Monday 22 September 2008, 11:42 PM
Patching things up
Who can blame them? The message has got through that unexpected malware is pushing web pop-ups, many of which appear to be genuine dialog boxes, that should never be clicked on. Things seem to be working, so it appears a logical choice to play safe and ignore the messages. Logical, but wrong.
Users are faced with a mass of different update messages, typically including Windows, Office, Java, Flash, Acrobat Reader and frequently Real Player, QuickTime, iTunes, a CD/DVD writer and player, plus browser toolbars... I could go on.
Things aren't made easier by an almost total lack of consistency. For example, Flash Player presents a message that looks rather like a pop-up advert after boot-up, Java and Windows a yellow balloon from the icon dock, and Acrobat Reader a dialog within the application. There's some help to be had via applets that upgrade several applications in one place, such as the Install Shield and Google updaters. But yet another way of doing things is hardly a solution.
Some auto-update by default. Many others don't. Microsoft Update (and Vista's equivalent) must be manually enabled to ensure Office is updated along with Windows. Java, Flash, Install Shield and Google Updater, on the other hand, ask the user to agree to each update.
There's always a risk that an upgrade will cause problems, but that risk is far lower than running software with known security flaws. Many large organisations sensibly delay updates until they have been thoroughly tested in-house. Corporate machines, though, are locked down far tighter: users have less freedom to control their PC and reduced access to the web (often to the detriment of productivity). As a result, the risk posed by unpatched software is much smaller. Testing isn't practical within smaller companies, while users more commonly need, and certainly demand, full control over their machine with access to all of the Internet.
It could be argued that waiting 24 hours, then Googling each update to check for serious problems strikes a balance between malware risk and a bad patch, but nobody's done the research to find out. In any case, in the real world I doubt many would bother, faced with other work demands. It seems to be a law of nature that the upgrade requests pop up just when you really need to use the software for an urgent task - so saying no removes the chance of a long and potentially disruptive delay.
Users should be told why it's so important to click OK - or at least, encouraged to ask someone who knows when the request pops up. And this is another reason to run as much of the software that your users run as you can, so you can be prepared to answer - or even put out an email letting people know what to expect, and what to do.
In the longer term I dream of the day when developers ensure all applications, by default, auto-update via a daily patch check, or at the very least ask how they are to behave during installation. Perhaps I should eat more strong cheese before bedtime.
Comments on this post
This is a very good post, about a very important issue. But what can be done to solve the problem? To take the absolute simplest example, how can the average user be expected to differentiate between the now-infamous "Spyware detected on your computer, click here to remove it" pop-up, and the (probably) legitimate pop-ups or balloons that you describe for Adobe Flash, iTunes, or whatever other software they might happen to have installed? The obvious solution is to have a "known and trusted" authority to provide verification of updates. In fact that is what you are suggesting with "ask someone who knows", but at the moment the only candidates for that "someone" seem to be friends, family members or paid consultants. For a large portion of computer users there simply aren't any such friends or family members available, and very few are willing and/or able to pay a consultant to be available for such calls. The result is that rather than calling to ask if a given update notification is valid, the call only comes through when it is "too late", and the computer has a problem, either as a result of installing an invalid update, or not installing an update that would have prevented an attack.
Could there be some "central authority" to approve patches and updates which would then be automatically installed? There have been good and bad examples of this. Microsoft has made a sort of an attempt at it, especially by extending "Windows Update" to "Microsoft Update" and including various other packages in it. But their credibility is rather low with a lot of people (including me), and there are some serious conflicts of interest there as well. Apple has recently tried to do some of the same, by bundling iTunes/QuickTime/Safari updates and distributions together, but that hasn't met with much acceptance either - again because of trust and conflict of interest issues.
On the positive side, those who get Linux distributions from Ubuntu, Mandriva and the like will also automatically get patch and update notifications from them as well. This at least gives the user a one-click overview and approval procedure, not only for the Linux core but also for the packages that have been included by the distributors, such as Firefox, Thunderbird, OpenOffice and other common tools and applications.
That looks like a good start, but of course it only helps the Linux users, and it is only going to be a valid option for as long as they retain trust and credibility with their users. The recent episode with Ubuntu including Firefox 3.0.2 beta in their Intrepid Ibex distribution, with an EULA that turned out to be very unpopular, and the fact that the new Firefox release had some problems, is not a good sign. At least this was only done in an alpha release of Ubuntu; hopefully it will not be repeated in a regular end user release.
As far as Windows systems, utilities and applications go, I don't see any substitute for the "friends and family" network in the foreseeable future.
jw 23/9/2008
Hi JW,
My biggest problem with a trusted authority is that to be of any use they must check software for malicious and spyware. Aside from who's to be trusted to do this, and how they make the judgment call when things are borderline, my greatest concern is cost. Developers will need to pay for this; that at a stroke would wipe out most of the small and open source makers of apps. I can't see how software under such a system could ever be free (in both senses of the word).
An integrated updater in the operating system is one solution, but to be of use in the closed source world it would need to update all installed software, malware or not. It risks becoming yet another vector malicious software uses to sneak its way onto a system.
When Linux on the desktop is common enough to attract significant amounts of malware I suspect updating via (moderately) trusted repositories will become more problematic, though perhaps that's not insoluble if enough volunteers are prepared to put the work in deciding for us which apps are to be trusted. I predict the bad guys popping up as trusted volunteers followed by an awful lot of flame wars and messy infighting. Nonetheless the collaborative open source world is good at this sort of problem. The solution may not be perfect but whatever emerges is unlikely to be worse than today's mess.
Adrian
Adrian, I completely agree with you. There are major problems with both trust and cost in whatever system one tries to come up with. But the FOSS community has come up with very good solutions to a lot of problems, and I hope they will be able to solve this one too. There is already a good start on it with the current "packaged" Linux distributions. But you are also right, once it gets to be large enough to be interesting to malware propagators, the environment will get a lot more difficult. I don't think the current system is prepared for that, so it is going to take a lot of work and a lot of improvement. I still think there is a better chance of that happening than in the closed environments, though.
jw 29/9/2008


