Last Updated: 2009-07-02 00:33:46 UTC
by Daniel Wesemann (Version: 1)
As Alan Paller wrote in last week's SANS @Risk Newsletter, home PCs contain a lot of software with a lot of vulnerabilities. The recent Shockwave hole is only one example. Yes, there are tools, like Secunia's PSI, that can help in determining which software on a PC needs urgent patching. In my experience though, the average home user is not tech savvy enough to use such tools.
Some software packages try to fix the problem by building an "auto update" feature into their product. Looking more closely into how these update mechanisms work shows that many do not verify the integrity or authenticate the origin of the updates they download. If recent malware like Conficker protects its updates better than application software protects its auto-downloads, something's amiss.
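The check that an auto-updater should run before installing anything, as an added illustration rather than code from this diary or from any vendor's updater: the client pins the vendor's public key, verifies a signature over a small manifest, refuses versions that do not move forward, and only then checks the payload against the digest in the signed manifest. The manifest layout, the Ed25519 choice and all key and payload values are assumptions constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server publishes next to the payload:
// the new version number and the SHA-256 digest of the payload bytes.
type Manifest struct {
	Version    uint32
	PayloadSHA [32]byte
}

// encode produces the canonical byte string that the vendor signs.
func (m Manifest) encode() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, hex.EncodeToString(m.PayloadSHA[:])))
}

// VerifyUpdate is the client-side gate: signature from the pinned vendor key,
// no downgrade or replay of an older version, and payload matching the manifest.
// Checking the digest only after the signature is valid means an attacker who
// can swap the download cannot also swap the digest it is compared against.
func VerifyUpdate(pinned ed25519.PublicKey, current uint32, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.encode(), sig) {
		return errors.New("manifest signature invalid: not from the pinned vendor key")
	}
	if m.Version <= current {
		return errors.New("refusing downgrade or replay of an older version")
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return errors.New("payload digest does not match the signed manifest")
	}
	return nil
}

// signManifest is the vendor-side step (constructed here so the demo is self-contained).
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.encode())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	payload := []byte("constructed update payload")
	m := Manifest{Version: 2, PayloadSHA: sha256.Sum256(payload)}
	sig := signManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, sig, payload))
	fmt.Println("tampered download:", VerifyUpdate(pub, 1, m, sig, []byte("swapped in transit")))
}
```

An updater that skips the signature step and compares only a digest fetched over the same channel as the payload gains nothing, since whoever can replace one can replace the other.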
Even assuming that a software package does everything right, there's still the hurdle of the OS to overcome. How do you explain to your mom or uncle or grampa the difference between a "bad" UAC prompt in Windows Vista (e.g. when malware wants to sneak in) and a "good" UAC prompt (e.g. when Firefox wants to apply its important security update)?
Basically, a message box telling a user that a program needs updating doesn't work anymore. We've seen just too many pop-ups, too many annoying requests to install Chrome or Silverlight or - worse - SuperMegaAntivirus2009, and this has left users largely immune to anything that requests installation. The more glaringly something asks for attention, the higher the chance it will be ignored.
Microsoft has come a long way with Windows Update. Of course we still worry about the PCs of our family members whenever there's a new vulnerability, but once the patch is out, we know we can stop worrying: Windows Update works well enough that on all PCs of friends and family that I was recently pressed into duty to "check out", the Windows patches were actually current.
Now, how do we get to the same level with all the application programs?