Un-patched Systems


An article on March 23, 2017 from C|Net reports that 71% of Android users on major U.S. cellular carriers are running phones with outdated security patches. This is an astonishing number. Unfortunately, it is not a surprising number.

Software updates have become a required component of using any device that has software in it. Bugs and vulnerabilities are discovered regularly in software, and any product needs a way to update the software running on it. However, the mechanism to update products over the years has remained largely unchanged.

I can think of four major categories of software update strategies for products:
1) A software update is silently released on a web site, requiring the user to look for it.
2) The user is notified of an update when they log into the administrative interface of the product.
3) The user is notified of an update on one of their primary user interface devices.
4) The product refuses to operate until it is updated.

There are probably a few cases that don’t fit into these four, but they are rare. I could argue that in 2017, options 1 through 3 are unacceptable. End users are not qualified to make determinations as to which security patches they should apply and when. Furthermore, in 2017, most devices are always connected to the Internet one way or the other. Automatic updates forced by the product manufacturer are a lot easier to accomplish today. In the case of an Android cell phone, the device by its very nature is almost always connected.

Gaming machines like the Sony Playstation already enforce this dynamic. When a software update is available for this device, online gaming and streaming video no longer function until the user agrees to install the software update, assuming it wasn’t already automatically installed for them. When can we expect the same level of security awareness from the rest of our software and devices?