It Is Way Past Time for Default Auto-Patching

The recent widespread logj vulnerability (https://www.cisa.gov/emergency-directive-22-02) has once again begged the question of why we do not have automatic patching on all software and firmware?

I can tell you why and why it is time to do it anyway.

Unpatched software has been the number one or two top computer security problem for over three decades. Right now, it is a strong second to social engineering. Unpatched software is estimated to be involved in 20% to 40% of all malicious digital compromises.

Whenever a new vulnerability is announced and a patch is offered, a certain non-minor percentage of instances will NEVER get patched. What that percentage is varies depending on the patch and the involved component. But almost every patch follows a pattern similar to this:

·????????About one-tenth to one-quarter of impacted components get aggressively patched within one to two weeks of the vendor’s patch announcement

·????????About one-quarter to one-third of impacted components get patched within the next month or two

·????????Another one-quarter to one-third will be patched within the next year

·????????A small percentage will be patched in the following years

·????????And some percentage, usually ranging from a few percent up to 25% will never get patched

Over a decade later, there will be something like 2%-15% of impacted instances never patched.

When I was at Microsoft (nearly four years ago), some of the most popularly reported or noted vulnerabilities were from over a decade ago. Code Red anyone? Almost all the Microsoft Office users getting exploited because of Microsoft Office vulnerabilities were from holes that were patched over five years ago. I remember thinking, “Do we blame Microsoft because people are not applying patches from five years ago?”

The problem is that patching often is not easy. It often does not work. It almost always interrupts our work. It makes us close windows, lose our places and re-start or reboot. And more importantly, some large portion of our population simply is not aware that patches need to be applied. Sometimes even if I care a lot, I do not know if there are patches that need to be applied. I cannot tell you whether my Wi-Fi router or cable mode is missing patches. Well, I can log into my Wi-Fi router and tell it to check to see if updated firmware is available. But I do not know how to check for patches on my cable modem and I do not have admin privileges to apply them anyway.

A lot of the world’s missing patches are firmware, appliances and IoT patches. Firmware and appliances are just another way of saying, “harder to patch software”. ?Does my Ring doorbell need to be patched? How about my security cameras, home automation network, smart plugs and smart appliances? Actually, I know how to check on most of those…but it is a pain. I have to log into each one or start the right app and specifically find the place where they hide the firmware or software update functionality and run it.?But how many people know how to do it? How many people know they need to do it?

We are long past the time when all software, firmware and device manufacturers should enable automatic patching by default. Every single thing that could possibly require patching should check at least daily and simply apply the patches, without asking permission. At least by default. Each device should allow the owner to disable the default auto-patching.

Why Is Auto-Patching Not Already the Norm?

I think most people using software or devices that auto-patch themselves, like Google’s Chrome browser, wonder why all software and devices do not automatically do it. I used to wonder the same thing before I worked for Microsoft. It comes down to service interruption and customer satisfaction. Patches cause interruptions and sometimes break things and impacted people get mad. Mad people are less likely to re-buy those involved products. Some of those mad people sue the company that made the patch, especially if they were forced to apply it.

If given even a minor chance to delay a patch, most people will. When Microsoft Windows was less aggressive about patching, Windows users were notorious for not applying needed patches. It was not at all unusual to have Windows users who had not applied a single patch in over a year. The few times Microsoft tried to require that all users always be timely updated, they were successfully sued. That is why you have the convoluted patching schedules that Microsoft now supports, where some actively supported customers can be a major version or two behind, but not more than that. Of course, Microsoft still has tens of millions of unsupported Windows versions out there. Just a few years ago, I was helping a company with their Windows for Workgroups 3.11 installation issues (that version of Windows was released in the 1990s).

Some people cannot upgrade, because some device or functionality they need and use only works with a specific version of software. Upgrade it and you break the functionality. This is terrible and I do not like it, but it is ?a reality for millions of users. ?

Every patch has the potential to cause unexpected downtime. For that reason, most patch management experts tell users to test patches before applying…certainly in the enterprise environment. That way, if there is a problem, it will hopefully be caught during testing and allow the implementer to avoid unnecessary downtime. If you push automatic updates by default, it does not give most people a chance to test before they get applied.

Even if all the patch does is require a restart or a reboot and causes no other downtime than that, some non-minor percentage of customers will not be happy. You have interrupted them, their business or their customers. A patch could cause the loss of service or revenue. If you force patches upon users and they experience expensive downtime, who do you think they want to sue?

Forced patching could actually cause life threatening issues in many scenarios. Who knows what software, firmware and devices are being used in particular life-threatening scenarios? ?So, maybe we make one carve out an exception that says any software update that could cause a life-threatening scenario does not get automatically pushed? Well, I guess we do not automatically update any cars or trucks either. Who wants to be responsible because some person was prevented from operating their vehicle appropriately?

Some vendors, like Google, have been pushing automatic updates by default on end users for over a decade. And for the most part, it works. Most of the cloud-based software we all use gets updated all the time and we do not know about it (unless they tell us). More and more, software is auto-updating itself. It is just not most of it.

We need a new rule, maybe even a law, that says that all software, firmware and devices must check for patches at least once a day and apply them when they are available. By default. Allow people to disable that functionality if they want, but make the default be better security. It might even take a change in laws to let vendors automatically escape legal consequences if their automatic updates cause unexpected downtime.

I only know that this hodge-podge of inconsistent, different methods of patching, where in most cases, a user must actively work to look for and apply patches is not working! We need to do something different. So, this is my solution to improve patching rates:

·????????Every vendor developing a software program, app, firmware or device that could possibly require patching should enable default auto-patching, where it checks at least once a day and automatically applies any found patches during the “off hours” of the given time zone

·????????Allow knowledgeable users to opt out of auto-patching routines

·????????Vendors receive some limited legal protection against issues caused by their patches as long as the vendor did their due diligence and testing to make sure their software would not cause significant problems

This does not solve everything. For example, if a vendor goes out of business or no longer supports a particular version of their product, how would that product be patched and maintained? But I think requiring all developers to include default auto-patching in their product would significantly reduce the number of exploited products, and that would be a wonderful thing.