Why you can’t always trust a software application security update.

Published by Derrick Jennings

News on 30 Apr, 2016

Conventional wisdom has it that security updates must always be applied as soon as they are available. Here’s why at Conceptuallysorted we’re not convinced that such advice is always appropriate.

Microsoft update interrupts weather broadcast.

Metinka Slater (pictured above) is the unfortunate victim of what some might call a blatant abuse of the Windows Update Service, a service created by Microsoft to install security fixes and to add new features to the Windows platform.

Let’s not pretend otherwise, creating great software is difficult and making that software secure is even harder. As a result, it’s not unreasonable to expect users of that software to apply security fixes in a timely manner. Doing so ensures that they remain protected from the bad guys and continue to enjoy a secure online experience.

It is also not unreasonable for users of that software to expect that their existing workflows will be respected and that their devices will remain operational. So it can be seen that in order to have a secure (and therefore safe) internet, trust is required from all parties: trust that software updates will be applied, and trust that those updates will do no harm.

Microsoft has broken that trust. They used the Windows Update Service to release an advertising update, KB3035583. This update has no value to its recipients and has more in common with malware than with software produced by a reputable organisation. It is also the cause of the embarrassing situation that has been captured in the image that accompanies this post. Such tactics make users wary of installing software updates, making the internet less secure and therefore less safe for everyone.

Microsoft is not alone in eroding user trust. Apple, Lenovo, Dell and Sony, to name but a few, have all in one way or another undermined the trust that must exist between the provider and the user of modern software. However, Microsoft must be singled out for a special mention. With consumer versions of Windows 10 they have removed the user from the trust equation altogether, choosing instead to make the automatic download and installation of their updates a condition of its use. It’s not at all surprising that Ms Slater is reluctant to upgrade. The intrusive, passive-aggressive tactics employed by Microsoft are unlikely to win it any friends and I believe will do more harm than good.

Ultimately, the designers of software must own up to their responsibilities and obligations in building trust between themselves and their users. Until this is the case it is difficult to support the argument that software updates must be blindly installed as soon as they are issued, in the belief that they will do more good than harm.