Voir en

français

Computer Security: When auto-update is not so auto

|

With more and more random software installed on our laptops, tablets, smartphones and other devices, more and more security risks creep in. Every piece of software is a security risk. Every piece of software comes naturally in an imperfect state, with human-implemented weaknesses and vulnerabilities to be discovered. Fortunately, many software vendors (but far from all) have put systems in place to fix discovered vulnerabilities and weaknesses as soon as possible. And with “auto-update” enabled, your device might just install that new version and keep you safe. Unfortunately, not every auto-update is so auto.

What is meant by “auto” can vary widely. Usually, it is expected that, with “auto-update”, new versions are discreetly installed in the background. In other cases, the update process might be verbose with pop-ups and message windows, or even require a reboot. But some “auto-updates” don’t even self-launch. They’re actually not that “auto” at all, but require you to take action – to take responsibility and get it going by scheduling and launching the update process yourself. And this is where the process fails. Lazy people as we are. And so, lazily, we put the security of our devices at risk.

We shouldn’t. Our digital life depends heavily on the security of our devices (see our Bulletin article on apartments). Just think of the mess you’d be in if a malicious, evil attacker got access to your device(s) – to your hard disk, documents, photos and files. To your camera and microphone. To your keyboard and the keys you type. Malicious access obtained. Data gone. Passwords gone. Privacy gone. Confidentiality gone. Your digital life gone. And with it your work, and the security of CERN. Terminated. Game over. Bye-bye.

For the sake of protecting our digital life – for the sake of protecting our Organization, too! – we should secure our devices as thoroughly as we can. We should ensure that our entire installed software stack is always up-to-date. We should ensure that “auto-update” really means “auto” and is configured to be “auto”. We should allow software demanding to be updated to launch its update process as soon as possible, whether immediately or overnight. And we should refrain from postponing updates forever. Ignoring them. Suppressing them. Because a missing update implies an unfixed weakness and vulnerability. Because a missing update poses a risk – to your digital life and to the Organization. Intervening manually to make “auto-update” really “auto” would reduce that risk. Thank you for securing your digital life. And CERN.

________

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.