Why users don't often upgrade software when they should

Many users don't update to the latest version of the software on their computers because they're not sure the updates are safe or remain unconvinced that any new features will be useful.

Those are among the findings in an online survey of users in the U.S., U.K. and Germany by Skype, Adobe, Norton and TomTom timed to coincide with last week's International Technology Upgrade Week (ITUW). About 40 percent of the respondents -- 42 percent in the U.S., 41 percent in the U.K. and 37 percent in Germany -- admitted they don't upgrade software when they should.

The survey found that most respondents want the safest version of their software, but don't always trust on-screen reminders, thinking they might be scams from hackers that contain malware.

Those concerns are well founded, according to Paul Ducklin, writing on the Sophos Naked Security blog. He said cybercriminals know that many users will eventually respond to multiple upgrade prompts.

"It's one of the reasons that fake anti-virus software keeps pestering you with warnings, and why the support call scammers phone over and over again to try to coerce you into paying for their fraudulent help," Ducklin wrote. "Don't agree to upgrade or update just because you're nagged about it."

Still, he and others in the security industry say it's important to stay current with security patches, even if they include features users don't like. And skeptical users who fear an update might be fake can visit a vendor's website and download the update from there.

Beyond security concerns, users are not always impressed with what vendors pitch as "cool new features" in upgrades. A quarter of survey respondents saw no benefit in an upgrade and about the same percentage said they don't even understand what some upgrades will do. One in five respondents worried that the update would slow down their computer, and 18 percent feared new versions of their software might have bugs.

Chester Wisniewski, senior security adviser with Sophos, is sympathetic. "Sometimes really big companies do some really stupid things," he said. "If you download Adobe Flash Player from the updater and not the website, it bundles other stuff with it. If you update Java, you get Bing in your toolbar. When companies start bundling crapware, people do get resentful."

Indeed, some of the readers commenting on Ducklin's blog post are openly resentful of vendor upgrades. "There are too many smarmy companies that want to update their software and drop all kinds of junk on unsuspecting users," said one identified as Internaut. "For most people, they don't have a[n] idea what they should do with 'Custom installation,' so [they] opt for the 'Express' method where they end up with yet another toolbar...."

Other installers add "third-party company's [sic] junkware by installing their free icons, smileys, wallpapers," Internaut argued.

Security experts said vendors should be more responsive to customers who want security updates but prefer to stick with a version that's familiar.

Bruce Schneier, chief security technology officer at BT and writer of the Schneier on Security blog, offered a brief "Yes and yes" when asked whether complaints about unneeded, unwanted features are legitimate and whether software companies should be paying more attention to updates.

Sharon Nelson, an attorney and president of Sensei Enterprises, a computer forensics and legal IT firm, noted that users are reluctant to download updates with new features. "What Facebook calls a feature can be a privacy issue," Nelson said. "Some of the 'features' may cause problems with other software. Some features just add to software 'bloat' when you don't need them."

Sophos' Wisniewski said some companies are responding to those issues. He pointed to Red Hat, which was one of the first companies to offer long-term support for a software release. "They offer guaranteed support - security updates, but no other changes. And you're starting to see other vendors doing the same thing. Firefox is one of them."

Firefox has received praise in recent months for the way it is handling security. Apple has also recently moved to beef up the way it delivers security updates.

Most companies, he said, are seeking a middle ground because, "the cost of supporting old versions for years is enormous."

Microsoft, which has continued support for the aging Windows XP, will be dropping that support in April 2014, Nelson said. "At that point, it will be critical to upgrade to a new OS, because there will be no more security updates or bug fixes."

Businesses have more options than individual users, said Wisniewski. "For the enterprise, it's important to have [a] stable platform," he said, "so you should ask (a vendor) how long is their support cycle and where are they in it. You almost always have [the] option of long-term support...with just security patches."

For users, it is critical to keep software updated. "My advice is, as much as you hate that stuff, you have to do it," Wisniewski said. "It's just not safe otherwise." He sees computers with out-of-date software "getting compromised all the time - it makes it easier and easier for criminals."

"Usually, in 75 [percent] to 80 percent of those cases, the patch has been available for six months."

Read more about application security in CSOonline's Application Security section.

Stories by Taylor Armerding