How Long Should Vendors Ship Software Patches
As computers and software become more integrated into every facet of our lives, and as security attacks on our infrastructure become part of the news every day, the question of software patches and upgrades need to become a factor in purchasing decisions.
Whether it is a consumer Internet connected baby monitor (who’s bugs have compromised the privacy of mothers feeding their babies) or Smart TVs that listen in to our conversations (and send that data to China), customers – both business and consumer – need to start considering software patches in their purchasing decisions.
A couple of examples:
- Apple is very good about patching their customer’s iPhones – until they reach end of life. This week Apple stopped issuing patches for iPhone 5s and 6s. This doesn’t mean there are no more bugs nor that attackers won’t go after them. It also doesn’t mean that owners of those phones are suddenly going to crush or melt them and buy a new one.
- In January (2020), Microsoft will stop patching Windows 7 and other operating systems from that generation. Windows 7 had a good run of about 10 years. Do you still have any Windows 7 computers in your home or office? They provide patches for free for 10 years. That is a long time.
- Microsoft ended support for Windows XP years ago but many computers inside control systems like those that count your vote or make sure your drinking water is safe still run on that operating system. With many bugs and no patches.
- Most Android phone makers only patch the phones that they sell for two years from when they introduced it – not from when you bought it. some don’t patch them at all – ever. If you get your Android phone directly from Google, then that number is 3 years. There are probably close to a billion Android phones world wide that have not been patched in years.
- In business software, sometimes you can get patches, but only if you pay for updates every year. No payment, no patches. Cisco is a great example of this.
- I could write all day about this.
The bottom line is that you need to understand, preferably before you buy software what the rules are (you need to start thinking that the dishwasher or TV or copier or whatever is really software. Yes, it includes hardware, but it won’t function without the software. It won’t even turn on). Does the vendor provide patches? For how long? Do you have to pay for them? How do you install them?
A great example of this is my GE dishwasher (YOU HAVE PATCHED YOUR DISHWASHER RECENTLY, HAVEN’T YOU?). It broke down a couple of years ago and the repair person came out to fix it. Didn’t even turn it on. Mind you this is not an expensive, top of the line dishwasher – just a run of the mill one that you can get at places like Home Depot. He plugs a network cable into the dishwasher and clicks on a few things. It tells him what part is broken, he goes out to his truck and gets a replacement part. After installing it, he plugs the laptop back, a few more clicks and he declares it fixed. Never turned it on.
But he also said that he had to patch my dishwasher. This is not a smart dishwasher. It doesn’t connect to the Internet at all. GE would not let him close the service call until he patched it.
What was the patch for? Oh, it could get too hot and catch fire. Nothing important.
But my dishwasher hasn’t broken again for a couple of years. Does it need more patches? Probably, but I am not likely to pay for a service call just to see if there any patches for it.
Probably almost everything in your house or office that you connect to batteries or electricity has software in it.
One bright spot. If you subscribe to one or more cloud services, patches are included. You don’t even have to think about it.
And should be patched.
And likely is not being patched.
And likely has security flaws.
That includes every piece of software on every computer.
Do you even know what you have?
Do you track whether your TV or copier or phone or whatever has been patched lately?
Businesses are okay when it comes to patching computers. For the rest, it is pretty hit or miss.
A fact that hackers understand and exploit.
We had a client who was attacked because their copier was connected to the Internet and compromised. Cost them a fortune in credit card fraud (it’s complicated, but real).
It is not simple to solve this problem, but it is solvable. And it is pretty easy to reduce the attack surface. Do it a little bit at a time.
Think about it.