• United States



Contributing writer

Why users don’t often upgrade software when they should

Jul 30, 20125 mins
Application SecurityIT LeadershipPatch Management Software

Survey finds users ignore update reminders, eschew 'new' features

Many users don’t update to the latest version of the software on their computers because they’re not sure the updates are safe or remain unconvinced that any new features will be useful.

Those are among the findings in an online survey of users in the U.S., U.K. and Germany by Skype, Adobe, Norton and TomTom timed to coincide with last week’s International Technology Upgrade Week (ITUW). About 40percent of the respondents — 42percent in the U.S., 41percent in the U.K. and 37percent in Germany — admitted they don’t upgrade software when they should.

The survey found that most respendents want the safest version of their software, but don’t always trust on-screen reminders, thinking they might be scams from hackers that contain malware.

Those concerns are well founded, according to Paul Ducklin, writing on the Sophos Naked Security blog. He said cybercriminals know that many users will eventually respond to multiple upgrade prompts.

[See also: 10 commandments of Windows security]

“It’s one of the reasons that fake anti-virus software keeps pestering you with warnings, and why the support call scammers phone over and over again to try to coerce you into paying for their fraudulent help,” Ducklin wrote. “Don’t agree to upgrade or update just because you’re nagged about it.”

Still, he and others in the security industry say it’s important to stay current with security patches, even if they include features users don’t like. And skeptical users who fear an update might be fake can visit a vendor’s website and download the update from there.

Beyond security concerns, users are not always impressed with what vendors pitch as “cool new features” in upgrades. A quarter of survey respondents saw no benefit in an upgrade and about the same percentage said they don’t even understand what some upgrades will do. One in five respondents worried that the update would slow down their computer, and 18percent feared new versions of their software might have bugs.

Chester Wisniewski, senior security adviser with Sophos, is sympathetic. “Sometimes really big companies do some really stupid things,” he said. “If you download Adobe Flash Player from the updater and not the website, it bundles other stuff with it. If you update Java, you get Bing in your toolbar. When companies start bundling crapware, people do get resentful.”

Indeed, some of the readers commenting on Ducklin’s blog post are openly resentful of vendor upgrades. There are too many smarmy companies that want to update their software and drop all kinds of junk on unsuspecting users,” said one identified as Internaut. “For most people, they don’t have a[n] idea what they should do with ‘Custom installation,’ so [they] opt for the ‘Express’ method where they end up with yet another toolbar….”

Other installers add “third-party company’s [sic] junkware by installing their free icons, smileys, wallpapers,” Internaut argued.

Security experts said vendors should be more responsive to customers who want security updates, but prefer to stick with a version that’s familiar.

Bruce Schneier, chief security technology officer at BT and writer of the Schneier on Security blog offered a brief, “Yes and yes,” when asked whether complaints about unneeded, unwanted features are legitimate and whether software companies should be paying more attention to updates.

Sharon Nelson, an attorney and president of Sensei Enterprises, a computer forensics and legal IT firm, noted that users are reticent to download updates with new features. “What Facebook calls a feature can be a privacy issue,” Nelson said. “Some of the ‘features’ may cause problems with other software. Some features just add to software ‘bloat’ when you don’t need them.”

Sophos’ Wisniewski said some companies are responding to those issues. He pointed to Red Hat, which was one of the first companies to offer long-term support for a software release. “They offer guaranteed support – security updates, but no other changes. And you’re starting to see other vendors doing the same thing. Firefox is one of them.”

Firefox has received praise in recent months for the way it is handling security. Apple has also recently moved to beef up the way it delivers security updates.

Most companies, he said, are seeking a middle ground because, “the cost of supporting old versions for years is enormous.”

Microsoft, which has continued support for the aging Windows XP, will be dropping that support in April 2014, Nelson said. “At that point, it will be critical to upgrade to a new OS, because there will be no more security updates or bug fixes.”

Businesses have more options than individual users, said Wisniewski. “For the enterprise, it’s important to have stable platform,” he said, “So you should ask (a vendor) how long is their support cycle and where are they in it. You almost always have [the] option of long-term support…with just security patches.”

For users, it is critical to keep software updated. “My advice is, as much as you hate that stuff, you have to do it,” Wisniewski said. “It’s just not safe otherwise. He sees computers with out-of-date software, “getting compromised all the time – it makes it easier and easier for criminals.

“Usually, in 75 [percent] to 80 percent of those cases, the patch has been available for six months.”