{"id":14802,"date":"2019-03-09T10:45:10","date_gmt":"2019-03-09T18:45:10","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/03\/09\/news-8551\/"},"modified":"2019-03-09T10:45:10","modified_gmt":"2019-03-09T18:45:10","slug":"news-8551","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/09\/news-8551\/","title":{"rendered":"Turn On Auto-Updates Everywhere You Can"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c82d0d8b235600ed923924c\/master\/pass\/Update-Your-Chrome_Final_02.gif\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Fri, 08 Mar 2019 21:18:06 +0000<\/strong><\/p>\n<p>This week, Google <a href=\"https:\/\/security.googleblog.com\/2019\/03\/disclosing-vulnerabilities-to-protect.html\" target=\"_blank\">announced<\/a> that it had patched a wicked vulnerability in Chrome, by far the <a href=\"https:\/\/www.wired.com\/story\/microsoft-edge-browser-chromium-internet-explorer\/\">most popular browser in the world<\/a>. Not only that, the search giant also confirmed that hackers had been actively exploiting the bug, in tandem with one found in Windows. Soon after came a <a href=\"https:\/\/lifehacker.com\/update-google-chrome-right-now-1833101352\" target=\"_blank\">wave<\/a> of <a href=\"https:\/\/www.pcmag.com\/news\/367015\/stop-what-youre-doing-and-update-google-chrome\" target=\"_blank\">reports<\/a> imploring people to update Chrome <em>right now<\/em>. But thanks to Google\u2019s embrace of auto-updating its software, for most people it was already taken care of.<\/p>\n<p>Software updates are a pain no matter how you shake it. The MacOS prompts never leave you alone. Automatic Windows 10 updates ask you to restart your PC at the least convenient times. And fresh versions of <a href=\"https:\/\/www.wired.com\/2016\/09\/ios-10-bricks-iphones\/\">iOS seem to brick phones<\/a> every couple of years. 
You\u2019d be forgiven for wanting to just forget the whole thing.<\/p>\n<p class=\"paywall\">Don\u2019t! Keeping your software up to date is the <a href=\"https:\/\/www.wired.com\/story\/smartphone-security-101\/\">easiest way to protect yourself<\/a> from hackers, and letting it happen automatically is the best way to guarantee that it actually happens. \u201cAs a security practitioner, I am a strong advocate for auto-updates, especially when it comes to consumers,\u201d says J\u00e9r\u00f4me Segura, head of threat intelligence at security firm Malwarebytes.<\/p>\n<p class=\"paywall\">Take the case of the recent Chrome zero-day vulnerability. Rather than forcing a pop-up on however many millions of open browsers, prompting all of those users to install a patch, which many of them would likely have put off or ignored, Google\u2019s security team just pushed the fix. Done. Well, almost done: In this case, because the attack targets actual Chrome code and not that of a plug-in like Flash, you still have to restart the browser to effect the change. It\u2019s a significantly lower bar, though, and one that\u2019s going to keep substantially more people safe than an elective update would have.<\/p>\n<p class=\"paywall\">\u201cMy impression is that most people don\u2019t want to think about security. It\u2019s more of a burden than anything,\u201d says Josiah Dykstra, technical director at the National Security Agency. \u201cEven if they say they want to be secure, they either don\u2019t have the expertise or the desire to do a lot of work.\u201d Nor should you have to.<\/p>\n<p class=\"paywall\">There are some clear exceptions here. Plenty of medical and industrial systems can\u2019t apply updates blindly; any unintentional bugs could result in catastrophe. And people who tinker with their software\u2014security researchers, hobbyists, and so on\u2014are rightly careful about any changes they introduce to their devices. 
Those are cases in which the cure can genuinely be worse than the disease.<\/p>\n<p class=\"paywall\">But for your average smartphone or laptop owner? Go auto-update all the way. Yes, you\u2019ll run into some performance hiccups, but they\u2019re worth it for the overall peace of mind. In fact, thinking of it in terms of those trade-offs puts the onus on you rather than the companies that push out faulty patches. Spend that energy demanding more from Apple and Microsoft and Google and whoever else is responsible for shaping your digital experience.<\/p>\n<p class=\"paywall\">\u201cThe vendors need to do a better job of vetting the patches before they go out and providing an emergency rollback on the end-user side,\u201d says Gene Spafford, a computer scientist at Purdue University and prominent cybersecurity researcher who <a href=\"https:\/\/cacm.acm.org\/magazines\/2018\/7\/229051-the-case-for-disappearing-cyber-security\/fulltext\" target=\"_blank\">cowrote an essay<\/a>  last year with Dykstra about so-called disappearing cybersecurity. A mechanism like that would help quickly undo any worst-case scenarios versus forcing you to wait for the fix to the fix. Which, it should be noted, also <a href=\"https:\/\/www.wired.com\/story\/macos-update-undoes-apple-root-bug-patch\/\">needs a fix sometimes<\/a>.<\/p>\n<p class=\"paywall\">Fortunately, Windows 10 auto-updates by default. Apple offered it as an option for the first time in iOS 12, but you have to opt in. To do so, head to <strong>Settings &gt; General &gt; Software Update &gt; Automatic Updates<\/strong> and toggle over to turn them on. As for Android\u2014and as with all things on Android\u2014it depends on what device you\u2019ve got, but generally speaking you have to wait until you get a notification that an update is ready for you in order to install it.<\/p>\n<p class=\"paywall\">And then there\u2019s the Wild West of the internet of things. 
Many IoT devices lack not only automatic updates but <a href=\"https:\/\/www.wired.com\/story\/krack-wi-fi-iot-security-broken\/\">any way to update software at all<\/a>. That especially is a shame, because there\u2019s no category of device that would benefit more from constant, hands-off improvement than those that have no real interface to speak of. The last thing you should have to worry about is your <a href=\"https:\/\/www.wired.com\/story\/nest-cameras-pew-die-pie-north-korea-passwords\/\">webcam shouting bomb threats<\/a> at you.<\/p>\n<p class=\"paywall\">\u201cThat\u2019s an area of concern. If IoT devices have vulnerabilities, they\u2019re going to be widespread,\u201d Spafford says. \u201cWe don\u2019t have a climate yet that really holds [manufacturers] responsible to better behavior.\u201d<\/p>\n<p class=\"paywall\">The good news is, the wider consumer-tech industry is starting to embrace auto-updates more. If there\u2019s a silver lining to security meltdowns like the Chrome bug, it&#x27;s that it draws attention to the upsides of a set-it-and-forget-it approach for most casual consumers of technology that goes beyond just getting the latest bells and whistles first.<\/p>\n<p class=\"paywall\">\u201cIf people see the value in auto-updates, they generally tend to see the value in product stability for features more than security,\u201d Dykstra says. 
\u201cThe security benefit is a very hard thing for consumers to see.\u201d<\/p>\n<p class=\"paywall\">All the more reason to make the whole process as invisible\u2014and painless\u2014as possible.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/turn-on-auto-updates-everywhere\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c82d0d8b235600ed923924c\/master\/pass\/Update-Your-Chrome_Final_02.gif\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Fri, 08 Mar 2019 21:18:06 +0000<\/strong><\/p>\n<p>Meltdowns like the Chrome zero day bug show why enabling auto-updates can be the wisest choice for many consumers.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14802","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14802"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/
index.php\/wp-json\/wp\/v2\/posts\/14802\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14802"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}