The Problem with Auto-Updates

In late December, Intuit - makers of Quickbooks - released an update on Quickbooks 2006 for Macintosh that went beserk and destroyed all the data on the desktop.

Ars Technica covered the story and here's Intuit's take on it.

This issue highlights one of the primary weaknesses of today's computing systems: updates are a necessity of modern systems (both for bug fixes and feature enhancements), but can we really trust them?

We've all been taught by mass media coverage that doing these updates is good practice. A lot of the time, they are released to prevent a security problem that might result in malware causing havoc on our sacred computer. Yet, if the Quickbooks update has taught us anything, it's that we can't just be robots when it comes to this stuff. Our data is too important and the people writing these updates can be - to be frank - dumb.

There are two big problems with how updates are done on today's Mac OS X and Windows systems: the frequent need for Administrative access and "the human factor." For both of these problems, there are no easy technical solutions.

The Need for Administrative Access

When run, updates frequently ask for permission to have access to the system username and password. Most of us just type in our user and password without a thought. The result: putting in an administrative username and password gives this program complete access to all of the files on your computer.

These updates need that access. They have to update files in system areas which are off-limits from standard users.

The problem is that we get dulled to typing in the username and password every time we're asked for it. So after the 100th update on our machine, we're trained just to type it in no matter what is asking for it.

Eventually, someone will come up with a sneaky way to get a virus onto our Macs, and it will ask for access - and if you don't think about it, you give it complete access to your system.

"The Human Factor"

Even worse is that a piece of software doesn't even need this level of access to cause the type of damage that the Intuit update did. Files on your user's desktop or documents folder are not protected by this administrative password.

Intuit's update didn't ask for administrative access - it just did its damage when you launched Quickbooks, which updates itself by default.

There was, essentially, no way to stop it, other than finding out about it first before opening Quickbooks. And who has time to research updates before they happen?

The Solutions

So what's the solution? More Human Factors. Good ones.

First, you shouldn't type your administrative username and password unless you know why your system is asking for it.

Sure, if you've pressed "Update" on OS X's software update or another program (like Microsoft or Adobe's updaters), your system has a reason to ask for it. But if you're downloading an image off of the Internet or clicked on a link in your mail that's supposed to be a YouTube video - don't enter your username or password if prompted.

Second, count on the professionals. IT firms exist because computers are perfect at replicating human flaws. For Intuit, computers replicated a flawed update and hundreds (maybe thousands) of users to lose their files. In the end, you need smart humans to protect you from human stupidity (not a slogan that you'll find for many IT firms).

Tech Superpowers, for instance, called all of our Quickbooks customers to morning that we heard about this issue. We caught all of them but one - unfortunately, even our Superpower speed wasn't fast enough.

As part of our Managed Macs managed services, we also turn off all auto-updating systems on your Mac - and perform the updates for you on a monthly basis after we've verified that each one is ok.

Finally, always have a updated backup. Leopard's Time Machine built-in backup software is a great solution to make sure that a bad update won't stop you in your tracks, and there are options for 10.4 and 10.3 users as well.

While no set of precautions is perfect, hopefully keeping these solutions in mind will keep anyone from losing data the next time that human stupidity or maliciousness strike Mac users again.

Blogs

Upcoming Events


	The Problem with Auto-Updates oh's blog Login or register to post comments In late December, Intuit - makers of Quickbooks - released an update on Quickbooks 2006 for Macintosh that went beserk and destroyed all the data on the desktop. Ars Technica covered the story and here's Intuit's take on it. This issue highlights one of the primary weaknesses of today's computing systems: updates are a necessity of modern systems (both for bug fixes and feature enhancements), but can we really trust them? We've all been taught by mass media coverage that doing these updates is good practice. A lot of the time, they are released to prevent a security problem that might result in malware causing havoc on our sacred computer. Yet, if the Quickbooks update has taught us anything, it's that we can't just be robots when it comes to this stuff. Our data is too important and the people writing these updates can be - to be frank - dumb. There are two big problems with how updates are done on today's Mac OS X and Windows systems: the frequent need for Administrative access and "the human factor." For both of these problems, there are no easy technical solutions. The Need for Administrative Access When run, updates frequently ask for permission to have access to the system username and password. Most of us just type in our user and password without a thought. The result: putting in an administrative username and password gives this program complete access to all of the files on your computer. These updates need that access. They have to update files in system areas which are off-limits from standard users. The problem is that we get dulled to typing in the username and password every time we're asked for it. So after the 100th update on our machine, we're trained just to type it in no matter what is asking for it. Eventually, someone will come up with a sneaky way to get a virus onto our Macs, and it will ask for access - and if you don't think about it, you give it complete access to your system. "The Human Factor" Even worse is that a piece of software doesn't even need this level of access to cause the type of damage that the Intuit update did. Files on your user's desktop or documents folder are not protected by this administrative password. Intuit's update didn't ask for administrative access - it just did its damage when you launched Quickbooks, which updates itself by default. There was, essentially, no way to stop it, other than finding out about it first before opening Quickbooks. And who has time to research updates before they happen? The Solutions So what's the solution? More Human Factors. Good ones. First, you shouldn't type your administrative username and password unless you know why your system is asking for it. Sure, if you've pressed "Update" on OS X's software update or another program (like Microsoft or Adobe's updaters), your system has a reason to ask for it. But if you're downloading an image off of the Internet or clicked on a link in your mail that's supposed to be a YouTube video - don't enter your username or password if prompted. Second, count on the professionals. IT firms exist because computers are perfect at replicating human flaws. For Intuit, computers replicated a flawed update and hundreds (maybe thousands) of users to lose their files. In the end, you need smart humans to protect you from human stupidity (not a slogan that you'll find for many IT firms). Tech Superpowers, for instance, called all of our Quickbooks customers to morning that we heard about this issue. We caught all of them but one - unfortunately, even our Superpower speed wasn't fast enough. As part of our Managed Macs managed services, we also turn off all auto-updating systems on your Mac - and perform the updates for you on a monthly basis after we've verified that each one is ok. Finally, always have a updated backup. Leopard's Time Machine built-in backup software is a great solution to make sure that a bad update won't stop you in your tracks, and there are options for 10.4 and 10.3 users as well. While no set of precautions is perfect, hopefully keeping these solutions in mind will keep anyone from losing data the next time that human stupidity or maliciousness strike Mac users again. Submitted by oh on Mon, 01/07/2008 - 06:38 Public Content quickbooks