07 November 2019

What’s the Most Secure Way to Handle OS Upgrades?


Your computer’s operating system may or may not be designed with security in mind, but without ongoing software updates, your computer is vulnerable. How do operating systems handle sending out these updates and which approaches are the most secure?

Why Do We Need Software Updates?

There are three key reasons software updates are important.

  • New Features: OS developers provide new features all the time. We want them. Gone are the days when you buy a new box to get the new code. Now you get the goods via software updates.
  • Security Patches: It’s impossible to know all of the vulnerabilities in a program before releasing it into the wild. Updates containing security patches bolster the defenses of the code running on our devices. You can mitigate much of your risk by running the latest versions of software.
  • Ongoing Support: These days we declare a device alive or dead based not on whether it still works, but on whether it still receives updates. A device that no longer receives updates will gradually lose access to newer apps, successfully load fewer websites, and become increasingly vulnerable to exploitation.

There are two ways to distribute these updates. One approach is a centralized model, where a single company manages all of the updates that go to your device, regardless of which brand or model you use.

In a decentralized model, the components that go into your OS come from many sources. There is a degree of separation between the developers and those who package all those various parts together for users.

Both approaches have their pros and cons. Proprietary desktop OSes such as Microsoft Windows, Apple macOS, and Google Chrome OS all take a centralized approach. GNU/Linux has a decentralized model.

How Microsoft Windows Distributes OS Updates

Microsoft distributes OS updates to anyone with a Windows PC. These updates go out based on what version of Windows you run.

For most of Windows’ history, switching to a new version of the OS was expensive. This encouraged many people to continue using older versions. With Windows 10, the situation is different. Microsoft provided Windows 10 for free initially and has said that rather than release another major upgrade, the company will now focus on iterating the desktop through software updates.

Microsoft has traditionally supported popular versions of Windows well after one or two successor versions have shipped. Windows 7, for example, still received updates half a decade after the release of Windows 10.

Windows Update automatically downloads updates and forces users to install them. This can be frustrating, but it keeps computers up to date. Just make sure you create regular backups. While unlikely, system updates can botch your installation of Windows (or any other OS for that matter).

Security Assessment

Microsoft is transparent about how long Windows releases will receive support. This helps users make informed decisions about their hardware purchases. Forced updates also keep users patched and up-to-date, protecting more of us from exploits.

Still, a large number of Windows users aren’t using Windows 10. Some are using versions that are severely out of date, making the Windows landscape as a whole a vulnerable and easy target.

How Apple macOS Distributes OS Updates

Apple provides OS updates directly to users via a dedicated Software Update tool. Unlike Windows, macOS does not automatically update your OS, but you can turn that feature on. Manual updates give you time to back up your data before getting new software.

Apple doesn’t explicitly state how long it will support each version of macOS. Generally, the three most recent releases will receive security patches. With new versions arriving every year, that means you can expect roughly three years of support.

Unfortunately, the end of life for older releases can arrive at any time without any heads up or official announcement. Apple’s security updates page shows what updates have arrived but not how long they will keep coming.

This doesn’t tell the whole story. Generally speaking, there’s little reason not to upgrade to the latest version of macOS. Changes tend to be more iterative compared to the revolutionary changes that took place from Windows 7 to 8 and from Windows 8 to 10. Upgrades were relatively cheap in the past, and now they’re free.

Since macOS is only available on Apple hardware, the company can explicitly list which devices it will support. Unfortunately, if your MacBook or iMac is not on the list, you’re out of luck. You must now replace macOS with Windows or Linux to have an OS with ongoing updates, even if your hardware is technically perfectly capable of running the latest version of macOS.

Security Assessment

Manual updates give you time to back up your data, but many people choose to never install updates, leaving them more vulnerable to exploits. Apple also doesn’t tell us when a given OS release will reach the end of its support period.

On the flip side, Apple generally supports a given computer model for many years. Just make sure you consistently upgrade to the latest OS. You can check out Apple’s list of obsolete products.

How Google Chrome OS Distributes OS Updates

On a Chromebook, updates are quiet and automatic. It doesn’t matter which device you buy: if your model is supported, you will receive each update in a matter of days. Google manages most of the software experience, so Chrome OS feels the same regardless of which Chromebook you buy.

Google provides updates on a regular schedule. Major OS updates come roughly every six weeks, with security patches and software updates arriving twice as frequently. You have the option to turn off automatic updates if you prefer.

But Google is not transparent about how long each Chromebook or Chromebox will receive support. The company doesn’t actually base support times on operating system version (like Microsoft) or specific devices (like Apple). Instead, Chrome OS support depends on which chipset sits inside your machine. Google promises to support each chipset for six and a half years after launch.

That poses a problem. Most of us do not know what hardware lies underneath our keyboards. We can easily buy a Chromebook using a chipset that’s been around for five years already, without knowing we will only receive one and a half years of support.

Thanks to Chrome OS’s design, the danger of going without software updates is magnified. Since Chrome OS combines the web browser with the rest of the OS, when OS updates stop, your web browser will no longer receive updates. This is not the case on other platforms, where you can update apps separately.

Security Assessment

Chrome OS strikes a nice balance between keeping users up to date with automatic updates while giving us the freedom to upgrade at our own pace by doing things manually. But the company’s support period is largely obscure and, given Chrome OS’s design, substantially more important.

How GNU/Linux Desktops Distribute OS Updates

We usually refer to GNU/Linux simply as Linux, but in this case it’s important to clarify things. Google’s Chrome OS is based on Linux, but how it operates is fundamentally different from other versions of Linux based on GNU software.

There are hundreds of different GNU-based desktops you can download. Most give you a degree of freedom on how you approach software updates. Generally, notifications will arrive automatically, but you must manually download and install the update. You can do so using a simple app or the command line.

How often you receive updates depends on the size of your chosen Linux distribution. You can use a given version of Linux until your machine no longer meets the minimum system requirements, which for a growing number of Linux desktops means a 64-bit processor.

If you use a more niche version of Linux, you have a greater risk of losing access to updates due to the project ceasing to exist. Under such circumstances, you’re free to switch to another version of Linux and keep on trucking.

Security Assessment

GNU desktops have the longest support life. Your desktop will continue to work for as long as your hardware meets system requirements. And if your preferred Linux distribution does end support, you can just switch to another.

Updates are not automatic, but there are other aspects of the way free software gets distributed that have a larger impact on whether the various parts of your OS are truly up-to-date. Since software is not produced in a central location, new updates and patches may be available for months or years before the people who make your version of Linux get around to packaging and releasing them.

Which Method Is the Most Secure?

In this case, the means is less important than the ends. If you manually update your PC every day or two and keep software up-to-date, then your machine is effectively as secure as one that receives automatic updates.

Making updates automatic primarily prevents machines from going months and years without updates, becoming susceptible to long-fixed vulnerabilities that make not only those machines but, due to botnets, the rest of us less safe.
