The top four reasons users don't upgrade their software (but probably ought to)


Bet you didn't know that it's ITUW!

That's right.

It's International Technology Upgrade Week.

Don't worry - I didn't know, either.

ITUW probably isn't what you think. It's not a marketing pitch by electronics retailers to flog you a new TV or to get you to sign a new mobile phone contract.

Don't get me wrong - it is a marketing vehicle, and it's created an unusual promotional foursome consisting of Skype, Adobe, Norton and TomTom.

Nevertheless, it has revealed some interesting factoids, following a survey commissioned by the participants.

The standout figure is that 40% of users don't upgrade when they probably ought to. (Actually, Skype carefully states that 40% of adults don't upgrade. Whether children are more or less diligent is not reported.)

The primary reasons are given by Skype as:

  • Worried about computer security, so I don’t download everything I’m prompted to.
  • There is no real benefit to me.
  • Upgrades take too long.
  • Lack of understanding about what the update(s) will do.

Ouch. We're stuck in a sort of Catch-22. Downloading and running stuff whenever you're asked is risky behaviour. But not installing security fixes when they're available is risky, too.

This is a tricky dilemma, and one which Chester Wisniewski and I rather presciently happen to have discussed in a recent Sophos Techknow podcast:

(Duration 15'25", size 11MBytes)

Intriguingly, despite a 40% resistance to updating amongst those surveyed, Skype's survey reports that 25% of users admitted that "they need to see a prompt twice before upgrading software."

Be warned: cybercrooks know that. It's one of the reasons that fake anti-virus software keeps pestering you with warnings, and why the support call scammers phone over and over again to try to coerce you into paying for their fraudulent help.

Don't agree to upgrade or update just because you're nagged about it.

Take stock of the software you have; make sure you know how to update it and to check that those updates are working; and follow those update procedures regularly.

Think about it: if you don't wait until you're nagged, then you won't ever be tricked by fraudulent software which does nag!

And why not take a reductionist approach to security?

If you've got software installed for which you don't trust the updates and upgrades, or which has let you down before, why not simply get rid of it? You'll soon find out whether you really need it.

Naked Security's Graham Cluley recommended this approach to Java for Mac users back in April 2012. I followed his advice and ditched Java from my web browsing setup to see what difference it made. Turns out I could live without it, so I have.

Bingo. One less thing to worry about.

Why not try something similar yourself? Removing stuff you don't need is a form of upgrade - a security upgrade!


ITUW images from the infographic on the Skype Big Blog.


19 Responses to The top four reasons users don't upgrade their software (but probably ought to)

  1. OneLiner · 1172 days ago

    Or you could just install something like Secunia PSI to tell you when new updates are available and let it handle them for you. I am not an employee, I just use it on my own and family PCs to keep them updated automatically. Between that and Windows Update, I have to do very little free tech support now.

  2. jandoggen · 1172 days ago

    "Lack of understanding about what the update(s) will do" should also be interpreted as "Fear that the upgrade will cause software bloat". There are companies that I am very reluctant to install updates from because they add new 'features' that I don't want. Examples: antivirus software that grows into anti-everything, firewalls idem, free programs (not just from small companies) that suddenly include toolbars etc.

    • or indeed, breaking longstanding features and changing functionality in subtly unpleasant ways, with no transparency about whether any security issues are addressed or in some cases even any choice. Android apps (and I'm looking at you, Facebook) are in my experience particularly guilty of this, with the added bonus of asking for extra permissions without adequate justification or choice.

    • Larry M · 1172 days ago

      It's not only the bloat, e.g., the Symantec 11 which essentially locks up the computer for 2 minutes while starting while it loads 15 MB of the same updates it got yesterday.

      It's also the size. No programmer ever fixes a bug by REDUCING the size of the software. Many people reject updates because their hard drives are nearly full and they would rather save the remaining space for user data (financial info, photos, whatever) than to protect against some obscure browser bug.

      And those of us who have had a bad experience--some important function which suddenly stops working when updates are applied--are even more wary.

  3. Bob · 1172 days ago

    I use the free Upgrade Checker from File Hippo. It doesn't seem as quirky as the Secunia tool. Run it daily or weekly, and it tells you if you need to update a program on your computer. It doesn't know about every program available, but it will detect most of the programs you use.


  4. marco · 1172 days ago

    iMovie from Apple: 1.3GB upgrade for "retina display support and extra languages support". Of course I won't upgrade!

    • Edaklen · 1172 days ago

      Of course I won't update iMovie with a whopping painful 1.3GB on my early 2011 MacBook Pro

  5. Bob · 1172 days ago

    I think it's worth mentioning that Secunia PSI 3.0 does a better job of updating software than Secunia PSI 2.0.

    And that Windows boxes start out with "Windows Update" and need to be switched manually to "Microsoft Update," which includes products like MS Office.

    And that it makes sense to check manually for windows updates even if automatic updates are turned on. (Click "Check for Updates" and wait for the system to check for updates.) Do this once a month, after patch Tuesday (the second Tuesday).

    Recognize, also, that it's a pain but that getting infected is a far worse pain. In terms of time, money, and what you have to do with your short, short time on this earth.

    • Guest · 1167 days ago

      Microsoft is to blame for the majority of computer users who are afraid to update.
      M$ will include a bunch of useless crap in their updates which the user doesn't have the power to choose what software to include or exclude.
      The following are some "features" which I don't need but was forced to update:

      > Windows Genuine Advantage
      (a malware-like feature which can't be disabled easily, true I have a pirated windows copy, and that's because the Genuine license sticker beside my OEM's Acer Desktop is not correct and the pre-installed windows partition (recovery partition) WILL NOT INSTALL using the numbers printed in my Certificate of Authenticity sticker.)

      > Silverlight
      This is redundant with my Adobe Flash and also redundant with the newer HTML5

      > IE 7-8-9-10
      I am using a different browser, so no need to push these updates to me.

  6. Guest · 1172 days ago

    and that IS a good reason to avoid upgrades. By Law - Software Updates should have to give details about what features are being updated and what the actual result will be to the user, and there should also be a choice available to accept fixes of actual errors in the software but to bypass fancy new bells and whistles that "bloat the software" but are not really needed by most users.

    [Post edited for length.]

  7. Internaut · 1172 days ago

    There are too many smarmy companies that want to update their software and drop all kinds of junk on unsuspecting users. For most people, they don't have an idea what they should do with "Custom installation" so opt for the "Express" method where they end up with yet another toolbar, and some with 3rd party company's junkware by installing their free icons, smilies, wallpapers, and some, embedding false positives and so on - which leaves many open holes.

    I would never recommend to my clients to use any Registry Cleaner, or Driver Manager, let alone an update manager. I tell them that "...these programs are not your friends."

    While some will swear by these 'tools', I've also had the opportunity to clean and repair systems because many are not intuitive at all and end up messing up hardware, and/or software. Humans are intuitive and can research major upgrades and their effects on some systems.

    We still run XP, Vista, and Windoze 7. No one upgrades any software without permission, and it is rare that it is ever granted.

    Upgrades are done through expert maintenance processes and in some cases, upgrades are not done because of the effects.

    Sometimes, better is not best.

    For the home user, Caveat emptor.


  8. Paul Ducklin · 1172 days ago

    To those who talk about declining updates "because the app takes liberties when I do"...

    ...why not get rid of said app and choose an alternative which doesn't :-)

    (Often more easily said than done. But sometimes it's a bullet worth biting.)

  9. Terry · 1171 days ago

    I recently had to go online to fix some Windows Explorer issues when a bunch of updates screwed it up. I recently had to downgrade my Opera browser because on my system it really sucked. Too many issues. I have a 64bit ver of Win7 and I'm going to try and install the 64bit ver of Opera (currently using 32) and see if that makes any difference.

    I'm in favor of upgrades for security reasons otherwise my philosophy is "if it ain't broke don't fix it". Of course Windows always seems to be broken. :-)

  10. ALWAYS ensure your antivirus program automatically updates.

    Aside from that:

    Having learned the hard way with MS and Adobe, I strongly recommend adding any updates directly from the program's support page. If you do opt to automatically check for updates, deny installing and go to the program support page to actually confirm and install.

    Re Microsoft, first set a new computer restore point, and ROUTINELY go 2-3 times per month to check for and install updates manually. ALWAYS read the description for each update.

    THIS also, is the ONLY time I use "internet explorer" (cuz they make me), as it is very unsecured, loads your computer with cookies, and sets up many other internet vulnerabilities. Firefox, with a few of their "can't-do-without" security add-ons, allows full control of any pages, cookies, flash, scripts, bugs, trackers, redirects, reloads, etc.

    As a home user, researcher, community advocate, and graphic artist, I am a huge fan of open source freeware, and (after reading independent reviews) download and test various programs for usability.

    Any time I manually upgrade, load, or test programs, I do a computer search using the term "upgrade". If present, always open the program and set this to off.

    In summary, with the exception of my antivirus program, I do not allow my computer to EVER connect with the internet in the background, have no automatic sign ins, nor save any passwords.

    Be well,

    And always practice safe computing.


  11. Mark · 1171 days ago

    If companies want users to install the updates, they really need to fix the process. The current system of warning messages and auto-installers that look exactly like the bogus spyware installers is really broken. Most home users are either the "click yes to every question" people and loaded with tons of junk in addition to updated software, or the "click no" users who assume all messages are frauds and don't upgrade anything.

    It is only a very small percentage of people who understand enough and put in the effort required to know when to click no on the bad and yes on the good.

  12. skeptic · 1170 days ago

    Following the principle espoused here,

    > ... if you don't wait until you're nagged, then you won't ever be tricked by
    > fraudulent software which does nag!

    you'll install it all -- legitimate or fraudulent -- at first request. Is that really
    better than just letting yourself get nagged while you think it over calmly
    so as to decide rationally what to do?

  13. roy jones jr · 1168 days ago

    What is bloatware by the definition you all have? Considering you may have a 700GB hard drive, the size of the update file won't matter. Also I find it strange folks are more trusting of open source software updates than updates from Apple or Microsoft. If you have your own custom workstation going at home that's fine, but the majority of folks using Windows or OS/X need to be updating and not sitting on an update "pondering the cause and effects of this update I may or may not install".

  14. Stanley · 1168 days ago

    I just don't update Skype anymore, with every update it just gets worse, I'm not even joking. And I'm quite computer savvy as well.

  15. mountaincoward · 1115 days ago

    I don't update a lot of things, e.g. my Creative updates for my music player, also Media Player, as I find each successive version is usually less use and/or harder to use. If I'm happy with the way something works, I keep that version as long as I can.

    The only thing I let update automatically is my AV on my laptop. Other security updates I like to supervise and I only ever update any one thing (e.g. Java) at a time. That way, when my laptop won't boot up afterwards, I know what broke it. I also do a snapshot before any updates so that I recover from cock-ups easier.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog