Where a bad review really makes for poor security

Releasing unstable software harms cybersecurity for everyone, not just those who install the product.

Most consumers do not take the time to upgrade their devices simply because vendors want them to: there has to be something in it for me.  Apple, on the other hand, has been an exception.  Studies have repeatedly shown that Apple users do regularly upgrade their phones.  Just one month after release, their latest version was installed on 52% of their devices.  By comparison, summing all Android releases from 2015 to present gets you that same number, with the latest releases coming in around 20% of the total.

This becomes a Big Deal when we start talking about vulnerabilities, and zero-day exploits.  If there is a bug in your device and it is running an older version of the code, and you do not update, then that device can be used to attack you or someone else.  This is something that Microsoft learned the hard way in the last decade when it snuck in extra software in a security update, losing trust and confidence and willingness of their users.

In his review, Gordon Kelly has told his Forbes readers not to upgrade to the latest Apple iOS release precisely because it may be too risky, that the release itself was rushed.  When considering release timing, any vendor always has to balance stability and testing against other feature availability and security.  Apple may well have gotten the balance wrong this time.  The review in and of itself harms cybersecurity, not because the reviewer is wrong, but because the result will be that fewer people will have corrected whatever vulnerabilities exist in the release (as of this writing information about what is fixed hasn’t been disclosed).  Moreover, such reviews reinforce a bad behavior- to delay upgrading.  I call it a bad behavior because it puts others at risk.

This isn’t something that can be fixed with a magic wand.  We certainly cannot fault Mr. Kelly for publishing his analysis and recommendations.  If we wait for perfect security, we will never see another feature release.  On the other hand, if things get too rushed, we see such bad reviews.  Perhaps this argues that O/S vendors like Apple and Google should continue to provide security-only releases that overlap their major releases, at least until they are stable, which is what other vendors such as Microsoft and Cisco do.  It costs money and people to support multiple releases, but it might be the right thing to do for the billions of devices that are each and every one a point of attack.