Are staggered rollouts of security patches bad?

Excellent question.

Yes, your understanding is correct, as well as your rationale behind it.

Staggering rollouts for new features often makes good sense.

Staggering rollouts for security patches is rarely a good idea. As you pointed out, this gives even more opportunity for the vulnerabilities to be exploited. Perhaps even more importantly, the patches can be quickly reverse engineered to develop exploits in a rapid fashion.

Microsoft often publicly releases their patches on the second Tuesday of the month (and also sometimes on the fourth Tuesday). This has commonly been referred to as "Patch Tuesday". There's a reason we call the next day "Exploit Wednesday".

It's unfortunate that a significant chunk of the Android ecosystem has not learned from this phenomenon.

Updates:
Several knowledgeable people have pointed out potential impact on internet infrastructure, including fears of overloading the entire internet. The volume of internet traffic is monumental; security patches, even extremely large ones, are tiny drops in the bucket. Microsoft releases large patches to hundreds of millions of users on the same day each month, and they have yet to "crash the internet". Netflix, YouTube, and Twitch stream videos to millions of people every day, and even with their combined traffic, they have yet to "crash the internet".

On the other hand, Android patches are predominantly (but not exclusively) delivered to wireless users. There are solutions to any potential issues:

  1. Provide users with a choice of when to download the patches. This provides numerous benefits:
    • Does not disrupt the user's workflow
    • Creates traffic staggering due to human interaction and decision variability
    • Allows the user to wait until they are connected to a higher bandwidth system (perhaps at work, their university, at home WiFi)
    • Allows the user, at their own risk, to wait and see if others report problems with the patches
  2. When distributing patches to specific regions known to have limited infrastructure that could be impacted, stagger the patches over the minimal number of days to avoid overloading infrastructure.

Regarding specifically the Google Nexus 6P security updates not being released to all users promptly, that's simply a poor choice by Google that is not in the best interest of their customers. Compared to the massive volume of internet traffic, those patches are minuscule.

On top of that, that device is relatively rare in the Android ecosystem. This further supports the statement that releasing the patches to all customers at once would not harm any internet providers.

Even the entire Google Nexus product line comprises only a tiny part of the Android world. As a product line, however, there could be a little impact on infrastructure in select regions. As such, the following methodology, when combined with the recommendations outlined above, will minimize infrastructure impact while maximizing patch distribution:

  1. Release zero-day exploit patches immediately
  2. Release scheduled updates on different days each month, a different day for each product
  3. If a product has significant market share that could reasonably impact infrastructure in a region, stagger the rollout over the minimal number of days required to avoid infrastructure overload in that region only

Finally, according to your statements, it has been over two weeks since Google initially released those patches for the Google Nexus 6P. That's more than enough time to know if their patches are causing havoc. I have found no documentation from Google recognizing or apologizing for a bad bunch of patches, nor anecdotal evidence of any serious problems.

One could make the argument that staggering patches out over a few days could possibly be reasonable in order to detect flawed patches and to reduce traffic load. But leaving customers unpatched for weeks is unreasonable, unnecessary, and not an effective policy from an information security standpoint.

In conclusion, based on the statements above, and your statement that Google has not rolled out the security patches to your device, my conclusion is that Google, by not delivering security patches to all affected Google Nexus 6P customers, is making a poor decision and is doing a disservice to their customers.
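The three-step methodology in the answer above (zero-day fixes immediately, a distinct scheduled day per product, and staggering only where a product's regional share could actually load the infrastructure) can be written down as a small rollout planner. The following is an added illustration, not code from the answer's author or from Google; the product names, device counts, per-region daily update budgets and the 10% share threshold are all constructed assumptions chosen so the arithmetic is easy to follow.

```python
from dataclasses import dataclass
from math import ceil


@dataclass
class Product:
    name: str
    patch_size_mb: float
    devices_by_region: dict  # region name -> installed devices (constructed figures)


# Constructed assumptions: daily traffic headroom each region can devote to updates
# (MB/day) and the total device population per region, used to compute market share.
REGION_UPDATE_BUDGET_MB = {"NA": 5_000_000_000, "APAC-rural": 100_000_000}
REGION_TOTAL_DEVICES = {"NA": 200_000_000, "APAC-rural": 5_000_000}

# Assumed threshold: below this regional share a product's update traffic is treated
# as negligible (step 3 of the methodology applies only above it).
SHARE_THRESHOLD = 0.10


def stagger_days(product: Product, region: str) -> int:
    """Minimal number of days over which this product's patch traffic fits the
    region's daily update budget. Products without significant share go out in
    a single day, so staggering is confined to where it is actually needed."""
    devices = product.devices_by_region.get(region, 0)
    share = devices / REGION_TOTAL_DEVICES[region]
    if share < SHARE_THRESHOLD:
        return 1
    load_mb = devices * product.patch_size_mb
    return max(1, ceil(load_mb / REGION_UPDATE_BUDGET_MB[region]))


def plan_rollout(products: list, zero_day_fixes: set) -> dict:
    """Return {(product_name, region): (start_day, days_spread)}.

    Zero-day fixes start on day 0 (immediately). Scheduled patches get a distinct
    day per product (assumed 7-day spacing, sorted by name) so that products do not
    all hit the network on the same day. Each (product, region) pair is then spread
    over only as many days as its regional share requires."""
    plan = {}
    for idx, product in enumerate(sorted(products, key=lambda p: p.name)):
        start = 0 if product.name in zero_day_fixes else 1 + idx * 7
        for region in REGION_TOTAL_DEVICES:
            plan[(product.name, region)] = (start, stagger_days(product, region))
    return plan


def worst_case_unpatched_days(plan: dict) -> int:
    """Longest time any device in the plan remains unpatched after the fix exists;
    this is the exposure window the answer argues must be kept minimal."""
    return max(start + days - 1 for start, days in plan.values())


# Constructed fleet: a low-share device and a high-share device with a 300 MB patch.
SAMPLE_PRODUCTS = [
    Product("Nexus 6P", 300, {"NA": 1_000_000, "APAC-rural": 50_000}),
    Product("MassPhone", 300, {"NA": 40_000_000, "APAC-rural": 2_000_000}),
]

if __name__ == "__main__":
    plan = plan_rollout(SAMPLE_PRODUCTS, zero_day_fixes={"Nexus 6P"})
    for key, (start, days) in sorted(plan.items()):
        print(f"{key[0]:10s} {key[1]:11s} start=day {start:2d} spread={days} day(s)")
    print("worst-case unpatched days:", worst_case_unpatched_days(plan))
```

With these inputs the low-share Nexus 6P goes to every region on day 0 in one day, while the high-share MassPhone is spread over 3 days in NA and 6 days in the bandwidth-constrained region; the planner never produces a multi-week gap unless a region's budget is tiny relative to the fleet, which is the point the answer makes about the Nexus 6P.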


However, for security patches, wouldn't a staggered release make it much easier for blackhat hackers to utilize the now-public vulnerabilities against users whose devices have not yet received the OTA, even though a patch for their device model is already available?

Easier than what? is the important question. Yes, it will be easier for the hacker for a few days while the update is being pushed out. But it will be much harder for the hacker than if the update was not sent at all.

A staggered release keeps the network moving, the servers running, and the 1s and 0s flowing while everyone gets their update. If every Android device out there tried to update all at once, you would end up with a massive amount of traffic hitting a tiny resource.

The other option is only doing an update when people "scan" for it. That's horrible too.

So while the staggered approach is not the absolute best, it is the best available in regard to resources.

Keep in mind that in order to take advantage of this window you would need to find a device between the time the patch was released and when it (the device) got its update.

Also remember that Android is Open Source. It's far more profitable to write exploits that are still viable than ones that you know will be fixed in the next release (because you can see the code).

So, in summary:

  • The fixes are not a secret before the security push starts anyway.
  • It's better than no updates at all
  • It's better than crashing the mobile network or update server.
  • The window of opportunity is such that very few people should be affected who are not already an active target.