How to win an evolutionary arms race

Abstract

To keep up with malware writers, software producers in both the commercial and open-source software worlds have adopted various automatic software update mechanisms. Some of these mechanisms distribute updates after requesting a user's permission; others install updates automatically. Although such systems provide some short-term relief, they will likely soon become ineffective, and further, they will also become extremely dangerous once they are inevitably co-opted by attackers. If we want the Internet to remain a viable way to communicate and collaborate, we must adopt another, perhaps radically different, model for securing our computers. To better understand this conclusion, we should first re-examine why developers and users are embracing automated update systems.