Shostack + Friends Blog


Patching in 2024

In late 2024, people are being offered a choice of features versus security. The ad for Synology photos displayed after an emergency security update.

This week, Synology released a security patch (for Synology Photos, a default part of some of their products) without telling anyone.

When I went to install it, I learned that the security update comes with mandatory disabling of video conversion for H.264/265*. Now, it’s possible that the bugs that the researchers found led Synology to find that the libraries they were using were a wretched hive of vulnerabilities, and the best fix involves ripping out a library, but that’s not what they’re saying.

What they say is “Media Server will discontinue support for video conversion to reduce unnecessary resource usage since most end devices support a wide range of media formats.” Have a device without such support? Oh well! The issue here is that Synology is suddenly ending support for a feature, and making security conditional on accepting that something no longer works.

Way back in 2003, we wrote about how people made rational tradeoffs of integrity versus availability when patches are released. We didn’t take into account tradeoffs when user interfaces change or functionality goes away.

There are security influencers who repeat things like “yo, patch yo stuff already.” And sometimes, those cues to action are important. But sometimes, people are either rational in delaying, or reasonable in their fear that an update will break something. In public health, there’s a “health belief model” that helps us understand why people take preventative action (or don’t). Expectations that it’ll hurt, take time or money are active inhibitors to health. In 2023, I introduced a Cyber Belief Model. We need to move towards a compassionate understanding of why people don’t patch, and towards practices that make it easier.

CISA’s Secure By Design Pledge already calls for measurably increasing the installation of patches. I’m calling on them to enhance the language around end-of-life products, to say that features can only be turned off before end-of-life in the most extraordinary of circumstances.

To be fair to Synology’s security team, they’re doing a good job at pushing MFA. The second (adaptive) dialog comes up if you say no to the first.

The full ad for Synology Photos, which, to be fair, at least maintains a “no thanks” in addition to the “remind me later.”

While I’m commenting, let me capture this excellent example of the principle of most privilege, as exemplified by Plex:

* I think those were the formats; I didn’t screenshot it, and it’s not documented in the release notes.