Operating systems and web browsers now auto-update themselves. This lets your OS and browser vendors patch vulnerabilities quickly, but it makes the update vendor a permanently trusted third party.

In exchange for quick patches, you are now continuously vulnerable to the vendor being compromised, or just making a dumb mistake.

Whoever controls auto-update can deliver a targeted attack on any computer in the update network, at any time.

Even if you’re never explicitly targeted, the whole network is constantly vulnerable to a single mistake by the update vendor.

Throughout history, software vendors have released plenty of updates that their users hate, as well as ones that introduce new vulnerabilities, as Apple did with High Sierra.