{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T18:04:22Z","timestamp":1783965862610,"version":"3.55.0"},"reference-count":44,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T00:00:00Z","timestamp":1781049600000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004063","name":"Knut and Alice Wallenberg Foundation","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004063","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001729","name":"Stiftelsen f\u00f6r\u00a0Strategisk Forskning","doi-asserted-by":"publisher","award":["FUS21-0033"],"award-info":[{"award-number":["FUS21-0033"]}],"id":[{"id":"10.13039\/501100001729","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,11]]},"DOI":"10.1016\/j.cose.2026.105019","type":"journal-article","created":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T23:59:00Z","timestamp":1781135940000},"page":"105019","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["Understanding security risks in update mechanisms of computing systems"],"prefix":"10.1016","volume":"170","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6781-1420","authenticated-orcid":false,"given":"Ahmad B.","family":"Usman","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1916-3398","authenticated-orcid":false,"given":"Mikael","family":"Asplund","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.105019_b1","series-title":"2024 IEEE 48th Annual Computers, Software, and Applications Conference","first-page":"2195","article-title":"ZT-OTA update framework for IoT devices toward zero trust IoT","author":"Aoki","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b2","doi-asserted-by":"crossref","DOI":"10.1109\/TCAD.2018.2858422","article-title":"ASSURED: Architecture for secure software update of realistic embedded devices","author":"Asokan","year":"2018","journal-title":"IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst."},{"key":"10.1016\/j.cose.2026.105019_b3","series-title":"First USENIX Workshop on Hot Topics in Security (HotSec 06)","article-title":"Secure software updates: Disappointments and new challenges","author":"Bellissimo","year":"2006"},{"key":"10.1016\/j.cose.2026.105019_b4","series-title":"Proceedings of the 19th ACM Asia Conference on Computer and Communications Security","article-title":"Cryptography in the wild: An empirical analysis of vulnerabilities in cryptographic libraries","author":"Blessing","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b5","series-title":"Theory and Applications of Dependable Computer Systems","first-page":"82","article-title":"CVE based classification of vulnerable IoT systems","author":"Blinowski","year":"2020"},{"key":"10.1016\/j.cose.2026.105019_b6","series-title":"Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations","author":"Boyens","year":"2022"},{"key":"10.1016\/j.cose.2026.105019_b7","series-title":"Foundations and Practice of Security","article-title":"Towards characterizing IoT software update practices","author":"Bradley","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b8","series-title":"NDSS","article-title":"Towards automated dynamic analysis for linux-based embedded firmware","author":"Chen","year":"2016"},{"issue":"2","key":"10.1016\/j.cose.2026.105019_b9","doi-asserted-by":"crossref","first-page":"47","DOI":"10.1109\/MSP.2012.113","article-title":"Protecting your software updates","volume":"11","author":"Coppens","year":"2013","journal-title":"IEEE Secur. Priv."},{"key":"10.1016\/j.cose.2026.105019_b10","series-title":"23rd USENIX Security Symposium (USENIX Security 14)","article-title":"A large-scale analysis of the security of embedded firmwares","author":"Costin","year":"2014"},{"key":"10.1016\/j.cose.2026.105019_b11","series-title":"Common vulnerabilities and exposures (CVE)","author":"CVE Program","year":"2026"},{"key":"10.1016\/j.cose.2026.105019_b12","series-title":"CVE list V5 repository","author":"CVE Project","year":"2026"},{"key":"10.1016\/j.cose.2026.105019_b13","series-title":"CWE top 25 most dangerous software weaknesses","author":"CWE Program","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b14","series-title":"CWE schema documentation","author":"CWE Program","year":"2026"},{"key":"10.1016\/j.cose.2026.105019_b15","series-title":"Common vulnerability scoring system v3.1: Specification document","author":"FIRST","year":"2025"},{"key":"10.1016\/j.cose.2026.105019_b16","series-title":"Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","first-page":"41","article-title":"Differential static analysis for detecting malicious updates to open source packages","author":"Froh","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b17","series-title":"2023 IEEE 8th European Symposium on Security and Privacy","article-title":"Aot - attack on things: A security analysis of IoT firmware updates","author":"Ibrahim","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b18","series-title":"Proceedings of the 5th on Cyber-Physical System Security Workshop","article-title":"Decentralized firmware attestation for in-vehicle networks","author":"Khodari","year":"2019"},{"key":"10.1016\/j.cose.2026.105019_b19","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2022.102952","article-title":"AutoCert: Automated TOCTOU-secure digital certification for IoT with combined authentication and assurance","author":"Khurshid","year":"2023","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105019_b20","article-title":"A call for mandatory input validation and fuzz testing","author":"K\u00f8ien","year":"2023","journal-title":"Wirel. Pers. Commun."},{"key":"10.1016\/j.cose.2026.105019_b21","series-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security","article-title":"A large-scale empirical study of security patches","author":"Li","year":"2017"},{"key":"10.1016\/j.cose.2026.105019_b22","article-title":"Enhancing malware analysis sandboxes with emulated user behavior","author":"Liu","year":"2022","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.105019_b23","series-title":"Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses","article-title":"A comprehensive, automated security analysis of the uptane automotive over-the-air update framework","author":"Lorch","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b24","series-title":"2021 International Conference on Computer, Internet of Things and Control Engineering","first-page":"138","article-title":"Vulnerability assessment of IoT devices through multi-layer keyword matching","author":"Luo","year":"2021"},{"key":"10.1016\/j.cose.2026.105019_b25","series-title":"Proceedings of the 4th Workshop on CPS & IoT Security and Privacy","article-title":"Rosym: Robust symmetric key based IoT software upgrade over-the-air","author":"Nikbakht Bideh","year":"2022"},{"key":"10.1016\/j.cose.2026.105019_b26","series-title":"Critical Information Infrastructures Security","article-title":"Vulnerability analysis of an electric vehicle charging ecosystem","author":"Plaka","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b27","series-title":"Proceedings of the 39th Annual Computer Security Applications Conference","first-page":"283","article-title":"Secure and lightweight ECU attestations for resilient over-the-air updates in connected vehicles","author":"Plappert","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b28","series-title":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","article-title":"Inferring software update practices on smart home IoT devices through user agent analysis","author":"Prakash","year":"2022"},{"key":"10.1016\/j.cose.2026.105019_b29","series-title":"2023 IEEE International Conference on Metaverse Computing, Networking and Applications (MetaCom)","article-title":"XVRS: Extended vulnerability risk scoring based on threat intelligence","author":"Seker","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b30","series-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","article-title":"Find my sloths: Automated comparative analysis of how real enterprise computers keep up with the software update races","author":"Setayeshfar","year":"2021"},{"key":"10.1016\/j.cose.2026.105019_b31","series-title":"Proceedings of the 17th Panhellenic Conference on Informatics","article-title":"WIVSS: A new methodology for scoring information systems vulnerabilities","author":"Spanos","year":"2013"},{"key":"10.1016\/j.cose.2026.105019_b32","doi-asserted-by":"crossref","DOI":"10.1109\/MSEC.2020.3044475","article-title":"Time to change the CVSS?","author":"Spring","year":"2021","journal-title":"IEEE Secur. Priv."},{"issue":"3","key":"10.1016\/j.cose.2026.105019_b33","doi-asserted-by":"crossref","DOI":"10.1109\/TSE.2022.3176674","article-title":"Software updates strategies: A quantitative evaluation against advanced persistent threats","author":"Tizio","year":"2023","journal-title":"IEEE Trans. Softw. Eng."},{"key":"10.1016\/j.cose.2026.105019_b34","series-title":"22nd International Symposium on Research in Attacks, Intrusions and Defenses","article-title":"ScaRR: Scalable runtime remote attestation for complex systems","author":"Toffalini","year":"2019"},{"key":"10.1016\/j.cose.2026.105019_b35","series-title":"2017 18th IEEE\/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing","article-title":"Security vulnerability assessment for software version upgrade","author":"Treetippayaruk","year":"2017"},{"key":"10.1016\/j.cose.2026.105019_b36","series-title":"Human Aspects of Information Security and Assurance","first-page":"420","article-title":"On the inconsistency of update-related vulnerabilities","author":"Usman","year":"2026"},{"issue":"2","key":"10.1016\/j.cose.2026.105019_b37","doi-asserted-by":"crossref","first-page":"75","DOI":"10.1007\/s10207-026-01233-1","article-title":"Bridging remote attestation and secure software updates in embedded systems","volume":"25","author":"Usman","year":"2026","journal-title":"Int. J. Inf. Secur."},{"key":"10.1016\/j.cose.2026.105019_b38","series-title":"ICT Systems Security and Privacy Protection","first-page":"97","article-title":"Update at your own risk: Analysis and recommendations for update-related vulnerabilities","author":"Usman","year":"2025"},{"key":"10.1016\/j.cose.2026.105019_b39","series-title":"Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems","article-title":"Remote attestation assurance arguments for trusted execution environments","author":"Usman","year":"2023"},{"key":"10.1016\/j.cose.2026.105019_b40","series-title":"Proceedings of the 13th European Conference on Software Architecture","article-title":"A study of over-the-air (OTA) update systems for CPS and IoT operating systems","author":"Villegas","year":"2019"},{"key":"10.1016\/j.cose.2026.105019_b41","series-title":"2009 International Conference on Software Testing Verification and Validation","article-title":"The effectiveness of automated static analysis tools for fault detection and refactoring prediction","author":"Wedyan","year":"2009"},{"key":"10.1016\/j.cose.2026.105019_b42","series-title":"Proceedings of the 19th International Conference on Availability, Reliability and Security","article-title":"Provably secure communication protocols for remote attestation","author":"Wilson","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b43","series-title":"33rd USENIX Security Symposium (USENIX Security 24)","article-title":"Your firmware has arrived: A study of firmware update vulnerabilities","author":"Wu","year":"2024"},{"key":"10.1016\/j.cose.2026.105019_b44","series-title":"31st USENIX Security Symposium (USENIX Security 22)","article-title":"OS-aware vulnerability prioritization via differential severity analysis","author":"Wu","year":"2022"}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001951?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826001951?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T17:12:41Z","timestamp":1783962761000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826001951"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,11]]},"references-count":44,"alternative-id":["S0167404826001951"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.105019","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,11]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Understanding security risks in update mechanisms of computing systems","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.105019","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"105019"}}