Slashdot Mirror


95 Of Every 100 Windows PCs Miss Security Updates

An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here."

126 comments

  1. Hang on- by Naughty+Bob · · Score: 5, Funny

    Well shit! This would explain all that stuff about Windows and viruses I keep hearing about....

    --
    "Be light, stinging, insolent and melancholy"
    1. Re:Hang on- by ideapete · · Score: 1

      Yup and 100% on wintel machines coming don't either

      Wow this is scary I am going back to the abacus

      --
      ideapete
  2. Sounds like like Lunix, OSX by Anonymous Coward · · Score: 5, Insightful

    So the point isn't about Windows... the point is about users.

    1. Re:Sounds like like Lunix, OSX by Architect_sasyr · · Score: 5, Interesting

      I don't know why this was modded flamebait, maybe because the AC says "Lunix". The point *is* about Lusers, that is the WHOLE point. I for one know that the only reason my Mac users update their software is so that they can have the latest and greatest, the Linux guys in the office don't update their software. This is actually good because I rely on exploits to gain remote control over some of those machines which are *technically* out of my jurisdiction. The windows users all update their software regularly. Why? Because I built a WSUS server and FORCE them to via group policy. Fully 85% of them hadn't done a single update till I forced this out (note: only recently stepped into this role, so not my fault!). I know most of them don't do it at home.

      Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    2. Re:Sounds like like Lunix, OSX by Naughty+Bob · · Score: 2, Insightful

      Agreed it's a PEBKAC, pretty much the only predictable thing when designing software is the likelihood of humans, with all their crazy ways, using it. That's why this story is really about how effectively software producers anticipate, discourage, and otherwise strive to design out situations like the one described. MS may be evil, but it's not the point here for sure. The point is that they don't take a cogent, cohesive view of the whole social engineering side of their business.

      --
      "Be light, stinging, insolent and melancholy"
    3. Re:Sounds like like Lunix, OSX by techno-vampire · · Score: 2, Interesting
      ...the Linux guys in the office don't update their software.


      Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.

      --
      Good, inexpensive web hosting
    4. Re:Sounds like like Lunix, OSX by Anonymous Coward · · Score: 1, Insightful

      Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching. Would it matter in the slightest if everyone patched themselves anyway? Exploits in Windows are a dime a dozen, I just make sure to have a secure connection, avoid IE and block scripts by default, keep my AV and spyware removal tools varied and up to date and completely ignore Windows service patches.

    5. Re:Sounds like like Lunix, OSX by VGPowerlord · · Score: 3, Insightful

      Mac users don't get annoyed by the bouncing icon?
      Ubuntu users don't get annoyed by the yellow box that pops up about system updates?

      You'd think that update systems that get on people's nerves would actually make them update...

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    6. Re:Sounds like like Lunix, OSX by Anonymous Coward · · Score: 0

      Have you never heard of `sudo`?

    7. Re:Sounds like like Lunix, OSX by techno-vampire · · Score: 2, Interesting

      The Uptodate program in Fedora runs automatically in X, and prompts for the root password. Sudo, although a good program, wouldn't help here. (Having the program suid to root would work, of course, now that I think of it.)

      --
      Good, inexpensive web hosting
    8. Re:Sounds like like Lunix, OSX by Ajehals · · Score: 2, Interesting

      This isn't just about the OS upgrades though, the huge difference between updating a Windows box and (for example) a Debian box is that you update *everything* when you update. On top of that you can (as with Windows) just go for security updates, use a local mirror (I assume Windows does this) and automate updates. Of course that's a home environment, for corporate environments it is even easier as your local mirror and update system (WSUS equivalent) is also handily your software repository and RIS service.

      On a home Windows box you may have to configure 5-8 different update systems (sometimes different, or at least separate systems for different packages from the same vendor) *and* make sure they are doing what they are supposed to do, not to mention that some software doesn't even have an automated update facility and needs manual upgrading. In a corporate setting you should be able to apply most updates in an automatic way (although some probably won't be easily automated) and WUS takes some of the strain for the OS, other Microsoft Software and Drivers etc.

      Strangely even my ISP offers a Debian mirror these days so downloads are blindingly fast (I actually manage to reach the DSL download 'speeds' I am paying for).

    9. Re:Sounds like like Lunix, OSX by ucblockhead · · Score: 1

      The nice thing about debian based distributions is that there's a system that automatically patches nearly all installed applications rather than just the OS itself.

      --
      The cake is a pie
    10. Re:Sounds like like Lunix, OSX by swimin · · Score: 2, Insightful

      Please look up gtksudo.

    11. Re:Sounds like like Lunix, OSX by ichigo+2.0 · · Score: 1

      Most worms/viruses in the wild are based on reverse-engineered security updates, so keeping your computer up to date is a Good Idea. I have no idea how well anti-virus scanners work, but since XP came out I have relied exclusively on security updates, a hardware firewall, avoiding IE and suspicious software without any problems. OTOH the contents of my computer are expendable, so I'd rather wipe everything and reinstall than spend a large portion of my computing resources on real-time anti-virus software. Hell, as long as a virus uses up less resources than a virus scanner I might even let it live, I'd still be ahead.

    12. Re:Sounds like like Lunix, OSX by 1u3hr · · Score: 1
      Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching.

      My PC runs Win2k, my wife has an XP laptop. I've updated both to the last full service packs, but not any of the incremental patches. I hide or delete IE and Outlook, have a router and software firewalls. In 6 years no virus or exploits. And yes, I would know -- in previous discussions people smugly say my PCs must be zombies and I'm just too dumb to notice. If you don't believe me, sorry.

    13. Re:Sounds like like Lunix, OSX by T-Bone-T · · Score: 1

      Funny, I use IE, Outlook, Vista, and try to keep the list of updates as close to 0 as possible and I haven't had a virus in over a year. That one virus I had over a year ago on XP had a strong possibility of being a false positive. My history before that is also basically the same.

    14. Re:Sounds like like Lunix, OSX by tsa · · Score: 1

      My thoughts exactly. I hate virus scanners with a passion. They are responsible for so many lost hours they're really not worth the trouble. Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses. That's 40 weeks a year 20 minutes, makes about 13 hours lost time. I cost around 100 euros an hour, so that's 1300 euros down the drain. Nice work, Norton!

      --

      -- Cheers!

    15. Re:Sounds like like Lunix, OSX by tsa · · Score: 0, Offtopic

      And drat, it's "its", not "it's" in '...check its viruses.' I never thought I'd make that mistake. AAaaarrg!

      --

      -- Cheers!

    16. Re:Sounds like like Lunix, OSX by Jugalator · · Score: 1

      ... and Windows users don't get annoyed by the reminder that pops up every now and then?

      But I'm not sure if it's just about the OS bits. This article talks of third party apps. In Ubuntu, such apps are often covered (unlike in Windows) by the auto-updater too in case they came from the Ubuntu repositories, but not ALL of them, for example if they're not covered by the auto updater and one wouldn't care.

      And in this survey, they're including Windows installs with even just ONE unpatched application. No wonder the number is so high.

      --
      Beware: In C++, your friends can see your privates!
    17. Re:Sounds like like Lunix, OSX by Anonymous Coward · · Score: 0

      dumbass faggot.

    18. Re:Sounds like like Lunix, OSX by MrAngryForNoReason · · Score: 1

      Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses.

      Wouldn't it make more sense to schedule a scan on Thursday afternoon at whatever time you finish work and set it to shutdown the machine on completion?

      I have my anti virus program set to run at 5pm every day. If I am working later than 5pm then I either just cancel it safe in the knowledge that it will run the next day or let it run in the background, with a dual core processor I find the performance hit is negligible.

    19. Re:Sounds like like Lunix, OSX by darthflo · · Score: 1

      Whoa. You cost 100 an hour, (apparently) work in IT and still use Norton? Masochist.

    20. Re:Sounds like like Lunix, OSX by Drooling+Iguana · · Score: 1

      You get 12 weeks vacation per year? Lucky bastard. I don't even get 12 days.

      --
      ... I'm addicted to placebos
    21. Re:Sounds like like Lunix, OSX by ais523 · · Score: 1

      Ubuntu's auto-update works like sudo, that is, it asks you for your own password rather than the root password (because there isn't a root password on Ubuntu). You still need to be in the admin group, but that's common practice for home users (unlike in Windows, admin-group users in Ubuntu can't do anything that a normal user could do without a sudo or the graphical equivalent, the right just makes it possible to sudo).

      --
      (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
    22. Re:Sounds like like Lunix, OSX by techno-vampire · · Score: 1

      In Fedora, at least, Uptodate works as a daemon and notifies you when there are updates to download, rather like Windows with Automatic Update. How would gtksudo help?

      --
      Good, inexpensive web hosting
    23. Re:Sounds like like Lunix, OSX by tsa · · Score: 1

      Now that you mention it, that seems indeed a bit much... O well, so it's even more money down the drain!

      --

      -- Cheers!

    24. Re:Sounds like like Lunix, OSX by tsa · · Score: 1

      No, I work as a researcher at a University. Our IT staff punishes us with this stupid virus scanner. We can't do anything about the schedule either. Grrrr...

      --

      -- Cheers!

    25. Re:Sounds like like Lunix, OSX by VGPowerlord · · Score: 1

      As I recall, the Windows Update balloon goes away on its own if you ignore it.

      Also, the grandparent was talking just about system updates that he forces down to users with WSUS.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    26. Re:Sounds like like Lunix, OSX by PastaLover · · Score: 1

      Jup same here. I just keep it patched, have been running the same win xp install for 5 (almost 6) years now and not one spyware or virus infection. I don't use IE or outlook though, but still. I don't get the post a couple of levels up about using virus scanners. Virus scanners are for corporate stooges and regular joe's, the rest of us should be smart enough not to open those pesky virus mails, or install spyware laden software.

  3. I'm not shocked by Nero+Nimbus · · Score: 3, Insightful

    This isn't really surprising, given that most people treat computers like just another appliance. Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

    1. Re:I'm not shocked by scum-e-bag · · Score: 1

      Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
      ...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.
      --
      Does it go on forever?
    2. Re:I'm not shocked by JacobO · · Score: 1

      I personally get annoyed by the intrusive software that interrupts my work (or play) with something I'm not particularly interested in: software updates. Do it silently and let me get back to Desktop Tower Defense!

    3. Re:I'm not shocked by Monsuco · · Score: 1

      actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
      I wonder why all these companies, Adobe, Real, Sun, Apple, these companies want their products up to date, MS wants Windows to be secure and therefore would want all the software on it to be patched, why not work out a deal where other software providers can update through MS update along with Office and Windows. I do think it might be against antitrust laws so they might be restricted in that way.
    4. Re:I'm not shocked by Traxxas · · Score: 1

      Come on, I love waiting 3 weeks for a Firefox update.

    5. Re:I'm not shocked by Nero+Nimbus · · Score: 1

      You can't do something like that! It makes too much sense.

    6. Re:I'm not shocked by snl2587 · · Score: 1

      ...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.

      ...only if you're using the default repositories and not the most current ones. One of the little things about Ubuntu is that only well-tested updates make it to final release, and this takes time. Should certain updates be pushed through almost instantly? Of course they should, and things like the recent Samba Server update (update to the update, really) are.

      I know that for my Windows box I'm one of those 95%. I have so much crap on there that I wouldn't be surprised if 95% of the programs were unpatched, ignoring those that actually prompt me to update (which seems to be limited to my office, firewall and antivirus programs).

    7. Re:I'm not shocked by Jugalator · · Score: 1

      so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
      It may be slightly easier in Ubuntu for various reasons, but I'd say it's still quite a challenge to keep 100% of all software used updated at all times for a novice user, even on Linux. The repository-based installs help a lot, but not all of the software is installed that way, for example.
      --
      Beware: In C++, your friends can see your privates!
  4. Is that... by 15Bit · · Score: 2, Insightful

    ...just the legit licensed ones they're talking about or *all* Windows PC's?

    1. Re:Is that... by Qzukk · · Score: 4, Insightful

      Nah, it's the ones where people did the smart thing: they set up automatic updates, they set up a non-privileged user that they use every day... then they never logged back in as Administrator to click "ok" on the service pack 2 license.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Is that... by VGPowerlord · · Score: 1

      I haven't actually tried this, but doesn't the Windows Update Service just throw the notice at whichever user is logged in, since it already runs as a privileged user?

      This also doesn't apply to businesses that use a WSUS (http://technet.microsoft.com/en-us/wsus/default.aspx) setup (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    3. Re:Is that... by ashridah · · Score: 1

      Those popups actually run as SYSTEM, (which is why you can't get hyperlinks in them, incidentally) so you can still apply updates through them. Means that the updating tool needs to be careful, of course.

      ash

    4. Re:Is that... by Anonymous Coward · · Score: 0

      By default, no; only administrators receive automatic update prompts. This means that things which require acceptance of a licence agreement will never be automatically installed (essentially just service packs and IE7).

      This can be changed in group policy. Additionally, WSUS will allow you to force any update through, licence or no.

  5. Re-think by Anonymous Coward · · Score: 0, Insightful

    This kind of data ought to prompt serious developers to drastically re-think the current desktop security paradigm. Whether it's Windows, Mac OS or Linux, the premise is that the software will frequently prove insecure or deficient and regular updates are required. We expect users to OK these updates and wait for them to take place.

    Obviously 95% of people aren't doing this, so what do we change to fix that? We need to have some combination of the following:


    • Less updates
    • Less security holes
    • Smaller updates
    • Less user intervention

    Personally I think the ideal solution would be to first lock the desktop down. Nothing listens on any ports, ever, unless the user downloads and installs something new. Strip out relatively unused functionality, because it's not worth the security tradeoff. No more Internet Explorers: the specific people responsible for fuck-ups so disastrous and far-reaching ought to be named, shamed, and unemployed. The same goes for the clown responsible for Ubuntu storing the root password in plain-text during installation, if you're concerned about balance.


    I know this is all a pipe-dream, and nothing will ever change. What I secretly wish for is for something on the scale of the Storm Worm, only more malicious and destructive. If somebody gives the public something serious, like a computing 9/11... I don't know... Wipe all their stupid mp3s and photos or something. Really drive it home into the public consciousness. Maybe then they'll understand that the internet is serious business. Also I'm drunk, which if Taco had the slightest clue what he was fucking doing in Perl, would mean an automatic +1 Drunk post score bonus. Fuck you Rob, all this fucking JavaScript has ruined Slashdot for me.

    1. Re:Re-think by DCTooTall · · Score: 1

      Hmmm... Better option to drive it home to the public without causing MASSIVE damages....

      Take all the pictures and email on the Harddrive and make it publicly accessible. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive. Hell... put those C&C servers to good use if need be and proxy the connections so that it can even be a non-standard port for those ISPs that block port 80 servers.... and to get around NAT routers, and other software firewalls.

      Why do I think this would be a better way to shock people into action? Several reasons.
      1. People in general have a LOT they may not want getting out for purely embarrassment reasons. Knowing that not taking security of their machine seriously could result in this could do more good than simply forcing them to reload because their programs no longer work, or their system is now "slow".
      2. The Politicians and corporate types who like to think that there's nothing wrong with the state of computer security, or that their programs are not gonna get hit because X company says they build secure software, and don't question the claim.....usually have more to hide and therefore are much more likely to step up and realize that something needs to be done to fix the problem and/or force proper accountability on people to patch their bugs. (how many security holes exist and are known, but said companies refuse to acknowledge them UNTIL after they are exploited?)


      And My personal favorite reason......3. Think of all the free amateur porn we'd suddenly have access to from people who don't think their "private" picture folder will EVER be seen? That alone could be worth the price of admission. lol


      Hmmmm.... ya know... Since there seems to always be a Financial reason for people to create and seed virii these days...Said central server could charge a small access fee to gain access to said "web-content". Money is made for the person who implements the idea... and the public still gets their embarrassment wake-up call. It's win-win....

    2. Re:Re-think by ToasterMonkey · · Score: 2, Interesting

      I really think this is one case where user education should be considered more important.

      There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, and less understood. There will be a bigger gap between the frequency required for driving under "normal" conditions and "severe".

      There are similar conditions with software updates. Sometimes patches should be applied immediately, sometimes they can be put off longer. One thing is for sure, they will always be necessary, at least in the foreseeable future. In both cases, higher frequency is always better. Wouldn't an optimal solution be that both processes are as cheap, fast, and painless as possible, enabling them to be done very frequently? Imagine if an oil change was as painless as getting your car washed at the gas station is, or just an extra button to press at the pump. Now, given price of oil, that might not be feasible in the absence of some kind of cheap oil recondition/reuse process. Still, it's a better solution than merely lengthening the frequency.

      I'd say your "Smaller updates", and "Less user intervention" should be among the highest priorities, along with anything else that can make patching both as trivial and frequent as possible. Not only that, but if user intervention is required at all, the importance of the patches needs to be made clear. Patches fixing remotely exploitable bugs should be made VERY clear, in bright red colors or something, not mixed in casually with other patches like it's no big deal. Part of the problem now is that most users don't know WTF the severity of "Windows Updates" or "Software Updates" is. Neither of those sound very important do they? Maybe somewhere in the details of WU patch installation, the word "security" or "critical" is mentioned (can't remember, staying on the safe side), and Apple's Software Updates sometimes lists "Security Update" items. Those are not enough to convey the importance of applying patches promptly as possible.

    3. Re:Re-think by secolactico · · Score: 1

      Take all the pictures and email on the Harddrive and make it publicly accessible. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive.

      This could actually be more damaging than just deleting the files. Embarrassing would be just one result of exposing all this info. But you can probably get a lot of info from personal pictures to steal an identity or stalk/harass/hurt somebody.

      --
      No sig
    4. Re:Re-think by SanityInAnarchy · · Score: 1

      Obviously 95% of people aren't doing this, so what do we change to fix that?

      Here's what I'd do:

      1. Remove the user from the equation (fully automate everything)
      2. Not care what happens to anyone who disables #1
      --
      Don't thank God, thank a doctor!
    5. Re:Re-think by DCTooTall · · Score: 1

      Sadly I could say that they probably couldn't get anymore than existing social engineering and phishing methods don't already get. It would also potentially help maybe force something to be done about the existing financial and credit system which allows it to be so easy to have someone screw up your credit, yet so hard to fix it.

      (And sadly... I know from experience that it's also 100 times easier to get a stolen identity "fixed" in your credit, than it is to fix an error the credit agency made on their own.)

    6. Re:Re-think by BrianGKUAC · · Score: 1

      Sounds like a terrific way to make corporations with really old Excel data migrate to OpenOffice.

      --
      Menus: Linux=function, Windows=vendor, OS X=as little as possible. Makes a statement, don't you think?
    7. Re:Re-think by SanityInAnarchy · · Score: 1

      What does this have to do with OpenOffice?

      --
      Don't thank God, thank a doctor!
  6. Over All... by jellomizer · · Score: 2, Interesting

    I am not too surprised. I would think this is constant: 95 out of 100 Linux boxes are missing security updates, 95 out of 100 Macs are missing security updates.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Over All... by shadylookin · · Score: 1

      I doubt that, quite a few linux boxes are used for servers which most people take special care to keep secure. It also may be a little bias, but I think most linux users are more likely to get updates since installing linux is a conscious choice and they probably have a little more knowledge than the average Windows

    2. Re:Over All... by jammo · · Score: 1

      If it ain't broke, don't fix it! As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall why ever update it until you want to actually update the stuff it is serving. Most updates seem to slow things down these days. I only need to run a server or 2 on a box, maybe KDE or whatever, if the desktop is going to behave and not force me to retreat back to command line as some mime type change I made fancied opening an html file in some crap like kwrite when all I want is vi(m) anyway. I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server, adding all those tedious --include-something-or-others or whatever again. Can't be doing with change, maybe computers aren't for me, they bitch too much, especially Windows, with its Are you really sure's and You really don't want to do that, don't make me perpetuate the hourglass symbol crap!

    3. Re:Over All... by JimCDiver · · Score: 1

      Couple hundred Sun boxes at work. We still have some running Solaris 5.5. We absolutely do NOT update unless it is required for a business reason... and then it has to all go through Change Management to guarantee it's not going to castrate a couple million mail boxes. I think the DST fiasco last year cost us a few hundred man hours.

    4. Re:Over All... by SanityInAnarchy · · Score: 1

      As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall

      Or my server could be an updated firewall.

      At the very least, you want to keep sshd up-to-date.

      Most updates seem to slow things down these days.

      Plenty of updates speed things up. See Ruby.

      I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server

      Wow, your distro must suck.

      --
      Don't thank God, thank a doctor!
    5. Re:Over All... by Anonymous Coward · · Score: 0

      That's a whole load of horse sh*t.
      Most admins and especially Linux guys are lazy.

      Most boxes are not up-to-date.

      Boxes that are automatically updated are generally managed badly on some other side.

      This is once again one of these "we linux people are smarter, we're the elite" type of nonsense.
      That attitude also is keeping a lot of managers from really trusting your judgement and they are right....

    6. Re:Over All... by Anonymous Coward · · Score: 0

      I doubt it. Windows Update does not update applications, it only updates.. well.. Windows.

      Some Linux distros hassle you to install your updates Windows Update style.. others make you request updates be installed (and probably therefore have a lower percentage of systems up-to-date at any given time). But, importantly, either type of distro will update "the OS" AND any applications installed via the distro's package manager -- which may well be all applications on the system.

      I therefore suspect the percentage of Linux boxes with outstanding security patches is not close to 95%.

  7. People ignore software update alerts by Freaky+Spook · · Score: 4, Insightful


    When I look at people's computers these days they have heaps of different software popping up asking for updates, it's got to a point where people ignore it, because it's much too common.

    The thing that annoys me most about update alerts is they never give you a reason why the software should be updated. It would be nice if they would give you a link or a summary of simple reasons why you need to actually update their free crapware.

    Java and Adobe products are probably the worst with this.

    1. Re:People ignore software update alerts by QuantumG · · Score: 1

      Maybe Microsoft needs to supply an API for a single update manager.

      Either that, or get a proper package management system.

      --
      How we know is more important than what we know.
    2. Re:People ignore software update alerts by SanityInAnarchy · · Score: 2, Interesting

      See, I generally trust the updates, because I figure that if Adobe didn't screw me over the first time, they're not going to screw me over this time.

      So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.

      The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the day. If I really wanted to, I could script that -- have everything handled by a cron job.

      On Windows or OS X, there's probably at least five or ten things which try to auto-update (or at least ask permission), and another five or ten things which don't even try, but which it's generally a good idea to keep up to date. So I still make a habit of checking Windows Update, but there's also a dozen things I don't bother to check (partly because some won't even work; my video drivers are not likely to get any more updates, ever), and there's a dozen things that pop up and cheerfully inform me that I have a few hundred megs worth of, say, Java updates to download.

      So yes, Windows needs a proper package manager. A package manager is more than updates, but it would be nice to have just one place to check for updates, or just one thing that nags me to update, and then not have to deal with it for the rest of the day.

      Fortunately, with HD-DVD work on hold, I get to run Linux at work.

      --
      Don't thank God, thank a doctor!
    3. Re:People ignore software update alerts by Anonymous Coward · · Score: 0

      It is well that they do, for all, I mean ALL so called updates are really to convert the crapware, whatever it is, to scamware or spyware or some other kind of malware or any version or combination thereof. Just one example, SP2 for XP and SP4 for Win2K was spyware on the operating system level.
      Hey, the data these so called updates steal and feed through the internet to shadowy database operators must have value and be immensely resellable. Look at Kroger and their 'Kroger-Plus' card. That little piece of crap identifies you and stores all your grocery and other purchases. What use it makes of all this is not volunteered. One use was found out by the Berkeley Barb when it reported this company volunteering its 'customer data' to the Homeland Security Department. In any case, Kroger is willing to forego up to forty percent of the retail price of any given item just to have a customer's data on that item. On the basis of watching what a company does rather than what it says, this speaks volumes. That is why no windows users that have any intelligence 'update' their stuff.
      Who wants 'online activation' when they know that three hardware upgrades to their pooter and they are not only refused another, but blacklisted as well; meaning that person's new purchase of another microsoft product will be blackholed as well.

    4. Re:People ignore software update alerts by Anonymous Coward · · Score: 0

      I know I ignore software update alerts. Most of the time, if it's not a security fix, I don't care. I have a working computer that does what I want. How many Windows users really needed the new functionality of the latest WMP with DRM? I don't even use WMP.

  8. Sales FUD by MeanMF · · Score: 4, Informative

    They're looking at EVERY piece of software installed on the computer, not the OS itself. They're doing this along with a very generous definition of "security update" to come up with hugely inflated numbers so they can better scare the clueless into buying their services.

    1. Re:Sales FUD by phantomcircuit · · Score: 1

      Except this software is free for non-commercial users.

    2. Re:Sales FUD by hurfy · · Score: 1

      I think EVERY is an understatement. The stats come out to over 81 applications on AVERAGE per computer. Huh? Even counting the Acrobat reader which always screams for an update and says it may not be able to open a file just before it does so, I can't imagine what that covers.

      Also have to agree with comment below...The security conscious/paranoid are not going to install a 3rd party app that reports their vulnerabilities back to said 3rd party!

  9. duhhhh.... by debatem1 · · Score: 4, Insightful

    Anybody who is remotely worried about security is probably not going to download a tool that reports your security status to another organization.

  10. Run Microsoft Update not windows update on windows by Joe+The+Dragon · · Score: 3, Informative

    Run Microsoft Update not windows update on windows system to get all of the windows base os + other APIs and runtimes + office updates.

  11. Updates Slow Computer Down by smist08 · · Score: 3, Insightful

    Many people have a bad impression of updates. They know for sure that updates slow down the computer and they know for sure that updates have previously broken things. So you have a choice: 1. Install something that will degrade your computer (possibly making parts of it unusable) or 2. Don't install it and just hope that you don't open a bad email or something, after all practically speaking viruses and trojans are quite rare.

  12. How much of this is stuff people aren't using? by DrData99 · · Score: 3, Informative

    With all the pre-installed trials and other crapware that comes with home computers it is likely that many of these unpatched applications are ones that are not really at risk since they are never used. I see this even at work, where we run regular vulnerability scans. You tell a user that they need to update and get told that they haven't used said product in .

  13. Not worth it by kemushi88 · · Score: 1

    Except for the occasional windows patch, I don't think most of the patches really offer much benefit for the casual user. Is a tiny reduction in your vulnerability worth the effort/time it would take to run the update software/visit the manufacturer's web site for every piece of software that you own? I think the article would be more powerful if it stated 95 out of every 100 crash/identity theft/virus attack would have been prevented by a patch.

    1. Re:Not worth it by SanityInAnarchy · · Score: 1

      run the update software/visit the manufacturer's web site for every piece of software that you own?

      It's not so bad when they update themselves (Adobe, Java, Apple, etc).

      But yes, having to visit the manufacturer's website is bad. That's why we have this concept of a "package manager" on Linux, and why we're still so confused that people think it's more complex to install and manage software on Linux than on other systems.

      Actually, I lied, there are currently two package managers I have to keep track of: Debian (Ubuntu) Apt and Rubygems.

      Still, it means that if I really want to, I can do this:

      sudo apt-get update && sudo apt-get dist-upgrade && sudo gem update

      That will update everything except the Windows software that I have under Wine... Hell, I could add a couple of svn updates to that line, and it'd even keep me up-to-date with everyone else in the office!

      --
      Don't thank God, thank a doctor!
  14. May I partially disagree with you, sir? by Spy+der+Mann · · Score: 1

    Agreed, users SHOULD update their software regularly. However, one thing is having the will to update software, and a very different thing is having software with the need to update every 4 weeks!

    Some versions of PHP, OpenSSL and Apache are buggy. Granted. However, not all users have a webserver on their machines. The problem is when the software they're running (i.e. Windows) is so crappy and awfully designed that its security has more holes than swiss cheese.

    1. Re:May I partially disagree with you, sir? by WillAffleckUW · · Score: 1

      Some of our dual-boot machines aren't used in the Windows configuration very often.

      Why bother dual booting over to Windows just to download security patches when the last time someone ran Windows on that box was in 2006?

      --
      -- Tigger warning: This post may contain tiggers! --
    2. Re:May I partially disagree with you, sir? by Anonymous Coward · · Score: 0

      Some of our dual-boot machines aren't used in the Windows configuration very often.

      Why bother dual booting over to Windows just to download security patches when the last time someone ran Windows on that box was in 2006?


      Then dual-booting is a really bad option for you.

      If you can't be bothered to keep your software secure, you shouldn't have it there.
    3. Re:May I partially disagree with you, sir? by WillAffleckUW · · Score: 1

      It's our software - the insecurities they "fix" are for component software bundles that aren't used by our users. E.g. IE7, calendar software, things that literally are not run.

      Besides, we already run them behind firewalls and port blockers. You can't even access most ports without a specific IP address we've unblocked. And even the ones that are non-specific are block ranges only viable for specific user accounts that aren't on those machines.

      --
      -- Tigger warning: This post may contain tiggers! --
  15. Here is a great little app for updating a pc by hairyfeet · · Score: 2, Interesting

    Appget. It is what I use when I need to update a pc someone has brought me in for repair. It will show the occasional false positive, for example, saying version 1.5 is newer than beta 2, but otherwise a quick and handy way to update a pc. One of the best things about it is you can make it better by submitting download links to software that isn't in the database. The more folks that use it the better it gets. And the developers are really nice about emailing replies and fixing bugs when you submit them. So if you need a free tool to quickly find out version numbers and update a pc's software, here you go.

    --
    ACs don't waste your time replying, your posts are never seen by me.
    1. Re:Here is a great little app for updating a pc by adolf · · Score: 1

      I've heard of appget before, so this question might have an answer which is obvious to some, but:

      What prevents me (or anyone else) from submitting bogus and/or malicious download links?

    2. Re:Here is a great little app for updating a pc by hairyfeet · · Score: 1
      The developers check out the download links submitted before adding them to appget. If you try out the program and submit a link, you'll see it takes an average of 48 hours for the new link to appear. I have submitted several and it always takes about 48-72 hours for my submissions to get added to the tree. It really is a great little piece of freeware if you need to quickly find out version numbers and install updates on an unknown pc. I've been using it for over a year now, without a bit of trouble, and no ads or spyware at all. Give it a try and I bet it'll be added to your toolkit cd too.


      Appget and Installrite are the two freeware Windows programs I simply can't live without. Appget allows me to quickly find the updates the pc needs, while installrite allows me to make easy to deploy automated install .exe files for the freeware I give to any customer whose pc I work on. If they don't have MS Office installed I give them Openoffice, if they desire multimedia playback I give them klite codec pack, and for pictures I give them Paint.net and the Gimp. And with installrite the installation is simply two clicks and I'm done.


      Give either or both a try and you won't be disappointed. And if anyone needs to know the steps to make an automated installkit with installrite feel free to email me, and if enough folks require the steps I'll post them here in my journal.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  16. I should be safe ... by WoodstockJeff · · Score: 2, Insightful

    ... Windows Update tells me that the only update I need is "Windows Genuine Advantage", which I don't want, anyway. No other updates needed, since Microsoft told me that WGA wasn't necessary to get security updates... just "new features".

    Yeah, right....

  17. You call them security updates by WillAffleckUW · · Score: 2, Insightful

    We in dual-boot land call them "driver downgrades".

    Just look at the "fixes" in MS Office 2003 in the last SP.

    Those removed the ability to open older spreadsheet formats we still have data stored in, so we had to roll them back.

    And most of the fixes were already done when we switched to the more secure Firefox as our default browser and got rid of all Outlook instances.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:You call them security updates by ribond · · Score: 1

      note that they just offered a fix to allow the older spreadsheet format to work after the update.

  18. You are happier with WSUS than I was by JimmytheGeek · · Score: 3, Interesting

    We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.

    It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.

    1. Re:You are happier with WSUS than I was by kellyb9 · · Score: 1

      It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.

      I doubt any company's products are "enterprise ready", Linux and Mac included.
    2. Re:You are happier with WSUS than I was by Drooling+Iguana · · Score: 1

      All they have to do is add an option to invert the polarity of the tetryon flow and reroute it through the main deflector dish. Then it'll be Enterprise ready.

      --
      ... I'm addicted to placebos
  19. 100 of every 100 Windows PCs miss security updates by gmuslera · · Score: 0, Flamebait

    ... at least if they are still running Windows.

  20. A free system level common update system is needed by Joe+The+Dragon · · Score: 2, Interesting

    MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built in updaters and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be setup to auto run in the background at system level. Also MS needs to let you get all of the updates from windows update using auto update. Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.

  21. Yeah I'm usually a day or two behind myself by davidwr · · Score: 1

    Most auto-update applications have something like this:

    Check for updates:

    *once a month
    *once a week
    *once a day
    *every time you run it

    OK the last item is missing from many applications. I bet most people run "unpatched" applications in the first hours after an update.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Yeah I'm usually a day or two behind myself by Anonymous Coward · · Score: 0

      Myself, I'm usually a couple weeks or a month or so behind on Windows XP updates. I do NOT let it auto update. Ever.

      I am most certainly NOT going to install the latest and greatest Microsoft patches on my system until many others have done so and not suffered ill effects.

  22. MS is partly at fault for this by Anonymous Coward · · Score: 2, Interesting

    This isn't entirely the fault of users. One of my major complaints about windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of windows updates.

    1. Re:MS is partly at fault for this by Shados · · Score: 1

      Updates that don't require reboot don't force you to reboot... I agree too many of em do, but it's been a heck of a long time since I had to reboot because of windows update...

      And personally, what I always do, is update, then just say "reboot later"

      You get a popup every 4 hours (I wish it could be pushed to more than that, but bleh), and then just turn my computer off at night.

      Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown". I don't remember if XP did this (maybe, but I didn't notice it until Vista), so you just postpone the update until the next shutdown, no big deal. I used to never reboot my machines, but after a while, and as computers started adding up, it started to hit my electricity bill, and in the summer it just gets too warm and I end up spending even more money on AC, so I stopped that.

    2. Re:MS is partly at fault for this by Heian-794 · · Score: 1

      Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown".

      This should have been implemented many years ago. My XP machine at work literally interrupts you every half hour to ask you if you want to restart now. You'd think that after three or four "no, not now" clicks, it would get the message. No one likes to have their work interrupted, and even if I have time to flip over to Slashdot and take a little break, that doesn't mean I have the luxury of closing all my open windows. Adding a third button with "do it when I shut down, and don't remind me again until then" would make security updates a lot more tolerable. Users might actually begin to see their usefulness instead of being annoyed all the time.

    3. Re:MS is partly at fault for this by toddestan · · Score: 1

      One of the nice things about Windows updates in XP is that you can have the system download them automatically, and then it will install them when you shut the computer down. I find it's pretty easy to keep up to date, just tell the computer to shut down at the end of the day and walk away from it. The next morning you'll have an up to date system.

  23. Re:Run Microsoft Update not windows update on wind by ucblockhead · · Score: 1

    That doesn't help much if the exploit targets Firefox or Adobe Reader or Photoshop or iTunes or...

    --
    The cake is a pie
  24. PEBKAC is you by SanityInAnarchy · · Score: 2, Interesting

    Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...

    There's nothing magical about WSUS.

    I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leave -- thus allowing you to upgrade the kernel.

    So you're right, it has nothing to do with what OSes are being run. But you're wrong to blame the users here -- many of them (rightly) feel that this should not be their job. I get to admin my own machines where I work, so keeping them up-to-date is my job -- and also my responsibility; there's no IT department to blame if something goes wrong. But in an organization which does have an IT department, even if it's a one-man IT department, keeping the system up to date should be IT's job.

    --
    Don't thank God, thank a doctor!
    1. Re:PEBKAC is you by fat_mike · · Score: 0, Flamebait

      Your IT department consists of you and your imaginary friend doesn't it. Eat me.

      Have you actually worked with real employees? My guess is no, and they probably would want to kick your ass if you did.

    2. Re:PEBKAC is you by weicco · · Score: 1

      I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update.

      The difference here, if I understand this correctly, is that in Linux, you have to run through every computer and add cron job by hand. In Windows, when you join corporate domain this all is done automatically. So WSUS/group policy saves user's and admin's time.

      --
      You don't know what you don't know.
    3. Re:PEBKAC is you by SanityInAnarchy · · Score: 1

      The difference here, if I understand this correctly, is that in Linux, you have to run through every computer and add cron job by hand.

      Except in Linux, just about any task you can do by hand, you can automate. There are many scripts for deploying configuration to a large number of Linux machines. (Directly -- the lingo is "push", not "pull".) Ruby On Rails seems to like Capistrano, though that's more designed around deploying a Rails app.

      But hey, you already control the repository, why not roll your own install disc? I know I could never admin a Windows domain without a custom (nLite'd) install disc, and/or a standard disk image to start from...

      Or if you wanted just one place to do it, add that cron job to the base install provided by your repository...

      In Windows, when you join corporate domain this all is done automatically.

      Wait, so on Linux, all I have to do is add the cron job and change the repository. On Windows, I have to join the corporate domain.

      Again, I've never done this on Windows, so I don't really know how long it takes to join the corporate domain, on each computer. On Linux, it would take me maybe five minutes per machine, including boot time.

      No matter what solution you adopt to deploy stuff, it's going to take some setup.

      --
      Don't thank God, thank a doctor!
    4. Re:PEBKAC is you by SanityInAnarchy · · Score: 1

      Your IT department consists of you and your imaginary friend doesn't it.

      Actually, just me, because, as I said, there is no IT department where I work. Everyone is responsible for their own machine. We can do this because there are five of us, and we're all developers.

      Have you actually worked with real employees? My guess is no

      Guess again.

      and they probably would want to kick your ass if you did.

      That depends on whether I get to set the policy.

      Well-run corporations will make their IT department the final word on what goes on a computer and what doesn't. Maybe the CEO can come in and demand that something be done, but users don't have that luxury. If they're on Windows, they are on the corporate domain, their auto-updates are enabled and cannot be disabled, and they will update from the internal company WSUS server, which means IT decides when, how, and to whom each update is applied.

      --
      Don't thank God, thank a doctor!
    5. Re:PEBKAC is you by weicco · · Score: 1

      But hey, you already control the repository, why not roll your own install disc?

      That's a good point. I didn't consider that. If there's just a way (some tool or something) to monitor if patches are installed correctly then it should work nicely.

      Again, I've never done this on Windows, so I don't really know how long it takes to join the corporate domain, on each computer.

      Well, you log in to your computer with domain account and that's it :)

      --
      You don't know what you don't know.
    6. Re:PEBKAC is you by SanityInAnarchy · · Score: 1

      If there's just a way (some tool or something) to monitor if patches are installed correctly then it should work nicely.

      Well, there are many tools that do various things... I'm honestly not sure about the best way to make sure each machine got its patches. I do know there are at least a couple of tools which are designed to mass-SSH the same command out to every machine, so you could always run a command on all running computers to ensure that they got the patch.

      But I think what's more likely is that you have a logging server somewhere, and you get flagged if a machine either stops logging or failed to install a patch. It seems a lot less likely that they'd miss the patch altogether.

      Another possibility is that you simply require machines to be shut down at the end of the day, and run some kind of aggressively caching FS, essentially turning them all into diskless machines. Then, you'd know that if one machine got the patch, all of them did.

      I will say this: There's unlikely to be a pre-packaged solution anywhere. At least, if there is, I don't know about it. But with a little shell-scripting glue, there's an absurd number of ways of doing this.

      Well, you log in to your computer with domain account and that's it :)

      That sounds incredibly insecure.

      I'd assumed it was something more like: Install Windows on computer, configure Windows to join your corporate domain, configure the domain controller to recognize that computer. Then it becomes easy.

      But unless I'm very much mistaken, there's still some initial step you have to take on each machine beyond just buying a beige box and plugging it in. And there is always going to be, regardless of the OS.

      Once it's set up, then you have that simple, central control.

      --
      Don't thank God, thank a doctor!
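
Added example, not part of any comment in this thread: a shell sketch of the "logging server" idea discussed above, where each host reports what a simulated `apt-get -s dist-upgrade` would still install and the server flags hosts that are silent, stale, or still missing security updates. The function names, the one-line report format, the host names, timestamps and package versions are all constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed data; names and report format are assumptions).
# Host side, e.g. from a daily cron job (assumed wiring, not from the thread):
#   apt-get -s dist-upgrade | make_report "$(hostname)" "$(date +%s)" | logger -t patchstate

# Read `apt-get -s dist-upgrade` output on stdin and print "<total> <security>":
# how many packages would be upgraded, and how many of those come from a
# "-security" pocket. Only "Inst" lines count; "Conf" lines repeat the package.
summarise_pending() {
    awk '
        $1 == "Inst" { total++; if ($0 ~ /-security/) sec++ }
        END { printf "%d %d\n", total, sec }
    '
}

# Build the report line a host sends: "<host> <epoch> <total> <security>".
# $1 = host name, $2 = epoch seconds; apt-get -s output arrives on stdin.
make_report() {
    printf '%s %s %s\n' "$1" "$2" "$(summarise_pending)"
}

# Server side. Report lines on stdin; $1 = now (epoch), $2 = max report age in
# seconds, $3 = space-separated inventory of hosts that are expected to report.
# Keeps the newest report per host and prints one line per problem host:
#   MISSING   never reported          STALE  newest report older than max age
#   UNPATCHED recent report, but security updates still pending
check_fleet() {
    awk -v now="$1" -v max="$2" -v inv="$3" '
        NF == 4 && (!($1 in last) || $2 + 0 >= last[$1]) {
            last[$1] = $2 + 0
            sec[$1]  = $4 + 0
        }
        END {
            n = split(inv, hosts, " ")
            for (i = 1; i <= n; i++) {
                h = hosts[i]
                if (!(h in last))              print h, "MISSING"
                else if (now - last[h] > max)  print h, "STALE"
                else if (sec[h] > 0)           print h, "UNPATCHED", sec[h]
            }
        }
    '
}

# Constructed sample of simulated-upgrade output (versions are made up).
sample_apt_output() {
    cat <<'EOF'
NOTE: This is only a simulation!
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst curl [7.81.0-1ubuntu1.13] (7.81.0-1ubuntu1.14 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Conf curl (7.81.0-1ubuntu1.14 Ubuntu:22.04/jammy-updates [amd64])
EOF
}

# Constructed sample of what the log server has collected.
sample_reports() {
    cat <<'EOF'
desk7 1700000000 9 4
web1 1700080000 0 0
db1 1700000000 3 2
desk7 1700085000 5 2
EOF
}

# Demo on the constructed data: lab3 never reported, db1 is more than a day
# behind, desk7 reported recently but still has security updates pending.
sample_reports | check_fleet 1700090000 86400 "web1 db1 desk7 lab3"
```

A host that reports zero pending updates is only as trustworthy as its repository configuration, so the inventory check (MISSING and STALE) matters as much as the UNPATCHED count.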
    7. Re:PEBKAC is you by Architect_sasyr · · Score: 1

      You have to add each Windows computer to the domain initially though, it's not quite the same but still.

      To cover a few of the other posts in response (in case anyone's going to read this) I work IT across 8 or so companies, and I'm the third or fourth to come in. The problem is that the other two "IT" guys are still here, one is an ex-programmer and the other is an ex-media-designer. Neither should ever have been a sysadmin, but due to office politics I have to deal with letting them run around doing things on their own. To give you an idea of this I noticed a couple of printers in one area recently all running entirely off the DHCP-failed range (169. all the rest which has escaped me).

      Also, I'm not blaming my users any more than I blame myself. The only reason those Linux boxes get updated is BECAUSE I get in there to fix them up, it is one thing to say 'keep your own systems up to date' but these monkeys are on my network, and go out my gateway, so if I don't keep on top of them I have to deal with spam real-time black hole lists and all the rest. Hope this covers a bit of the issues.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
  25. And Adobe update, and Java update, and Software... by SanityInAnarchy · · Score: 1

    And what will update my video drivers?

    Oh, whoops -- nvidia doesn't have ANY automatic update.

    So yes, Microsoft Update is a start, but until it's just a generic Update feature which all apps can hook into, it's pretty useless for keeping the whole system up-to-date.

    --
    Don't thank God, thank a doctor!
  26. So what you're saying is... by SanityInAnarchy · · Score: 1

    Ripping off Sudo was a good start, but they really need to learn some lessons from Linux package managers.

    OS X has the same problem, by the way. Linux distros are really the only place you see a system-wide package manager.

    --
    Don't thank God, thank a doctor!
  27. Not scientific and potentially biased by ClosedSource · · Score: 1

    The report from Secunia is based on their users' PCs and thus is not statistically valid (has there ever been a statistically valid survey reported on Slashdot?). In addition, they have a vested interest in reporting a high number in order to promote their non-free version.

  28. Pirates? by __aaqvdr516 · · Score: 2, Interesting

    I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?

  29. ObligFilmRef by secretwhistle · · Score: 1

    Well, I wouldn't say I've been "missing" them.

  30. They don't miss them. by feepness · · Score: 1

    They don't even know they are there...

  31. Actually, flawed software by NetDanzr · · Score: 1

    I run Secunia's PSI, and I noticed a few flaws, which pretty much catch anybody. For example, it lists seven instances of Sun Java JRE on my computer, three instances of Adobe Flash and two instances of Adobe Reader. On top of it, it lists several instances of Macromedia Flash as "End of life" software. Obviously, all of those listed have been upgraded to recent versions, but the older versions either weren't properly removed by the upgrade, or Secunia never updated its database on my computer. Be it as it is, if you run a Windows PC and have Flash or Java installed, your computer will fall under the 95% of insecure computers regardless whether you update or not.

    1. Re:Actually, flawed software by initdeep · · Score: 1

      if you have flash or java installed on Linux or Mac OSX you will also fall into this category.
      The security vulnerabilities of a particular program do not always link to the specific operating system used.

      There have been many instances of security vulnerabilities in Java, Flash, Firefox, etc which are non-OS specific, so please do not try to make this seem a "Windoze" only problem.

      I myself have at least three linux machines which are probably "out-of-date" for at least one item. The real question is, is that item being used by the system and is it accessible to the outside world? Not is it, by itself, a "security problem".

  32. False dichotomy by BeanThere · · Score: 1

    It's about BOTH. Pretending it's only about one or the other is an attempt to purport that the quality of Windows does not even enter into the equation and thus that the quality of all OS's is effectively equivalent. This is obviously false, the crappy quality of Windows most DEFINITELY has a lot to do with it too (and this is why the parent was also rightfully modded flamebait).

  33. Re:A free system level common update system is nee by Anonymous Coward · · Score: 0
    I agree with your comment, but I don't understand this part:

    Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.

    I know Windows Update can be run using "Run as..." in Windows 2000 because I just tried it. (3 high-priority updates. Thanks for reminding me.) However, some low-level updates cannot be installed successfully unless the user is logged-in as an Administrator. Is that what you meant?

    Click the "Start" button, Shift-right-click the Windows Update icon, select "Run as...". Alternately, start Internet Explorer as Administrator (Shift-right-click) and run Windows Update from the "Tools" menu.

  34. Re:A free system level common update system is nee by Joe+The+Dragon · · Score: 1

    First you should be running Microsoft Update and you need to be admin for it to fully work. They must have changed windows update / Microsoft Update to somewhat work with runas; in the past you got the admins only page / updates failing to install.

  35. Re:A free system level common update system is nee by Anonymous Coward · · Score: 0
    Good idea in theory, but oh and then games like Neverwinter nights (or was it knights of the old republic?) can send you an update which causes your game not to load again, since you have to have the CD in the drive, and the "copy protection" (which has been "upgraded") only works on certain brands of CD-ROM drives running at certain speeds. Yeah, like I would trust games publishers not to do that, thinking we are living in the 1980s and all using Commodore 1541 disc drives.

    If you buy a game for PS2 or Gamecube at least you know it will run the next time you try to play it (I'm not sure about Wii/PS360 though).

    And people like Adobe keep "upgrading" their licenses.

  36. Well Bob... by Boydacus · · Score: 1

    I wouldn't really say I've been missing my updates...

  37. update you fools! by Anonymous Coward · · Score: 0

    keep your NSA KEY and remote exploits up-to-date!

    Be sure and keep your diary on the same partition as your porn so chair thrower can masturbate while reading your adventures in loser land while wearing SUSE lizard pajamas and fondling Silverlight within Runescape.

  38. damned if you do damned if you don't by davidwr · · Score: 1

    Security updates are a damned if you do, damned if you don't situation.

    Would you rather have the poison of known-broken code with a known exploit, or the possibly-good-possibly-fatal-poison of the latest patch?

    For servers and users who run a predictable workload with a predictable exposure profile, "known code" is frequently the safer option. For users who surf the web randomly using IE with possibly-buggy firewalls and likely-incomplete virus protection, and who could trip over the next "MS just patched this hole" bug the day after Patch Tuesday, keeping updated may be worth the risk.

    In either case, back up early and back up often.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  39. Re:A free system level common update system is nee by initdeep · · Score: 1

    So Microsoft should be responsible for all the updates for every POS crapware and trialware and Bonzi Buddy program out there? And they should provide this for free to every person who wants to include their updates in the program? And none of these "altruistic programmers" would EVER try to sneak their potential spyware updates into the program at all, would they?
    And no one would blame Microsoft if they did provide this and somehow, someone installed spyware on every machine that used the program.

    Yeah, that makes perfect sense....

  40. There is no compelling reason to update constantly by director_mr · · Score: 1

    I am an IT person who constantly updates the operating system and software at work. I know another IT person who almost never updates the operating system at his work. He has fewer stability problems than I have to deal with. So go figure. Perhaps some places have the thought process of "if it ain't broke, don't fix it."

    At home I never update my computer or my software. I have Adobe Photoshop CS3 and Windows XP Service Pack 2. I never go to any websites except ones I trust, I only run programs I have purchased, and I only open email attachments that I trust. I've never had an issue. If I ever do, I'll just restore the info I don't want to lose from backup. Although I can't take this approach at work, I guarantee I have saved labor hours at home by taking this approach.

  41. Broken Trust Broken OS by fox1324 · · Score: 1

    For me, it's about trust. Microsoft has abused its position with respect to updates, and after that (widely discussed) silent, forced update went out a few weeks ago, I'm turned off MS forever. (Not that I ever DL'd them before that.)

    I'll secure my operating system by keeping it behind a good, configured firewall, not using IE for ANYTHING EVER (EVER!), and not visiting shady sites and opening spam. This is far from "secure", but it's a passable system for a user who knows about computers and realizes what s/he is clicking on. In addition, these solutions can be applied to any operating system, not just Windows. To be fair, my personal laptop is running Win2000 though, and I use XP SP2 at work, where updates are forced by group policy.

  42. Re:So yes, Windows needs a proper package manager. by Anonymous Coward · · Score: 0

    I'd say I know something similar to a package manager for Windows...

    It's Valve Software's Steam... OK, nowadays it's predominantly used to distribute games, but who says it couldn't provide other kinds of applications? I know it's not perfect - you cannot choose mirrors, and only god (or some admin at Valve) knows what info it sends home, but it's something that does exactly this kind of job - it keeps a list of apps (games) installed on your machine, provides you with info on updates (and related products of course ;) ) and allows you to update the apps you want when you want...

    just a thought...

  43. I like Steam, but... by SanityInAnarchy · · Score: 1

    First of all, Steam has no provision for third-party stuff, other than signing a deal with Valve. This makes it about as useless as Microsoft update, or Apple's Software Update.

    But there are a number of things I can't do with Steam that I can do with real package managers:

    • Dependencies. If this is done at all, it's entirely hidden from the user.
    • Reverse dependencies. Uninstall an app, and all its dependencies (which aren't needed by other things) are uninstalled also.
    • Hold an app to a version. With Steam, if an app has been updated, you have to install the update in order to launch the app.
    • Scriptability. Steam updates when it wants, or you update it through a GUI. I can have automatic updates happen every Friday at 2 AM, except Friday the 13th, if I really wanted to.
    • Custom repositories. I can use any decent package manager to update my own software, or I can hook up to some third-party repository... Wouldn't it be cool if free mods like Natural Selection could be updated via Steam? I think so.
    • Caching/proxying/WSUS-style.

    I could go on... Most of these seem pretty minor, though, aside from the fact that Steam is yet another proprietary auto-update mechanism, and thus only works with Steam games. So now I need Microsoft Update and Adobe Update and Sun Update and Firefox Update and Software Update and Steam Update, too.

    So, really not a solution until it actually starts replacing the other auto-update mechanisms.

    --
    Don't thank God, thank a doctor!