95 Of Every 100 Windows PCs Miss Security Updates
An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here."
Well shit! This would explain all that stuff about Windows and viruses I keep hearing about....
"Be light, stinging, insolent and melancholy"
So the point isn't about Windows... the point is about users.
This isn't really surprising, given that most people treat computers like just another appliance. Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than, say, Ubuntu.
...just the legit licensed ones they're talking about, or *all* Windows PCs?
I am not too surprised. I would think this is constant: 95 out of 100 Linux boxes are missing security updates, 95 out of 100 Macs are missing security updates.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
When I look at people's computers these days they have heaps of different software popping up asking for updates; it's got to a point where people ignore it, because it's much too common.
The thing that annoys me most about update alerts is they never give you a reason why the software should be updated. It would be nice if they would give you a link or a summary of simple reasons why you need to actually update their free crapware.
Java and Adobe products are probably the worst with this.
They're looking at EVERY piece of software installed on the computer, not the OS itself. They're doing this along with a very generous definition of "security update" to come up with hugely inflated numbers so they can better scare the clueless into buying their services.
Anybody who is remotely worried about security is probably not going to download a tool that reports your security status to another organization.
Run Microsoft Update, not Windows Update, on Windows systems to get all of the Windows base OS + other APIs and runtimes + Office updates.
Many people have a bad impression of updates. They know for sure that updates slow down the computer and they know for sure that updates have previously broken things. So you have a choice: 1. Install something that will degrade your computer (possibly making parts of it unusable) or 2. Don't install it and just hope that you don't open a bad email or something; after all, practically speaking, viruses and trojans are quite rare.
With all the pre-installed trials and other crapware that comes with home computers it is likely that many of these unpatched applications are ones that are not really at risk since they are never used. I see this even at work, where we run regular vulnerability scans. You tell a user that they need to update and get told that they haven't used said product in .
I really think this is one case where user education should be considered more important.
There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, and less understood. There will be a bigger gap between the frequency required for driving under "normal" conditions and "severe".
There are similar conditions with software updates. Sometimes patches should be applied immediately, sometimes they can be put off longer. One thing is for sure, they will always be necessary, at least in the foreseeable future. In both cases, higher frequency is always better. Wouldn't an optimal solution be that both processes are as cheap, fast, and painless as possible, enabling them to be done very frequently? Imagine if an oil change was as painless as getting your car washed at the gas station is, or just an extra button to press at the pump. Now, given the price of oil, that might not be feasible in the absence of some kind of cheap oil recondition/reuse process. Still, it's a better solution than merely lengthening the frequency.
I'd say your "Smaller updates" and "Less user intervention" should be among the highest priorities, along with anything else that can make patching both as trivial and frequent as possible. Not only that, but if user intervention is required at all, the importance of the patches needs to be made clear. Patches fixing remotely exploitable bugs should be made VERY clear, in bright red colors or something, not mixed in casually with other patches like it's no big deal. Part of the problem now is that most users don't know WTF the severity of "Windows Updates" or "Software Updates" is. Neither of those sound very important, do they? Maybe somewhere in the details of WU patch installation, the word "security" or "critical" is mentioned (can't remember, staying on the safe side), and Apple's Software Updates sometimes lists "Security Update" items. Those are not enough to convey the importance of applying patches as promptly as possible.
Appget. It is what I use when I need to update a pc someone has brought me in for repair. It will show the occasional false positive, for example, saying version 1.5 is newer than beta 2, but otherwise a quick and handy way to update a pc. One of the best things about it is you can make it better by submitting download links to software that isn't in the database. The more folks that use it the better it gets. And the developers are really nice about emailing replies and fixing bugs when you submit them. So if you need a free tool to quickly find out version numbers and update a pc's software, here you go.
ACs don't waste your time replying, your posts are never seen by me.
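The comment above describes two things a patch-status scanner has to get right: comparing an installed version against the latest known one without tripping over pre-release tags (the "1.5 is newer than beta 2" false positive), and then counting outdated applications per machine the way the Secunia figures in the summary are expressed (at least one outdated app; 11 or more). The following is an added example written for this page; it is not Appget's, Secunia PSI's, or any poster's code. The application names, version strings, and the "latest version" catalog are constructed stand-ins for a real vendor database.

```python
"""Count unpatched applications per host from a software inventory (added example)."""
import re

# Pre-release ordering: alpha < beta < rc < final release.
_PRE_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_FINAL = 3

# Accepts '1.5', '1.5.0.10', 'v2.0', '2.0 beta 2', '2.0b2', '2.0-rc1'.
# A bare tag such as 'beta 2' has no numeric part and is rejected rather than guessed.
_VERSION_RE = re.compile(
    r"^v?(?P<num>\d+(?:\.\d+)*)"
    r"(?:[-_ .]?(?P<tag>alpha|beta|rc|a|b)[-_ .]?(?P<pre>\d*))?$"
)


def parse_version(text):
    """Turn a version string into a comparable (numbers, pre_release) tuple.

    Trailing zeros are dropped so that 1.5 == 1.5.0, and a final release
    ranks above any alpha/beta/rc of the same number, while a beta of 2.0
    still ranks above the 1.5 release.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group("num").split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    tag = m.group("tag")
    pre = (_FINAL, 0) if tag is None else (_PRE_RANK[tag], int(m.group("pre") or 0))
    return (tuple(nums), pre)


def is_outdated(installed, latest):
    """True only if the installed version is strictly older than the latest known one."""
    return parse_version(installed) < parse_version(latest)


def count_outdated(inventory, latest):
    """Map each host to the number of installed apps older than the catalog version.

    Apps absent from the catalog are skipped: no data means no claim either way.
    """
    return {
        host: sum(1 for app, ver in apps.items()
                  if app in latest and is_outdated(ver, latest[app]))
        for host, apps in inventory.items()
    }


def summarise(counts, many=11):
    """Share of hosts with >= 1 outdated app and with >= `many` (11 in the article)."""
    n = len(counts)
    return {
        "hosts": n,
        "any_outdated": sum(1 for c in counts.values() if c >= 1) / n,
        "many_outdated": sum(1 for c in counts.values() if c >= many) / n,
    }


# Constructed catalog of "current" versions; made-up names, not real vendor data.
LATEST = {
    "runtime-a": "1.6",
    "reader-b": "8.1.2",
    "player-c": "10.0",
    "archiver-d": "3.9",
    "messenger-e": "2.0",
}

# Constructed inventory of four hosts, including pre-release and unknown apps.
INVENTORY = {
    "pc-01": {"runtime-a": "1.5", "reader-b": "8.1.2", "player-c": "9.0.47", "archiver-d": "3.9"},
    "pc-02": {"runtime-a": "1.6", "reader-b": "8.1.2", "player-c": "10.0", "archiver-d": "3.9.0"},
    "pc-03": {"runtime-a": "1.4.2", "reader-b": "7.0", "player-c": "9.0", "archiver-d": "3.8",
              "messenger-e": "2.0 beta 2"},
    "pc-04": {"runtime-a": "1.6", "reader-b": "8.1.1", "player-c": "10.0",
              "messenger-e": "2.0-rc1", "unknown-f": "0.1"},
}

if __name__ == "__main__":
    counts = count_outdated(INVENTORY, LATEST)
    for host, n in sorted(counts.items()):
        print(f"{host}: {n} outdated application(s)")
    print(summarise(counts))
```

The comparator is deliberately strict: a version it cannot parse raises instead of being silently treated as "older", because a scanner that guesses produces exactly the kind of false positive the comment describes, and a false "up to date" is worse.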
... Windows Update tells me that the only update I need is "Windows Genuine Advantage", which I don't want, anyway. No other updates needed, since Microsoft told me that WGA wasn't necessary to get security updates... just "new features".
Yeah, right....
We in dual-boot land call them "driver downgrades".
Just look at the "fixes" in MS Office 2003 in the last SP.
Those removed the ability to open older spreadsheet formats we still have data stored in, so we had to roll them back.
And most of the fixes were already done when we switched to the more secure Firefox as our default browser and got rid of all Outlook instances.
-- Tigger warning: This post may contain tiggers! --
We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.
It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.
MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system, or even let it be set up to auto-run in the background at system level. Also, MS needs to let you get all of the updates from Windows Update using Automatic Updates. Runas does not work for Windows Update in Windows XP and 2000, and you need to run that to get the optional updates.
This isn't entirely the fault of users. One of my major complaints about windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of windows updates.
Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...
There's nothing magical about WSUS.
I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leave -- thus allowing you to upgrade the kernel.
So you're right, it has nothing to do with what OSes are being run. But you're wrong to blame the users here -- many of them (rightly) feel that this should not be their job. I get to admin my own machines where I work, so keeping them up-to-date is my job -- and also my responsibility; there's no IT department to blame if something goes wrong. But in an organization which does have an IT department, even if it's a one-man IT department, keeping the system up to date should be IT's job.
Don't thank God, thank a doctor!
I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?