More Than Half of PC Applications Installed Worldwide Are Out-of-Date (helpnetsecurity.com)
Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report: The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated data from 163 million devices across the globe, also found that Windows 10 is now installed on 40% of all PCs globally, which is fast approaching the 43% share held by Windows 7. However, 15% of all Windows 7 users and 9% of all Windows 10 users worldwide are running older and no longer supported versions of their product, for example, the Windows 7 Release to Manufacturing version from 2009 or the Windows 10 Spring Creators Update from early 2017.
Half the time the upgrade doesn't add any value for the user, so why upgrade? VLC is a great example, it pretty much just works and the updates only add support for very obscure stuff that most users don't care about.
The real problem is that security fixes are not well communicated, and are sometimes abused as a way to get users to take user-hostile changes.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
As far as I know (feel free to correct my ignorance) Adobe Shockwave is for online games which I don't bother with, I only use VLC for DVDs since Windows refuses a proper media player and I don't use Skype. If these programs are running in a vulnerable manner (excluding VLC, which is not set to auto run), seems like Windows is more responsible since I never asked for them to run...
Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report:
The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%).
There are a lot of applications that the newer versions are considerably worse. It's funny that they mention Skype. It worked much better and was more intuitive 10 years ago in comparison to what is currently available.
I'm surprised that Shockwave is on the list. I didn't know that it was still in use.
Software nowadays seems to want to update every 6 hours.
This is not surprising and prolly the reason for stuff like this.
People should make stuff that doesn't require that many updates.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
That's way too recent to be unsupported.
-enabled more ads
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
There was a time stable software was a standard, not a luxury. Now, the definition of stable is whatever the software maker decides at that point in time. This doesn't make sense. The user is the one with his requirements in mind. That's what makes people buy some piece of software and expect a life-long license. That's also why cloud apps are cheaper and have a time-frame. The real problem comes when the two worlds mix: you buy a piece of software that is offline only but is a time bomb, with expiring license and basically stopping because the local clock got past a point or the remote clock from the authentication server did. Or the opposite, when you purchase an Office 365 cloud license but have access to a download of the offline suite which will only work for as long as your remote account hasn't expired.
ain't broke, don't fix it
Compression tools.
I'm not kidding here. Most of the things listed in the report usually come with auto-update features that you have to deliberately disable or cancel. Compression tools like WinRar or 7zip get installed once and never get touched again. Ever. Unfortunately, due to the nature of what they do, they can very easily be exploited to run arbitrary malware code if the decompression algorithm is poorly implemented.
Keep your compression tools updated!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Like it or not, XP is not going away soon. It is too useful for many purposes and still has over 10% market share in China. If software arbitrarily drops support for XP then older versions will stay in use. There is still significant amount of users on Chrome 49 and Firefox 52 since they support XP. Just because Microsoft doesn't support it doesn't have to mean that open source software needs to. XP forever!
I run Office 2003 on all my home machines, first because it's good enough. And because I have a valid multi user license. And because Microsoft somehow gave it compatibility updates. And, lastly, because LibreOffice would be my replacement.
Flash and Shockwave I avoid, so those usually are disabled or uninstalled. Problems solved.
And my Surface Pro 3 is in the Windows Insider Program, so I get a lot of updates, back up my data obsessively, and have updates scheduled. So far so good.
Truly, word processing hasn't advanced much since Word 6.0 and Quark, unless you hang on features like formatting preview and dynamic content, and since paper is out of favor, these now make sense. In the day of printing, there were a lot of features not useful to production environments.
But hey, I missed Minesweeper so much I went and found it.
deleting the extra space after periods so i can stay relevant, yeah.
Turn off Windows data collection, which is meant to have been an opt-in. Remove the spyware anti-malware programs and purchase a two-way firewall. These anti-malware and antivirus programs are so nosy that they are worse than the malware itself. Use the Emsisoft Emergency Kit once every six months if you enjoy browsing the World Wide Web. Most software updates are not updates at all; they are add-ons, and there will always be more add-ons because they are selling a product.
Because coders can't stop coding. Quit adding shit for the sake of adding it. You're done, stop, move on to another project. At some point your project has evolved to a pinnacle and anything you do from there on detracts from it.
Only the State obtains its revenue by coercion. - Murray Rothbard
Purposefully using an older 7.40 version of Skype while I can, because the newest version is a bloated, buggy piece of crap.
That's one of the reasons I prefer Linux. Most major distributions have some kind of package manager that takes the burden of checking every application for updates from me. Just one command/click and every program is updated to the latest version. It can't get much easier than that. And if you are lazy and don't care you can let your distro even do the updates silently in the background.
I saw the /. article on the release of VLC 3.0.6. So I loaded vlc on my computer (windows 10, 64 bit, vlc version 3.0.4)
vlc is set to check for updates on startup. It didn't say there was a new version.
I manually checked the version, still 3.0.4. I manually told vlc to check for a new version. It told me repeatedly that I had the latest version.
I manually downloaded and installed 3.0.6
So I suspect their auto update system is broken.
As others have mentioned a lot of newer versions of apps remove features or rearrange the UI just to seem fresh but that's annoying to the user.
Besides that, on Windows a lot of apps seem to install a companion app just to check for updates, a lot of the time this gets disabled because it adds clutter to the taskbar and adds to startup time, not to mention triggering annoying popups if it can't reach the internet or if they need you to agree to new terms.
During Windows installers people see a checkbox for that and disable it automatically because they're usually trying to shoehorn some adware or promotional app, or take over file associations or sign you up for something you don't want. So people just disable these.
I moved away from Windows because of these hassles and now I have a central updating service for everything on my system. I understand Windows Store can do this, but not all apps are on the Windows Store because of certain restrictions and other criteria that leaves out the app you may want, or because the third party has their own storefront service/launcher they want you to use, and some people want to avoid it altogether because of the experience.
It seems like a hassle to deal with all of this when you just want to accomplish things in a straightforward way, especially if you are an end user who gets anxious when they are presented with a dialog box with options like many non-techies who will just see that and immediately call the local nerd.
Twinstiq, game news
Is there a "use before" data on digital patterns?
"Man I love this app. The way it handles and does everything I want. The way everything hangs together in a logical..."
"WTF? Why did they completely change the UI?"
As a Windows user, OS and app updates are a PITA. Popular Linux distros are much better in this regard.
If it was just 1 or 2 programs that need regular updating, for whatever reason, people would be more inclined to do them. The problem is that there are so many programs that need regular updating, people just can't be bothered.
If more programs allowed you to enable automatic updating in the background like the way Chrome does (that is, seamlessly in the background) I think more people would enable that method. I know I would. And if you don't like it, just don't enable it. There are a lot of apps I'd be fine with background auto-update.
"If you like your feature you can keep it"
I think in the consumer software space there is very real conflict between security updates and functional requirements.
Users chose software because it did something they wanted to do. The home computer is not purely entertainment for a lot of people. Many of them actually do care that they can create the weekly mailer, exchange very documents with people in their only hobby group - which could range from pictures to CAD drawings and 3d printing instructions.
The trouble is these days installing that update could do any number of things. Maybe a feature you used is outright dropped or is only available in the paid "pro" version now; requires an active internet connection when it did not before etc etc. Maybe it just works and looks different and learning some new work flow or rebuilding all your scripts and macros just isn't something you want to do this month. If the changes don't work for you, too bad; no security fixes then. Also if you only have one system and don't know other people doing exactly what you are doing often it's a mystery as to what version next will bring. Again if it's a process that is critical to you, can you risk updating?
At least before critical system components like Windows itself could be pretty well depended on not to push major user visible changes or changes likely to break other applications and API functions in updates. Increasingly this too is changing and it's no surprise people respond by not updating.
What does MS do in response? Make it more and more difficult to turn off auto updates; yes I suppose it keeps people on the update train a little longer but it does nothing to build confidence. Increasingly it drives them to other platforms which they will then not install updates on with or without justification.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Adobe don't seem to understand this. I've been using Lightroom 6 for 3.5 years, and now they've broken one of its key modules (Adobe apologists blame one of their vendors). I took a look at the latest Lightroom Classic CC (v8.1) and I really can't see the benefit: native support for HEIC (I'd already worked around that), a dehaze filter that doesn't seem to do anything I couldn't do with contrast and clarity, autosettings that cause more work because they over compress contrast and pump the colour saturation making photos look like over processed iPhone HDR photos, and all the issues that annoyed me with LR6 still annoy me in the latest version. And the cost... 3.5 years of LR Classic CC is 7x the price of LR6, and increasing, and if you don't want to pay, you lose all editing functionality. What a con.
BTW, you mentioned Office 365. I'm still using Office 2011 on my Mac at home, and I really can't see any benefits over it in the Office 365 at work. Microsoft managed to break moving messages between folders before Christmas for my work G-Suite account. Forced me to switch to Mail.app. Support couldn't offer any rollback options to something that worked for me. I did try to switch to IMAP, but this took four days to download my mail and 3x the SSD space. The latest update this month seems to find Outlook stuck on high CPU, and kernel_task and Window Server getting stuck on high CPU. Useless.
... the updates did not add data collection. One application I am using requires me to install google analytics when I upgrade the application. So I stopped upgrading it. Then there is Windows 10, if I upgrade to Windows 10, I turn my PC into a Microsoft data collection machine. If you want to know a reason why some do not upgrade, ask the software providers who put egregious data collection into their upgrades.
Providers of computing "platforms" will use this as a reason to require all software developers to distribute their work via an app store - and giving the app store provider a cut of the proceeds.
None of these people are your friends. The only person responsible for your security is you.
There's a HUGE difference between "needs update" and "needs MEANINGFUL update".
I don't know of a metric that would measure that, unless perhaps you measured the size of the update vs installed size of the program?
I know this wouldn't be perfect, but I'd guess in general critical updates would be more sizable than trivial "this button doesn't look right when clicked" updates.
-Styopa
...from my cold dead hands!
I have my "work" computer. It has restricted access to programs. So I can't run upgrades on anything on it. That's all managed by IT. So if something is out-of-date, it's because IT hasn't rolled out the upgrade or patch for that software (usually planned and done on a specific weekend).
I have my "home" computer. I'm now middle-aged with a family, and responsibilities. I turn my home computer on rarely, because at the end of the work day, I'm tired and I don't want to mess on a computer anymore. EVERYTHING wants an upgrade whenever I turn my computer on. Windows, every software I use, everything. And it's not just one patch, it's around 10. I dread turning my home computer on because it takes longer to patch and upgrade everything than to actually use the home computer for what I want to use it for. It's ridiculous.
I use my phone for more computing tasks than anything. It just works.
I am in IT Security and I know the risks. I also view all CVE released daily. I know what I am doing. But there is only so much time in the day to manage your own software. If you had a company managing all things installed on your desktops (or laptops) and took away the rights of users to install their own software, then hell yeah I blame them when they have the tools to manage it. But for my home machines? I know Putty, VLC, and libreoffice are out of date. Those are the only three applications I have installed on my laptop outside of the OS and Firefox. Why? I use them infrequently and I don't spend the time to check them every time I login to the machine. I just want it to work.
The final thing actually is windows 10 has made it worse for me. I used to keep my machines running 24x7. Now due to how the updates are deployed, and being unable to kill the reboots, etc. I shut them off so they don't reboot on me at random times. I never know when an update is coming (yes I know about patch Tuesday, but MS releases so many damn out of cycle patches, it is not the only time you get patches). So my machines are not running, thus no software to worry about, limiting risk.
Finally - there is no single update mechanism like many Linux distros. Each one has some crappy software, always running and taking resources, just to update. Why does an update daemon (process) take 56Mb of memory? I used to run an entire OS and its app on that much memory. That is now the updater process for java which always runs? Have a dozen of those crappy things running and your machine crawls.
Not long ago, Steam made me update Civilization V. Not to make it better, not to fix security holes, but to force a new bloated interface so the makers of the Civilization series could show me ads for some Civ 6 DLC. That's all. Fallout 4 still gets updates that are mostly worthless ways of new monetization angles rather than actually improving the game.
That's just two examples of why I would have never updated that software if it had not been forced on me. I'll update more software when it's proven that patching security holes is more important than bloaty worthless patches.
Most of these postings are bots ;-)
Security updates do not normally come through commonly used programs. What you do get from these commonly used programs are updates and in the process of updating they collect information about the use of the program.
Let us take a standard Windows program for example: MAGIX Movie Edit Pro would be used by a Windows user to make videos. MAGIX https://en.wikipedia.org/wiki/... would put itself in Control Panel\All Control Panel Items\Administrative Tools System Configuration to run automatically every time Windows was started up. It would also set to run services C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools Component Services %windir%\system32\comexp.msc
The so-called update will swap information and that information will be about the way you work with that program, and to get you to update these little updates will be to give you a little gift (a special effect ) you can apply to your video.
You have not really received an update you have given a company information about the way you are working with that program and they have given you a sweetie.
Eventually they will have enough information about the users use of that program that the updates will suddenly stop and you will get a pop-up message telling you about the newer version of the product which you can purchase.
That is how updates work on a Windows system. Security updates are a totally different story; most users will never get a security update for a program that runs on Windows unless a well-known exploit is known about.
So update programs that run on Windows virtually never give you a security update they give you a sweetie in exchange for information.
A Linux desktop update manager will often offer you updates to programs you do not actually have on your system. A Linux desktop system is not a superior system it is a big blob that sits on top of Linux, All Linux desktops collect information the only system that offers you to opt out of data collection when being installed is Debian, programmers want to know how you are using their programs so they can program their programs better to suit the people who are using them.
I can't wait to see what new ads they will blast me with and what plug-ins they will automatically install.
“Common sense is not so common.” — Voltaire
Here is a (partial) list of why people don't upgrade:
- Don't fix what isn't broken. The old version is KNOWN to work, the new one is a GAMBLE. /s Because Microsoft has such a good track of updates not breaking -- oh wait, they don't!
- Hate having to schedule time for updates
- Telemetry bullshit
- New version is not compatible with old version files
- New UI is crap
- Useful features removed
- Cost of new version is prohibitive
- New version holds you hostage -- if you don't pay the rental tax it stops working
- Can't run the old version along side the new version to test what changed
- No ability to "downgrade" to the previous version if you run into issues with the new version
- Installer fucks up
- New installer has malware and/or ads or hijacks the browser.
- No solution for upgrade issues
- No perceived value with a patch that only has security fixes. "They don't affect me."
- Distrust of a patch that was "only" supposed to address security issues -- yet breaks functionality.
- Updates don't respect MY time for when is a good time to update
- New version doesn't work on your older OS -- such as Microsoft's bullshit of not releasing DX12 for Windows 7
- Forced updates which means downtime.
- Auto updates are broken
- Patch notes don't list WHAT has changed. MS has a shitty habit of this.
When I installed Gimp 2.8 it blew away my working 2.6 versions on OSX. I then had to track down why Export wasn't working AT ALL. Turns out it was a problem with one of the python scripts IIRC. There is no way in hell a normal user would have been able to track down what the cause was.
I also ran into this recently when I upgraded to the latest Inkscape 0.9x.
I did an upgrade but all the menu icons were missing. Had to uninstall and reinstall to fix.
Once I got the new version working I noticed the default units got changed from 90px/inch to 96px/inch. Now whenever I open old files I have to manually verify they didn't get fucked up.
Upgrades aren't cheap -- both from a Time and Money factor.
The old version may have a fixed cost; the new version may nickel and dime you -- worse it holds you hostage. If you stop paying the monthly rental tax it stops working.
Users have learnt to distrust upgrades. They almost never work out-of-the-box. This means wasting even MORE time.
There are only 2 main reasons to update:
- New features
- Security fixes
When the risk:reward ratio is analyzed it isn't always cut and dry.
Is it any wonder people don't trust new versions?
I'm surprised it isn't higher.
I got off the bandwagon when the yearly updates started rolling out.
Every single one broke or changed something in my workflow. That's not a decision I made, that's just something Apple decided to go off and do- because apparently things that don't change enough these days are considered "out and outdated", for some dumb fucking reason.
So I stayed on 10.8.5, running on my trusty Classic Mac Pro from 2010.
I've had to replace two fans and a disk drive in this system so far. It's gotten a bit long in the tooth for internet stuff, so I've got a smaller Lenovo laptop sitting next to my workstation that I use for any website that demands it (incidentally, the only websites that don't seem to work are the ones I hate dealing with anyways- usually because they're loaded to the gills with enough javascript to bring my Lenovo to its knees regardless). Everything else on the Mac Pro has remained the same. I use an older version of my 3D software (the new versions have nothing I want or need), I'm still on a permanent license for Adobe CS6 (none of that cloud bullshit), my iPhone is still running iOS 7 (all I use it for are phone calls and the occasional Maps thing), etc, etc.
To be honest, life got a lot less stressful when I realized I could just stop worrying about having the latest greatest thing.
Are there applications I'd like to run that I can't?
Sure, there's a few, but they're not requirements for doing my job. My next computer will likely be another dual Xeon system that's a few generations out of date, namely so that it can run Windows 7 instead, and I'll just switch to that- which, compared to Mac OS X 10.8.5 is still a huge update and almost everything new (at least, in a professional sense) is guaranteed to run on that. When that'll happen, I don't really know- it might be well after Windows 7 is EOL, but even then I don't really care because I'll still have my "internet laptop" and the things that I would want to run *today* are guaranteed to run on Windows 7 in the future, whenever I get around to updating.
I've pretty much resigned myself to the fact that I'll never be fully modern again, and I really don't give a shit. Microsoft can fuck off with Windows 10. Apple can fuck off with Mojave and their strange fascination with avoiding industry standards (like OpenGL or CUDA)... not that Apple even manufactures a machine I'd be able to use these days anyways. I am quite literally looking at hardware and software right now and going "What can I run for the next 10 years that will let me keep doing my job?", and I can easily get by with 5-6 year old hardware and a decade old operating system.
Who knows, maybe in the far future WINE/Proton will be stable enough under Linux that I'll switch to that instead, but until that happens, I'm perfectly fine standing waaaaaaaaay back from the bleeding edge, because that's where the only semblance of stability still exists and I need tools I can rely on day in and day out to do my job (unlike my wife's laptop that just blew itself away and installed some new version of Windows 10, taking out her discrete GPU and WLAN which only took me 4 hours of swearing and cursing to reformat and get it all working again).
It almost makes better sense not to use computers these days.
Incidentally, half of application updates take away features, force unnecessary OS/device updates, restrict user a rearrange the UI for no reason, or even all of the above. Article is probably another navel-gazing exercise akin to financial "experts" claiming "nobody could've seen this coming" in 2008. Idiots.
I generally support regular upgrades, but ultimately, who controls the computer? I believe that is, and must remain, the buyer. The buyer controls the computer.
Thus the buyer may have reasons to not upgrade, whether the vendor agrees or not. If the vendor makes upgrading a priority, they must do one of 2 things:
1). Write prescriptive (maybe even coercive) license agreements. This is the Use Force option;
2). Make upgrading easy, simple, and quick. Hey, how about even making it pleasant? This is the Be Nice option.
My NotePad++ software upgrades. A lot. So does FileZilla. It's enough to be a minor nuisance. But you know what? The upgrades are always fast, always reliable, and never disruptive. They don't dink around with the UI. You get the option to skip the upgrade. It's always the user that is in control.
If you want the user to be making regular updates, that's how to do it.
In other news, half the food in my pantry has passed its "best-by" date. I don't care, though. I'll not be bullied into tossing perfectly good food.
Don't mess with your working computer because that's how you end up with "Ribbons" and "Tablet Interfaces" fucking up your productivity.
A lot of this is because in Windows, every vendor pretty much had to build-their-own auto-updater, if at all.
If a software installs an auto-update agent that runs as a matter of course, they are assholes because they are running when they shouldn't be and many auto-updaters add up.
If a software checks auto-update on startup, it's annoying and disruptive because you are trying to use this app, not get nagged about updating. Additionally this means software is neglected when not run and frequently an update is 'do it later' because you are trying to use the app and don't want to wait/risk.
It's a shame MS never delivered an extensible auto-update framework that applications could register their update sources. MS store is the closest thing, but a good facility would not require Microsoft servers to be involved.
Some have raised the valid point that software changes crap and has inflicted update fatigue on people and that is an issue, but I wager most of the time it's because the 'system update' doesn't have a path for applications to naturally get updated at the same time.
XML is like violence. If it doesn't solve the problem, use more.
On MacOS and iOS it really became a CPU and memory hog and it does not allow for the simplest things anymore.
Images get recompressed, uploads are limited to 300MB and stored in the cloud WTF!
What is a good alternative for video conference with chat and uploads?
Those were also the days of comically bad security vulnerabilities and insanely long times to delivering critical security fixes.
These days, Project Zero gives you a 90 day disclosure window. Stable or not, you are highly incentivized to patch it before it's publicly disclosed.
More than half the apps do so well people don't upgrade, OR don't want to pay to upgrade more... FUCK YOU Adobe
I still use Windows 2000 Professional SP4 and a bunch of applications, albeit on Virtualbox in a Linux system. They worked almost two decades ago, and they still work.
Forced me to switch to Mail.app. Support couldn't offer any rollback options to something that worked for me. I did try to switch to IMAP, but this took four days to download my mail and 3x the SSD space.
The trick to IMAP is to have a separate server, then connect to it remotely. This works best on a LAN, but still works as long as you have an internet connection back to your server. My server allows users to read mail with Outlook, Seamonkey, Mutt, etc.
227-3517
Oh look another sleazy company rummaging through millions of computers and collecting shit on all of the software everyone has installed when they don't have to then publicly bragging about their exploits after the fact.
When you want to find out what's changed, they always give you something useless like "bug fixes" or "security enhancements" when they are not.
The real problem comes when the two worlds mix: you buy a piece of software that is offline only but is a time bomb, with expiring license and basically stopping because the local clock got past a point or the remote clock from the authentication server did.
ROFLMAO. This is what recently took down a major drug lord. It is absolutely hilarious.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen