More Than Half of PC Applications Installed Worldwide Are Out-of-Date (helpnetsecurity.com)
Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report: The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated data from 163 million devices across the globe, also found that Windows 10 is now installed on 40% of all PCs globally, which is fast approaching the 43% share held by Windows 7. However, 15% of all Windows 7 users and 9% of all Windows 10 users worldwide are running older and no longer supported versions of their product, for example, the Windows 7 Release to Manufacturing version from 2009 or the Windows 10 Spring Creators Update from early 2017.
Half the time the upgrade doesn't add any value for the user, so why upgrade? VLC is a great example, it pretty much just works and the updates only add support for very obscure stuff that most users don't care about.
The real problem is that security fixes are not well communicated, and that they are sometimes abused as a way to get users to take user-hostile changes.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
As far as I know (feel free to correct my ignorance) Adobe Shockwave is for online games which I don't bother with, I only use VLC for DVDs since Windows refuses a proper media player and I don't use Skype. If these programs are running in a vulnerable manner (excluding VLC, which is not set to auto run), seems like Windows is more responsible since I never asked for them to run...
>Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report:
>The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%).
There are a lot of applications that the newer versions are considerably worse. It's funny that they mention Skype. It worked much better and was more intuitive 10 years ago in comparison to what is currently available.
I'm surprised that Shockwave is on the list. I didn't know that it was still in use.
Software nowadays seems to want to update every 6 hours.
This is not surprising and prolly the reason for stuff like this.
People should make stuff that doesn't require that many updates.
http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
That's way too recent to be unsupported.
-enabled more ads
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
There was a time stable software was a standard, not a luxury. Now, the definition of stable is whatever the software maker decides at that point in time. This doesn't make sense. The user is the one with his requirements in mind. That's what makes people buy some piece of software and expect a life-long license. That's also why cloud apps are cheaper and have a time-frame. The real problem comes when the two worlds mix: you buy a piece of software that is offline only but is a time bomb, with expiring license and basically stopping because the local clock got past a point or the remote clock from the authentication server did. Or the opposite, when you purchase an Office 365 cloud license but have access to a download of the offline suite which will only work for as long as your remote account hasn't expired.
Compression tools.
I'm not kidding here. Most of the things listed in the report usually come with auto-update features that you have to deliberately disable or cancel. Compression tools like WinRAR or 7-Zip get installed once and never get touched again. Ever. Unfortunately, due to the nature of what they do, they can very easily be exploited to run arbitrary malware code if the decompression algorithm is poorly implemented.
Keep your compression tools updated!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Like it or not, XP is not going away soon. It is too useful for many purposes and still has over 10% market share in China. If software arbitrarily drops support for XP then older versions will stay in use. There is still a significant amount of users on Chrome 49 and Firefox 52 since they support XP. Just because Microsoft doesn't support it doesn't have to mean that open source software needs to. XP forever!
I run Office 2003 on all my home machines, first because it's good enough. And because I have a valid multi user license. And because Microsoft somehow gave it compatibility updates. And, lastly, because LibreOffice would be my replacement.
Flash and Shockwave I avoid, so those usually are disabled or uninstalled. Problems solved.
And my Surface Pro 3 is in the Windows Insider Program, so I get a lot of updates, back up my data obsessively, and have updates scheduled. So far so good.
Truly, word processing hasn't advanced much since Word 6.0 and Quark, unless you hang on features like formatting preview and dynamic content, and since paper is out of favor, these now make sense. In the day of printing, there were a lot of features not useful to production environments.
But hey, I missed Minesweeper so much I went and found it.
deleting the extra space after periods so i can stay relevant, yeah.
Because coders can't stop coding. Quit adding shit for the sake of adding it. You're done, stop, move on to another project. At some point your project has evolved to a pinnacle and anything you do from there on detracts from it.
Only the State obtains its revenue by coercion. - Murray Rothbard
Purposefully using an older 7.40 version of Skype while I can, because the newest version is a bloated, buggy piece of crap.
That's one of the reasons I prefer Linux. Most major distributions have some kind of package manager that takes the burden of checking every application for updates from me. Just one command/click and every program is updated to the latest version. It can't get much easier than that. And if you are lazy and don't care you can let your distro even do the updates silently in the background.
As others have mentioned a lot of newer versions of apps remove features or rearrange the UI just to seem fresh but that's annoying to the user.
Besides that, on Windows a lot of apps seem to install a companion app just to check for updates, a lot of the time this gets disabled because it adds clutter to the taskbar and adds to startup time, not to mention triggering annoying popups if it can't reach the internet or if they need you to agree to new terms.
During Windows installers people see a checkbox for that and disable it automatically because they're usually trying to shoehorn some adware or promotional app, or take over file associations or sign you up for something you don't want. So people just disable these.
I moved away from Windows because of these hassles and now I have a central updating service for everything on my system. I understand Windows Store can do this, but not all apps are on the Windows Store because of certain restrictions and other criteria that leaves out the app you may want, or because the third party has their own storefront service/launcher they want you to use, and some people want to avoid it altogether because of the experience.
It seems like a hassle to deal with all of this when you just want to accomplish things in a straightforward way, especially if you are an end user who gets anxious when they are presented with a dialog box with options like many non-techies who will just see that and immediately call the local nerd.
Twinstiq, game news
"Man I love this app. The way it handles and does everything I want. The way everything hangs together in a logical..."
"WTF? Why did they completely change the UI?"
If it was just 1 or 2 programs that need regular updating, for whatever reason, people would be more inclined to do them. The problem is that there are so many programs that need regular updating, people just can't be bothered.
If more programs allowed you to enable automatic updating in the background like the way Chrome does (that is, seamlessly in the background) I think more people would enable that method. I know I would. And if you don't like it, just don't enable it. There are a lot of apps I'd be fine with background auto-update.
Yes.
It's typically "use before a security vulnerability is identified and exploited by malware".
You do not have a moral or legal right to do absolutely anything you want.
"If you like your feature you can keep it"
I think in the consumer software space there is very real conflict between security updates and functional requirements.
Users chose software because it did something they wanted to do. The home computer is not purely entertainment for a lot of people. Many of them actually do care that they can create the weekly mailer, exchange very documents with people in their only hobby group - which could range from pictures to CAD drawings and 3d printing instructions.
The trouble is these days installing that update could do any number of things. Maybe a feature you used is outright dropped or is only available in the paid "pro" version now; requires an active internet connection when it did not before etc etc. Maybe it just works and looks different and learning some new work flow or rebuilding all your scripts and macros just isn't something you want to do this month. If the changes don't work for you too bad; no security fixes then. Also if you only have one system and don't know other people doing exactly what you are doing often it's a mystery as to what version next will bring. Again if it's a process that is critical to you, can you risk updating?
At least before critical system components like Windows itself could be pretty well depended on not to push major user visible changes or changes likely to break other applications and API functions in updates. Increasingly this too is changing and it's no surprise people respond by not updating.
What does MS do in response? Make it more and more difficult to turn off auto updates; yes I suppose it keeps people on the update train a little longer but it does nothing to build confidence. Increasingly it drives them to other platforms which they will then not install updates on with or without justification.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Adobe don't seem to understand this. I've been using Lightroom 6 for 3.5 years, and now they've broken one of its key modules (Adobe apologists blame one of their vendors). I took a look at the latest Lightroom Classic CC (v8.1) and I really can't see the benefit: native support for HEIC (I'd already worked around that), a dehaze filter that doesn't seem to do anything I couldn't do with contrast and clarity, autosettings that cause more work because they over compress contrast and pump the colour saturation making photos look like over processed iPhone HDR photos, and all the issues that annoyed me with LR6 still annoy me in the latest version. And the cost... 3.5 years of LR Classic CC is 7x the price of LR6, and increasing, and if you don't want to pay, you lose all editing functionality. What a con.
BTW, you mentioned Office 365. I'm still using Office 2011 on my Mac at home, and I really can't see any benefits over it in the Office 365 at work. Microsoft managed to break moving messages between folders before Christmas for my work G-Suite account. Forced me to switch to Mail.app. Support couldn't offer any rollback options to something that worked for me. I did try to switch to IMAP, but this took four days to download my mail and 3x the SSD space. The latest update this month seems to find Outlook stuck on high CPU, and kernel_task and Window Server getting stuck on high CPU. Useless.
... the updates did not add data collection. One application I am using requires me to install google analytics when I upgrade the application. So I stopped upgrading it. Then there is Windows 10, if I upgrade to Windows 10, I turn my PC into a Microsoft data collection machine. If you want to know a reason why some do not upgrade, ask the software providers who put egregious data collection into their upgrades.
Don't do maintenance until it is broken too?
If you have a security hole in your app, and you don't update it, you are spinning a roulette wheel to see if you get hacked or not.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Increasingly, it's "use before the vendor switches to a subscription model to wring every last dollar out of its customers."
There's a HUGE difference between "needs update" and "needs MEANINGFUL update".
I don't know of a metric that would measure that, unless perhaps you measured the size of the update vs installed size of the program?
I know this wouldn't be perfect, but I'd guess in general critical updates would be more sizable than trivial "this button doesn't look right when clicked" updates.
-Styopa
Oh yes... I'd like to see something similar to Ubuntu's PPA system implemented by Microsoft.
Within Windows, maintain a list of software and URLs (and perhaps licensing identifiers). When a program is installing, it can ask to enable automatic updates, and if approved, it can add a URL to the list. Those URLs would point to an XML file (or JSON, or whatever) describing available versions, along with how to run the installer (preferably in a silent update mode). Windows itself can then periodically search for updates, alert the user with a consistent UI, and update as requested.
I'm assuming the Windows Store was built to do much of that, but having the walled garden approach limits its appeal.
You do not have a moral or legal right to do absolutely anything you want.
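The update-list idea proposed in the comment above, sketched as an added example (not part of the original thread, and not an existing Windows facility). The registry layout, manifest fields such as `security` and `silent_args`, and all URLs are hypothetical; a real design would also sign the manifest rather than rely only on HTTPS and a pinned installer hash.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample data; every name, URL and field here is hypothetical.
INSTALLER = b"constructed installer payload 3.0.10"
REGISTRY = [  # the OS-wide list that installers register themselves in
    {"name": "ExamplePlayer", "installed": "3.0.4",
     "manifest_url": "https://updates.example.com/player.json"},
    {"name": "ExampleChat", "installed": "8.1",
     "manifest_url": "http://updates.example.net/chat.json"},  # plain HTTP
]
MANIFESTS = {  # stands in for the network so the example runs offline
    "https://updates.example.com/player.json": json.dumps({"versions": [
        {"version": "3.0.5", "security": True,
         "url": "https://updates.example.com/player-3.0.5.exe",
         "sha256": "0" * 64, "silent_args": ["/S"]},
        {"version": "3.0.10", "security": False,
         "url": "https://updates.example.com/player-3.0.10.exe",
         "sha256": hashlib.sha256(INSTALLER).hexdigest(),
         "silent_args": ["/S"]},
    ]}),
}

def parse_version(text):
    """'3.0.10' -> (3, 0, 10), so 3.0.10 sorts after 3.0.5."""
    return tuple(int(part) for part in text.split("."))

def check_entry(entry, fetch=MANIFESTS.get):
    """Return the newest release offered for one registered app, or None."""
    source = urlparse(entry["manifest_url"])
    if source.scheme != "https":
        raise ValueError(f"{entry['name']}: manifest URL is not HTTPS")
    raw = fetch(entry["manifest_url"])
    if raw is None:
        raise LookupError(f"{entry['name']}: manifest unavailable")
    installed = parse_version(entry["installed"])
    newer = [r for r in json.loads(raw)["versions"]
             if parse_version(r["version"]) > installed]
    if not newer:
        return None
    best = max(newer, key=lambda r: parse_version(r["version"]))
    target = urlparse(best["url"])
    # The installer must come from the host the user approved at install time.
    if target.scheme != "https" or target.hostname != source.hostname:
        raise ValueError(f"{entry['name']}: installer URL leaves {source.hostname}")
    return {"name": entry["name"], "version": best["version"],
            # A skipped security release still makes this a security update.
            "security": any(r["security"] for r in newer),
            "url": best["url"], "sha256": best["sha256"],
            "silent_args": best["silent_args"]}

def verify_installer(data, offer):
    """True only if the downloaded bytes match the hash in the manifest."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, offer["sha256"].lower())

def scan(registry):
    """Check every registered app; collect offers and rejected sources."""
    offers, errors = [], []
    for entry in registry:
        try:
            offer = check_entry(entry)
        except (ValueError, LookupError, KeyError) as exc:
            errors.append(str(exc))
        else:
            if offer:
                offers.append(offer)
    return offers, errors

if __name__ == "__main__":
    found, rejected = scan(REGISTRY)
    print(found, rejected)
```

The `security` flag is what would let a consistent system UI separate security fixes from feature releases.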
>Turn off Windows data collection which is meant to have been an opt in.
I think you meant either "should have been", or "was originally claimed to be" - if it was meant to be, it would have been fixed in one of the last half-dozen major updates.
Also, turning it off only eliminates some of the information it sends back, and updates turn it back on regularly. I would be interested to know if a software firewall would even stop it, or if Windows treats it as privileged communication that can only be stopped by an external firewall.
--- Most topics have many sides worth arguing, allow me to take one opposite you.
I am in IT Security and I know the risks. I also view all CVEs released daily. I know what I am doing. But there is only so much time in the day to manage your own software. If you had a company managing all things installed on your desktops (or laptops) and took away the rights of users to install their own software, then hell yeah I blame them when they have the tools to manage it. But for my home machines? I know PuTTY, VLC, and LibreOffice are out of date. Those are the only three applications I have installed on my laptop outside of the OS and Firefox. Why? I use them infrequently and I don't spend the time to check them every time I login to the machine. I just want it to work.
The final thing actually is Windows 10 has made it worse for me. I used to keep my machines running 24x7. Now due to how the updates are deployed, and being unable to kill the reboots, etc. I shut them off so they don't reboot on me at random times. I never know when an update is coming (yes I know about patch Tuesday, but MS releases so many damn out of cycle patches, it is not the only time you get patches). So my machines are not running, thus no software to worry about, limiting risk.
Finally - there is no single update mechanism like many Linux distros. Each one has some crappy software, always running and taking resources, just to update. Why does an update daemon (process) take 56Mb of memory? I used to run an entire OS and its app on that much memory. That is now the updater process for java which always runs? Have a dozen of those crappy things running and your machine crawls.
Not long ago, Steam made me update Civilization V. Not to make it better, not to fix security holes, but to force a new bloated interface so the makers of the Civilization series could show me ads for some Civ 6 DLC. That's all. Fallout 4 still gets updates that are mostly worthless ways of new monetization angles rather than actually improving the game.
That's just two examples of why I would have never updated that software if it had not been forced on me. I'll update more software when it's proven that patching security holes is more important than bloaty worthless patches.
whatever it is, it's broke in some way
I can't wait to see what new ads they will blast me with and what plug-ins they will automatically install.
“Common sense is not so common.” — Voltaire
Here is a (partial) list of why people don't upgrade:
- Don't fix what isn't broken. The old version is KNOWN to work, the new one is a GAMBLE. /s Because Microsoft has such a good track of updates not breaking -- oh wait, they don't!
- Hate having to schedule time for updates
- Telemetry bullshit
- New version is not compatible with old version files
- New UI is crap
- Useful features removed
- Cost of new version is prohibitive
- New version holds you hostage -- if you don't pay the rental tax it stops working
- Can't run the old version along side the new version to test what changed
- No ability to "downgrade" to the previous version if you run into issues with the new version
- Installer fucks up
- New installer has malware and/or ads or hijacks the browser.
- No solution for upgrade issues
- No perceived value with a patch that only has security fixes. "They don't affect me."
- Distrust of a patch that was "only" supposed to address security issues -- yet breaks functionality.
- Updates don't respect MY time for when is a good time to update
- New version doesn't work on your older OS -- such as Microsoft's bullshit of not releasing DX12 for Windows 7.
- Forced updates which means downtime.
- Auto updates are broken
- Patch notes don't list WHAT has changed. MS has a shitty habit of this.
When I installed Gimp 2.8 it blew away my working 2.6 versions on OSX. I then had to track down why Export wasn't working AT ALL. Turns out it was a problem with one of the python scripts IIRC. There is no way in hell a normal user would have been able to track down what the cause was.
I also ran into this recently when I upgraded to the latest Inkscape 0.9x.
I did an upgrade but all the menu icons were missing. Had to uninstall and reinstall to fix.
Once I got the new version working I noticed the default units got changed from 90px/inch to 96px/inch. Now whenever I open old files I have to manually verify they didn't get fucked up.
Upgrades aren't cheap -- both from a Time and Money factor.
The old version may have a fixed cost; the new version may nickel and dime you -- worse it holds you hostage. If you stop paying the monthly rental tax it stops working.
Users have learnt to distrust upgrades. They almost never work out-of-the-box. This means wasting even MORE time.
There are only 2 main reasons to update:
- New features
- Security fixes
When the risk:reward ratio is analyzed it isn't always cut and dry.
Is it any wonder people don't trust new versions?
I'm surprised it isn't higher.
That's all fine and dandy until KB4480970 made our fileserver (and printer scan mappings) shit the bed 2 days ago. Best part of that update was I know for a fact I had updates disabled ON EVERY PC IN OUR SMALL COMPANY. Found unsolicited SMB fucking update installed, and windows update settings locked into "some settings managed by your administrator" bullshit I can't change/disable. Fuck microsoft, fuck their forced upgrades to computers with updates disabled, and fuck any dumbshit IT "pro" who thinks auto-updates are a good idea.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
It almost makes better sense not to use computers these days.
A lot of this is because in Windows, every vendor pretty much had to build-their-own auto-updater, if at all.
If a software installs an auto-update agent that runs as a matter of course, they are assholes because they are running when they shouldn't be and many auto-updaters add up.
If a software checks auto-update on startup, it's annoying and disruptive because you are trying to use this app, not get nagged about updating. Additionally this means software is neglected when not run and frequently an update is 'do it later' because you are trying to use the app and don't want to wait/risk.
It's a shame MS never delivered an extensible auto-update framework that applications could register their update sources. MS store is the closest thing, but a good facility would not require Microsoft servers to be involved.
Some have raised the valid point that software changes crap and has inflicted update fatigue on people and that is an issue, but I wager most of the time it's because the 'system update' doesn't have a path for applications to naturally get updated at the same time.
XML is like violence. If it doesn't solve the problem, use more.
Those were also the days of comically bad security vulnerabilities and insanely long times to delivering critical security fixes.
These days, Project Zero gives you a 90 day disclosure window. Stable or not, you are highly incentivized to patch it before it's publicly disclosed.
Maintenance and security should also be user choice. Not giving that choice isn't much different than what Apple, Ferrari, hell, even John Deere are trying to do. They want monopoly on maintenance because of what they say is "brand appeal" but we all know is flat out profit from stupid margins.
I didn't need a security patch on my good ol' Photoshop (insert any other relevant offline app or even OS). What the hell can go wrong if I'm not using it online or already taking measures myself to prevent problems? Why do I have to be financially bound to these companies' decisions if I already paid for right of ownership, even if just the executable form.
This is a far cry from all these companies to keep being relevant selling you services after their initial goal of selling you products. It's the best marketing ever - it's marketing you don't need, because it is enforced on you.
Agreed that Notepad++ and FileZilla are great examples! Ironically just upgraded both them this month from ancient versions and had zero problems. I do this about once a year and don't have any qualms because they have earned my respect.
Microsoft is completely clueless in respecting the user's time and space.
I can understand MS's position -- old software has bugs. I get that and that old versions are security vulnerabilities when people don't want to update. However, Forced Updates are NOT the correct way to handle this when the NEW software has a different set of bugs, or worse, breaks. That's literally a FU to users.
I 100% agree with you: The buyer should always be in control. Anything else sends the message: "We don't trust you." Uh, why would I, as a user, trust you, the provider, then when you don't trust me!?
>Forced me to switch to Mail.app. Support couldn't offer any rollback options to something that worked for me. I did try to switch to IMAP, but this took four days to download my mail and 3x the SSD space.
The trick to IMAP is to have a separate server, then connect to it remotely. This works best on a LAN, but still works as long as you have an internet connection back to your server. My server allows users to read mail with Outlook, Seamonkey, Mutt, etc.
227-3517
When win10 came out, there was a forum for external firewall software that maintained a blocklist for win10 telemetry. I added it manually to my software firewall and it did in fact work.
Until one day, MS updated win10 to the point where it would literally refuse to access the internet with any software until I removed relevant telemetry blocks on the firewall. Literally all internet facing software just stopped having access to the internet until I allowed telemetry through, at which point, it all magically started working again.
So I can vouch for the fact that properly configured software firewall does appear to block win10 telemetry, but MS has some rather nasty tricks if you do it.
Oh look another sleazy company rummaging through millions of computers and collecting shit on all of the software everyone has installed when they don't have to then publicly bragging about their exploits after the fact.
>The real problem comes when the two worlds mix: you buy a piece of software that is offline only but is a time bomb, with expiring license and basically stopping because the local clock got past a point or the remote clock from the authentication server did.
ROFLMAO. This is what recently took down a major drug lord. It is absolutely hilarious.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen