Slashdot Mirror


More Than Half of PC Applications Installed Worldwide Are Out-of-Date (helpnetsecurity.com)

Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report: The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%). The report, which uses anonymized and aggregated data from 163 million devices across the globe, also found that Windows 10 is now installed on 40% of all PCs globally, which is fast approaching the 43% share held by Windows 7. However, 15% of all Windows 7 users and 9% of all Windows 10 users worldwide are running older and no longer supported versions of their product, for example, the Windows 7 Release to Manufacturing version from 2009 or the Windows 10 Spring Creators Update from early 2017.

27 of 151 comments

  1. Because upgrades are often crap by AmiMoJo · · Score: 5, Informative

    Half the time the upgrade doesn't add any value for the user, so why upgrade? VLC is a great example, it pretty much just works and the updates only add support for very obscure stuff that most users don't care about.

    The real problem is that security fixes are not well communicated, and that they are sometimes abused as a way to get users to take user-hostile changes.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Because upgrades are often crap by Opportunist · · Score: 2

      Umm... VLC isn't exactly the best example of what you shouldn't update due to feature bloat. Quite a few of the updates VLC gets plug security holes. Video formats are public knowledge and quite hard to implement securely, twice so if that wasn't exactly the key demand when developing the formats, and the programs using them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Because upgrades are often crap by AmiMoJo · · Score: 2

      It would help if updating was easier. I keep meaning to try Chocolatey or another package manager to make the process easier. The effort of downloading and installing/extracting VLC every time they release an update is too great for me to bother.

      If it was just VLC I might, but most apps are as bad. Particularly annoying is when you have non-default install options that the update resets every time.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Because upgrades are often crap by Ol Olsoc · · Score: 2

      It would help if updating was easier. I keep meaning to try Chocolatey or another package manager to make the process easier. The effort of downloading and installing/extracting VLC every time they release an update is too great for me to bother.

      As well, many updates don't work as well as what they replace.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Because upgrades are often crap by oogoliegoogolie · · Score: 5, Insightful

      The real problem is that security fixes are not well communicated, and that they are sometimes abused as a way to get users to take user-hostile changes.

      Exactly! Most updates have replaced detailed release notes with ambiguous comments such as:
      "Fixed various bugs"
      "Fixes some other minor issues"
      "Other improvements and bug fixes"
      "Major improvements under the hood"
      "Improved security measures"
      "Improved wifi setup"

      Words like "improved, improvement, various, some" are ambiguous and/or subjective. Was a feature removed or added? Was functionality changed? When companies say improved, does that mean improved for me or for the company? Every bug-tracking software lets you create a list of the fixed bugs - export it, review it, edit it, then publish it! Usually when companies aren't explaining something it makes me wonder what they are hiding.

      WTF is with all this rapid-release crap? So many products have too many releases now. Don't push an update out just for typos or other minor UI designs. Return to semi-annual major updates for everything except for critical security patches and major functionality issues.

    5. Re:Because upgrades are often crap by Solandri · · Score: 3, Insightful

      The real problem is that security fixes are not well communicated, and that they are sometimes abused as a way to get users to take user-hostile changes.

      Yeah, for open source software the security fixes are usually only available via updating the software. It's like car manufacturers requiring you to get the newest model car (for free in the case of open source) instead of issuing recalls to fix problems.

      Pay software usually issues security updates for older versions for a while, without requiring you update to a new version (that you have to pay for). But they seem to be trying to kill that model off, replacing it with a subscription model which forces everyone onto the same version.

      It would be less of a problem if you could customize software and its installations. Often you only want a limited feature set (e.g. only Word and Excel) but the software insists on installing everything. That's the problem I've had with antivirus software. They all now include all sorts of web monitoring and active file inspection (tries to scan in real-time every file your computer tries to open) which just intolerably slows down the computer or browser. I have to shut those features off, but would rather not install them in the first place. Or things like the infamous ribbon interface in Office. I bet tens if not hundreds of millions of users would've killed for an option to disable it and go back to the previous interface. Instead, your only option is to continue using outdated software.

    6. Re:Because upgrades are often crap by Darinbob · · Score: 2

      I don't upgrade iTunes often, because every time I do they radically change the user interface. I only use it to sync podcasts, never to buy music, and it only runs when I ask it to.

      Upgrading rarely does anything useful. Yes, if there's a security hole then upgrading is good. But applications insist on upgrading when there is no need and even when the upgraded version becomes less useful or introduces dubious features. The concept that a new version is automatically more secure is naive.

    7. Re:Because upgrades are often crap by Darinbob · · Score: 2

      Probably the whole continuous integration and dev-ops crap. Developers are being conditioned/trained to rapidly release changes, and use the customer as the tester, rather than stick to a reliable and predictable release schedule. It should be the job of the rest of the company to push back and insist on a reliable release schedule. This lets the company predict and communicate to customers what upcoming features will be, engage and figure out what customers want, and so forth. Letting developers run the show on a sprint schedule is failing.

  2. No kidding by The Grim Reefer · · Score: 5, Insightful

    Avast's PC Trends Report 2019 found [PDF] that users are making themselves vulnerable by not implementing security patches and keeping outdated versions of popular applications on their PCs. From a news report:

    The applications where updates are most frequently neglected include Adobe Shockwave (96%), VLC Media Player (94%) and Skype (94%).

    There are a lot of applications that the newer versions are considerably worse. It's funny that they mention Skype. It worked much better and was more intuitive 10 years ago in comparison to what is currently available.

    I'm surprised that Shockwave is on the list. I didn't know that it was still in use.

    1. Re:No kidding by Austerity Empowers · · Score: 3, Insightful

      This is the best reason why users don't upgrade. The upgrade is trash or breaks something of value. People are going to pick features > security every time.

  3. Way too many by DarkRookie2 · · Score: 5, Interesting

    Software nowadays seems to want to update every 6 hours.
    This is not surprising and prolly the reason for stuff like this.
    People should make stuff that doesn't require that many updates.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:Way too many by Malc · · Score: 3, Interesting

      Updates this frequent seem to be an excuse for poorer quality software. Every update fixes problems with the last version and introduces a ton of new issues. The overall average quality of the software stays poor and doesn't incrementally improve. I think I preferred the old way of working where updates were just fixes, and once in a while I got an upgrade that actually felt worthwhile because the impact of all the new features normally outweighed any new issues introduced.

      If I've got something I'm happy with then I can wait; I don't need something new every 30s (or even every two weeks)

    2. Re:Way too many by Darinbob · · Score: 2

      Customer push 1 fixes a bug. Two weeks later customer push 2 fixes the security hole in the earlier push, while also adding a new UI widget. Two weeks later the security patch is tweaked because it wasn't working, and at the same time there is a patch to have tighter integration with the monetization store. Two weeks later a patch is out to actually encrypt the monetizing transaction, along with a new dark UI theme. Two weeks later the software now pops up a notification to remind users to not turn off automatic updates.

  4. This is not a problem to most users, it's a perk by cloud.pt · · Score: 4, Insightful

    There was a time stable software was a standard, not a luxury. Now, the definition of stable is whatever the software maker decides at that point in time. This doesn't make sense. The user is the one with his requirements in mind. That's what makes people buy some piece of software and expect a life-long license. That's also why cloud apps are cheaper and have a time-frame. The real problem comes when the two worlds mix: you buy a piece of software that is offline only but is a time bomb, with expiring license and basically stopping because the local clock got past a point or the remote clock from the authentication server did. Or the opposite, when you purchase an Office 365 cloud license but have access to a download of the offline suite which will only work for as long as your remote account hasn't expired.

  5. In my experience, the biggest offenders: by Opportunist · · Score: 2

    Compression tools.

    I'm not kidding here. Most of the things listed in the report usually come with auto-update features that you have to deliberately disable or cancel. Compression tools like WinRAR or 7-Zip get installed once and never get touched again. Ever. Unfortunately, due to the nature of what they do, they can very easily be exploited to run arbitrary malware code if the decompression algorithm is poorly implemented.

    Keep your compression tools updated!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:In my experience, the biggest offenders: by Opportunist · · Score: 2

      You don't download compressed files from the internet? No mods for your favorite game, no file someone sends you on WhatsApp? While I'd guess that you probably don't work in HR where opening compressed files is pretty much par for the course every time you're hiring and someone sends you their CV, you don't exchange files with anyone? Where you always, really always, check whether the from-header is actually from your mail partner?

      But you're right, these are usually things that the average Joe Hacker doesn't do. This is something done for more interesting targets that are a bit more security conscious...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Because older versions support Windows XP by xack · · Score: 2

    Like it or not, XP is not going away soon. It is too useful for many purposes and still has over 10% market share in China. If software arbitrarily drops support for XP then older versions will stay in use. There is still a significant amount of users on Chrome 49 and Firefox 52 since they support XP. Just because Microsoft doesn't support it doesn't have to mean that open source software needs to. XP forever!

  7. Absolutely! by rickb928 · · Score: 2

    I run Office 2003 on all my home machines, first because it's good enough. And because I have a valid multi user license. And because Microsoft somehow gave it compatibility updates. And, lastly, because LibreOffice would be my replacement.

    Flash and Shockwave I avoid, so those usually are disabled or uninstalled. Problems solved.

    And my Surface Pro 3 is in the Windows Insider Program, so I get a lot of updates, back up my data obsessively, and have updates scheduled. So far so good.

    Truly, word processing hasn't advanced much since Word 6.0 and Quark, unless you hang on features like formatting preview and dynamic content, and since paper is out of favor, these now make sense. In the day of printing, there were a lot of features not useful to production environments.

    But hey, I missed Minesweeper so much I went and found it.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  8. Yeah by ArchieBunker · · Score: 4, Insightful

    Because coders can't stop coding. Quit adding shit for the sake of adding it. You're done, stop, move on to another project. At some point your project has evolved to a pinnacle and anything you do from there on detracts from it.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  9. Skype by MobaHup · · Score: 2

    Purposefully using an older 7.40 version of Skype while I can, because the newest version is a bloated, buggy piece of crap.

  10. Package management to the rescue by Boern1138 · · Score: 2

    That's one of the reasons I prefer Linux. Most major distributions have some kind of package manager that takes the burden of checking every application for updates from me. Just one command/click and every program is updated to the latest version. It can't get much easier than that. And if you are lazy and don't care you can let your distro even do the updates silently in the background.

  11. Makes sense by HalAtWork · · Score: 4, Insightful

    As others have mentioned a lot of newer versions of apps remove features or rearrange the UI just to seem fresh but that's annoying to the user.

    Besides that, on Windows a lot of apps seem to install a companion app just to check for updates, a lot of the time this gets disabled because it adds clutter to the taskbar and adds to startup time, not to mention triggering annoying popups if it can't reach the internet or if they need you to agree to new terms.

    During Windows installers people see a checkbox for that and disable it automatically because they're usually trying to shoehorn some adware or promotional app, or take over file associations or sign you up for something you don't want. So people just disable these.

    I moved away from Windows because of these hassles and now I have a central updating service for everything on my system. I understand Windows Store can do this, but not all apps are on the Windows Store because of certain restrictions and other criteria that leaves out the app you may want, or because the third party has their own storefront service/launcher they want you to use, and some people want to avoid it altogether because of the experience.

    It seems like a hassle to deal with all of this when you just want to accomplish things in a straightforward way, especially if you are an end user who gets anxious when they are presented with a dialog box with options like many non-techies who will just see that and immediately call the local nerd.

  12. I like Chrome's approach by ddtmm · · Score: 2

    If it was just 1 or 2 programs that need regular updating, for whatever reason, people would be more inclined to do them. The problem is that there are so many programs that need regular updating, people just can't be bothered.

    If more programs allowed you to enable automatic updating in the background like the way Chrome does (that is, seamlessly in the background) I think more people would enable that method. I know I would. And if you don't like it, just don't enable it. There are a lot of apps I'd be fine with background auto-update.

  13. If you like that feature you can keep it by DarkOx · · Score: 4, Insightful

    "If you like your feature you can keep it"

    I think in the consumer software space there is very real conflict between security updates and functional requirements.

    Users chose software because it did something they wanted to do. The home computer is not purely entertainment for a lot of people. Many of them actually do care that they can create the weekly mailer, exchange very documents with people in their only hobby group - which could range from pictures to CAD drawings and 3d printing instructions.

    The trouble is these days installing that update could do any number of things. Maybe a feature you used is outright dropped or is only available in the paid "pro" version now; requires an active internet connection when it did not before etc etc. Maybe it just works and looks different and learning some new work flow or rebuilding all your scripts and macros just isn't something you want to do this month. If the changes don't work for you, too bad; no security fixes then. Also if you only have one system and don't know other people doing exactly what you are doing often it's a mystery as to what version next will bring. Again if it's a process that is critical to you, can you risk updating?

    At least before critical system components like Windows itself could be pretty well depended on not to push major user visible changes or changes likely to break other applications and API functions in updates. Increasingly this too is changing and it's no surprise people respond by not updating.

    What does MS do in response? Make it more and more difficult to turn off auto updates; yes I suppose it keeps people on the update train a little longer but it does nothing to build confidence. Increasingly it drives them to other platforms which they will then not install updates on with or without justification.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  14. I'd update more if... by QuietLagoon · · Score: 3, Interesting

    ... the updates did not add data collection. One application I am using requires me to install google analytics when I upgrade the application. So I stopped upgrading it. Then there is Windows 10, if I upgrade to Windows 10, I turn my PC into a Microsoft data collection machine. If you want to know a reason why some do not upgrade, ask the software providers who put egregious data collection into their upgrades.

  15. Summary of reasons WHY no updating by UnknownSoldier · · Score: 4, Insightful

    Here is a (partial) list of why people don't upgrade:

    - Don't fix what isn't broken. The old version is KNOWN to work, the new one is a GAMBLE. /s Because Microsoft has such a good track of updates not breaking -- oh wait, they don't!
    - Hate having to schedule time for updates
    - Telemetry bullshit
    - New version is not compatible with old version files
    - New UI is crap
    - Useful features removed
    - Cost of new version is prohibitive
    - New version holds you hostage -- if you don't pay the rental tax it stops working
    - Can't run the old version alongside the new version to test what changed
    - No ability to "downgrade" to the previous version if you run into issues with the new version
    - Installer fucks up
    - New installer has malware and/or ads or hijacks the browser.
    - No solution for upgrade issues
    - No perceived value with a patch that only has security fixes. "They don't affect me."
    - Distrust of a patch that was "only" supposed to address security issues -- yet breaks functionality.
    - Updates don't respect MY time for when is a good time to update
    - New version doesn't work on your older OS -- such as Microsoft's bullshit of not releasing DX12 for Windows 7.
    - Forced updates which means downtime.
    - Auto updates are broken
    - Patch notes don't list WHAT has changed. MS has a shitty habit of this.

    When I installed Gimp 2.8 it blew away my working 2.6 versions on OSX. I then had to track down why Export wasn't working AT ALL. Turns out it was a problem with one of the python scripts IIRC. There is no way in hell a normal user would have been able to track down what the cause was.

    I also ran into this recently when I upgraded to the latest Inkscape 0.9x.

    I did an upgrade but all the menu icons were missing. Had to uninstall and reinstall to fix.

    Once I got the new version working I noticed the default units got changed from 90px/inch to 96px/inch. Now whenever I open old files I have to manually verify they didn't get fucked up.

    Upgrades aren't cheap -- both from a Time and Money factor.

    The old version may have a fixed cost; the new version may nickel and dime you -- worse it holds you hostage. If you stop paying the monthly rental tax it stops working.

    Users have learnt to distrust upgrades. They almost never work out-of-the-box. This means wasting even MORE time.

    There are only 2 main reasons to update:

    - New features
    - Security fixes

    When the risk:reward ratio is analyzed it isn't always cut and dry.

    Is it any wonder people don't trust new versions?

  16. Re:This is why. by Farmer Tim · · Score: 2

    "WTF? Why did they completely change the UI?"

    The Useless Interface works exactly as intended.

    --
    Blank until /. makes another boneheaded UI decision.