Patchy Windows patching leaves users insecure

Windows users need to patch their systems an average of every five days to stay ahead of security vulnerabilities, according to a study this week. The numbers come from a company called Secunia which just happens to be developing an all-in-one patching tool to reduce update headaches for consumers. Stats from the two million …

COMMENTS

This topic is closed for new posts.
  1. BigRedS

    I'd presumed this was by design

    It's long been pretty obvious that no-one on a Windows box patches everything. Even those who religiously do Windows Updates, and installed Microsoft Update and respond when Java asks for updates and when YouTube tells them that they need to upgrade to Flash 10, probably don't update Acrobat Reader or Firefox very often. There are just so many different sources, each needing individual updating, that it doesn't happen.

    On the plus side for the industry, we've recently shelled out Lord-knows-how-much for a box to stick in our rack that, amongst other things, can push out pretty much whatever software updates we can give it.

    <standard comment about how *nixy repositories make it easier>

  2. Khaptain

    Patching is not the problem.....

    There's nothing wrong with patching in itself. It's the need to reboot the servers. All they have to do is come up with a solution whereby patches are installed dynamically...

    And a decent rollback system, just in case...

  3. Anonymous Coward

    but

    Does every last stupid update force a system restart?

    That's why you just can't run a reliable Windows server.

    1. Stephen Usher

      The reason for Windows Reboots is...

      The biggest problem for Windows patches, which force the dreaded reboot, is the fact that neither NTFS nor FAT can handle renaming currently open files, allowing their replacement with newer versions.

      This means that all of those DLLs and kernel driver files and all the parts of Windows necessary for the minute to minute running of the system can't be replaced on the running system. Instead they need to be scheduled to be replaced before they get used at the next reboot.

      If NTFS/Windows were modified to be able to cope with renaming an open file (with the programs which are still using it finding the original version), as it is possible to do on all UNIX derived filesystems, this would mitigate a great many of the pesky reboots. (As would Microsoft creating their consumer patches as bundles, bringing systems up to the current patch level from any previous patchlevel rather than having to iteratively cycle through the patch history, each requiring a reboot.)
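The comment above hinges on a POSIX property: a file can be renamed over while another process still has it open, and that process keeps reading the old inode. The following is an added example (not from the article or any commenter) that demonstrates the install pattern package managers use for in-use libraries: write the new version to a temporary file on the same filesystem, fsync it, then atomically `os.replace()` it over the target. The file name `libexample.so` and the "version" byte strings are constructed for the demo. On Windows the equivalent rename fails unless the handle was opened with `FILE_SHARE_DELETE`, which is why installers there fall back to `MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT)` and the reboot the comment complains about.

```python
"""Added example: replace an in-use file atomically on POSIX.

A 'running process' holds libexample.so open while the 'installer'
renames a new version over it. The open descriptor keeps seeing the
old bytes; any new open sees the new bytes. Run on Linux or macOS.
"""
import os
import tempfile


def replace_in_use_file(directory):
    """Return (old_reader_sees, new_reader_sees, old_inode_kept, inode_changed).

    old_reader_sees  - bytes read through the descriptor opened before the swap
    new_reader_sees  - bytes read by a fresh open after the swap
    old_inode_kept   - the held descriptor still refers to its original inode
    inode_changed    - the path now points at a different inode
    """
    target = os.path.join(directory, "libexample.so")  # constructed name
    with open(target, "wb") as f:
        f.write(b"version 1")

    # A long-running process has the library open (think: a loaded DLL).
    in_use = open(target, "rb")
    try:
        old_inode = os.fstat(in_use.fileno()).st_ino

        # Installer: write the replacement to a temp file in the SAME
        # directory (rename is only atomic within one filesystem), flush
        # it to disk, then rename over the target in one step.
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".libexample.")
        with os.fdopen(fd, "wb") as f:
            f.write(b"version 2")
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, target)  # succeeds even though 'target' is open

        # The process that already had it open still sees the old content,
        # and its descriptor still refers to the old (now unlinked) inode.
        old_reader_sees = in_use.read()
        old_inode_kept = os.fstat(in_use.fileno()).st_ino == old_inode

        # Anything started after the swap gets the new version.
        with open(target, "rb") as f:
            new_reader_sees = f.read()
        inode_changed = os.stat(target).st_ino != old_inode
    finally:
        in_use.close()  # only now is the old inode's storage released

    return old_reader_sees, new_reader_sees, old_inode_kept, inode_changed


def demo():
    """Run the swap in a scratch directory and return the four results."""
    with tempfile.TemporaryDirectory() as d:
        return replace_in_use_file(d)


if __name__ == "__main__":
    print(demo())
```

Because the old inode survives until the last descriptor closes, a process that keeps running on the pre-patch library is not crashed by the update, but it is also not patched until it restarts; that is the same residual exposure `needs-restarting`/`checkrestart`-style tools exist to report.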

  4. amanfromMars 1

    King Canute Capers

    Is Secunia's free Personal Software Inspector, the virtual equivalent of a raging flood sandbag? Something to do in the middle of a crisis to make one feel good about a devastating situation which no one can stop.

    Bravo, Secunia, for it is better than nothing even if it only redirects main flow/major bugs elsewhere.

  5. Anonymous Coward

    Patch to stay ahead lol

    "every five days to stay ahead", you don't patch to stay ahead in security, you patch to stay less behind.

    Remember what came first, the patch or the security issue? Yes, that's right, the security issue.

  6. jake

    Or perhaps ...

    Instead of building layer upon layer upon layer upon layer of software on top of an inherently insecure product, thus causing all kinds of other issues (over use of hardware resources (RAM, CPU, disk ...), multiple software incompatibilities, etc.) ... Maybe, just maybe it makes more sense to use a secure by design product ... unless you enjoy spinning your wheels.

    I'm just sayin' ...

  7. Anonymous Coward

    Not for me

    Am I the only person who enjoys the satisfaction of manually patching the XP machine I built in 2001?

    It's no doubt the same feeling my old dad got from cleaning and polishing his Austin Maxi in the driveway on a Sunday morning (until the engine inexplicably caught fire).

  8. Mr_Pitiful

    Nice

    I just tried this and it only found 1 problem

    ActiveX Adobe Flash thingy, patched it and tested again

    The software functions well and has a user interface that is simple to navigate

    Thumbs up if it helps the unwashed masses stay safeish

    1. Anonymous Coward

      More than once

      this has happened here: patched it, scanned again, it said the product was still unpatched. So I deleted the file it flagged, ran the update again, PSI still claimed the original file was there. This is most often with flash, but sometimes with, say, the Sun Java version. One time it was with an MS Office file. Usually PSI appears fully functional but it is not error-free.

  9. Anonymous Coward

    What's needed is...

    ... some kind of package management tool. Something that installs your software in a unified way and keeps it up to date.

    Where have I seen something like this? I am sure it was recently... oh yeah, right here on Linux!!!!

    (I like Apt but there are plenty that do a good job!)

    1. Anonymous Coward

      If you say so.

      I've found the ones in most of the major distros far too easy to break. That's on the increasingly rare occasion the partitioners allowed me to leave all the other volumes on the other drives as I wanted them, and having passed that test, actually succeeded in remembering which drive they'd just installed to so as to be able to boot after a restart, so getting to the point of installing from the repositories.

  10. RJ

    Does that mean I can be extra smug?

    In that all my applications are automatically updated from one location? (When the package distros package 'em up, of course)

    Another advantage of linux

  11. Stewart 3

    FUD Alert!

    So the average user needs 75 weekly patches across 22 vendors? Seems a bit steep to me, so I thought I'd see what's on my, very non-average, machine:

    * MS Office

    * Visual Studio

    * Outlook, etc, etc, all Microsoft - so that's 1 vendor.

    * Firefox - up to 2 now

    * Flash / Acrobat - Adobe - 3, getting closer to the magic 22!

    * Java - Sun / Oracle / Whatever this week's owner's called - 4

    * Tortoise SVN - 5

    * Ankh SVN - 6

    * Skype - 7

    * Winamp - 8

    * 2 FTP clients - 10

    * Total Recorder - 11

    * Any DVD - 12

    * Civilisation IV - 13

    OK, I'm struggling now. I guess I could list every application on my PC, but already some of the above aren't what I call security threat vectors.

    Hang on, my PIC development tools, say another three to be generous - 16.

    We can do this - add in five Firefox addins (although they're already automatically taken care of in Firefox) and we get the magic 22.

    Marketing 101 - if you can't find an existing market to exploit then create one. FUD indeed.

  12. Fay Zee

    Not the whole software industry ...

    Thomas Kristensen, chief security officer at Secunia, explained: "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs."

    He says "the software industry" but specifically means products that run on Microsoft. This has long been a problem and a headache for users.

    On open source systems, users have been able to get all updates in one action for years, with a choice of automatic and manual. That is to say, all feature and security updates for applications and packages within the particular Linux distribution. Meaning any program the user installed from the quite considerable repository offered by the distro. This could be paid commercial/enterprise offerings such as Red Hat, Ubuntu, SuSE and the like, or Debian and other community editions. Packaging staff and volunteers collect the updates and test and package them so they are available. This of course represents a lot of work. That's not to say an open source user cannot install software not in the repository, but the likelihood is that there would be far fewer of these programs than for a comparable Microsoft user.

    I would expect such a service to have to be profitable, or affect ROI, before anyone would consider offering this in the Microsoft world. One might expect that Microsoft itself, from the profits it makes, would offer such, but there are issues involved that would prevent this happening. Let's see if/how far Secunia can succeed in their offering. There is an article at http://secunia.com/company/blog_news/news/84 which states that the service will be free, offering "security updates for a broad array of applications".

    1. Anonymous Coward

      Every desktop not running Windows...

      ...doesn't count. Seriously, says I, who only have Linux on my machines these days (Windows is for VMs, checkpoints are Good Things). But Linux desktops aren't a problem because 1) there's not a whole lot of them, 2) they are therefore a bit less coveted by bad guys and 3) they're probably run by people with above-average computer skills who know how to patch. But we don't count, while the teeming millions of Windows users do. My guess is that the latest botnet bust didn't find all that many Linux boxes. I'll happily donate to Secunia if they can persuade someone to patch the bleeding Windows boxes already, they've been a pain in the behind for far too long.

      1. Keith Oldham

        "My guess is that the latest botnet bust didn't find all that many Linux boxes.."

        I'd be amazed if there were ANY!

        As for desktop count here it's Linux:6 Windows:0

  13. R Callan

    Patch pain

    **"The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs." Secunia**

    Except for Synaptic and Yum and Yast and ???? querying repositories. Could these people not remember that there are solutions to most problems available, even if it involves looking outside the windows.

  14. ysth

    no unified patching solution?

    "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs."

    *cough* sudo aptitude update && sudo aptitude full-upgrade

  15. John Robson

    Software repositories...

    So - like running aptitude, or yum, or emerge, or any of the other various tools that keep linux distros up to date.

    Seems like a good idea to me - they just need to work out a sensible format and get it adopted. Of course they can't take the obvious approach and repackage other peoples patches because no doubt that would make some lawyers rich.

  16. elreg@mailinator.com

    unified patching solution

    Somebody tell Secunia wizards about distributions. Debian, FreeBSD & al: take your pick. The solution has been there for a while.

  17. David 141

    Windows only

    "The core of this patching issue is that the *Windows* software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale"

    Fixed.

    Any decent *nix distribution has solved this problem already.

  18. Rafael 1

    "75 patches from 22 different vendors"

    PANIC! PANIC NOW! THEN BUY OUR SOFTWARE! OR ELSE!!11!

    So the average user has software from 22 vendors? Let's see what I have on one Windows machine: stuff from Microsoft itself, damn blasted Free AVG, Firefox, Acrobat Reader, Java, Eclipse, what else? Am I missing something? Will I attract more girls if I install more software on this machine? Will I lose that promotion if my boss discovers I have software from <10 vendors? Is that what you mean by "leaving the user insecure"?

    Sorry, it's Sunday morning and I'd better go back to bed.

  19. dontstopnow

    Preaching to the choir

    "The core of this patching issue is that the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs."

    Hmm, what we need is some sort of package manager, that would be able to update all the software installed on a machine all at once......

  20. Stefan 2

    Fair point

    It may be a bit of marketing hornswoggle from Secunia, but they have a point. I'm far from an average user but patching and updating is damned tedious. It's especially galling when I haven't used a particular VM (or just my regular desktop) for a couple of months. Not only will there be the ruck of MS patches, but I feel duty-bound to check for updates to Notepad++, FileZilla, 7zip, SumatraPDF, ... those are just some of the 'must have' items on my list.

    The only piece of software with a good, robust auto-update is uTorrent. Some of those I listed above may claim auto-update capability, but most fail in some way. Notepad++ consistently fails to detect an updated version available (even when specifically told to go and look for one). Opera is another. It tells me I have the latest version (on my XP Pro VM), where clearly I don't.

    I've not normally minded about spending time to ensure my system is updated (and thus mostly secured) but it's now taking too much time out of my day. If Secunia can work some auto-update magic, I'm sold.

  21. The BigYin

    Linux Repos FTW

    This is one area where major Linux distros thrash Windows into oblivion. The "repository" system works very, very well. You can install from the existing repos, add new ones, etc. So long as the install is done within the bounds of the prevailing package control system, updates for everything (kernel, apps, whatever) just appear.

    You have one point of truth (the package manager, call it what you will) and within a corporate environment you can simply run your own repo that pushes out whatever whenever it is tested/needed.

    When it comes to updates and remaining secure, I don't think Windows users are aware of how far back in the dark ages they are living.

  22. Andy Baird

    Secunia makes me insecure

    Am I the only one who sees this idea as opening a huge security hole? If Secunia got its way and all apps used its patching mechanism, then black-hat hackers would have one-stop shopping: instead of having to crack hundreds of apps, all they'd have to do is crack Secunia's patcher, and they'd have access to EVERYTHING!

    Secunia's "one patcher for everyone" scheme sounds like a monumentally dumb idea to me.

  23. Anonymous Coward

    Couldn't agree more...

    ...especially as MS have a past record of willfully killing off almost every attempt at unified updating, such as the now-defunct Autoupdate, which - if MS had two brain cells connected - they might have been better-advised to formally adopt.

    Whatever MS's claims, updating any and all their products has always been hugely problematic, not to mention a host of 3rd-party applications - I'm no Linux fanboi, but this surely is at least one reason why Linux is making gains.

  24. Henry Wertz 1

    good idea

    With packages managed by a package manager, as most Linux distros have, this is 100% unnecessary.

    Good on them though. Microsoft hasn't stepped up, so it's good someone is. If it works as advertised I would first advise Windows users to ditch Windows, but then advise a product like this.

  25. Big-nosed Pengie

    title

    "the software industry has, so far, failed to come up with a unified patching solution that can help home users on a large scale; that is, encompassing all software programs."

    Clearly whoever said that was either purposely lying or has never used Linux (one click, type password, all installed software updated.) Either way, it's just another case of Windows users being fed bullshit either to cover up its massive failure or, more likely, to sell them more "security" lipstick to make the rapidly-ageing and wrinkled porcine look more kissable.

    1. Anonymous Coward

      it should be noted

      that yum, yast, apt etc. are all third-party managed patching solutions. They do not guarantee to get you up to date, only up to the version that has been included in the repository. They should be the latest, but that's not always the case.

      And if the app you want isn't in the repository at all, it won't get patched (remember when firefox 3 came out, and all the distros stuck with 2) It's a process controlled by a third party who may, or may not, decide to give you the patches.

      1. Anonymous Coward

        Almost but not quite right

        "They do not guarantee to get you up to date, only up to the version that has been included in the repository."

        Distros typically have several repos, not just one. Some of these may be "testing" repositories, there's not much point in going to the "latest" if it doesn't work or if it breaks other stuff — updates usually go through a QA process first. Really serious security updates go through very quickly and delay the QA process on less serious updates. External repos (like adobe's) typically don't have a visible testing repo, but the updates appear as soon as they are available.

        "And if the app you want isn't in the repository at all, it won't get patched (remember when firefox 3 came out, and all the distros stuck with 2) It's a process controlled by a third party who may, or may not, decide to give you the patches."

        Hmmm. I don't think it works that way. Red Hat, for example, don't usually rebase applications because the paying users value stability over the latest and, er, latest. You, the paying customer, are paying for this stability. On the other hand, Fedora is much more likely to rebase. It took a little while to get Firefox 3 and Firefox 3.5 because the other parts of the distribution that depend on them (and that they depend on) need to be made to work.

        If you want the latest and, er, greatest of some particular package then there's no reason at all why you shouldn't have your own repo. Both apt and yum are quite happy to include external repos. If you have a bunch of friends who want those latest and greatest then you can put the repo somewhere where you can all see it. The rpmfusion, rpmforge, epel and elrepo repos are examples of just this. (I'm sorry, I don't have examples of debian equivalents but I'm sure that they exist.)

        The single, open distribution mechanism backed by an effective authentication mechanism does work. (It's not perfect, there have been a few celebrated attacks on repos with a view to, one presumes, dropping in signed malware. None have succeeded to date.)
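The "effective authentication mechanism" in the comment above is, for apt-style repositories, a hash chain rooted in a signed `Release` file: `Release` pins the SHA-256 and size of each `Packages` index, and each `Packages` stanza pins the SHA-256 and size of its `.deb`. The following is an added example (not the page's, Secunia's or any distribution's code) that parses those two formats and walks the chain the way a client does after the detached signature on `Release` has been checked. The gpg step is assumed to have already passed and is not shown; the repository contents, package name and file paths are constructed in memory, and a same-length byte flip in the `.deb` is used to show a swapped package being rejected without anyone touching `Release`.

```python
"""Added example: verify the Release -> Packages -> .deb hash chain.

Assumes the signature on Release was already verified out of band (gpg).
All repository content below is constructed for the demonstration.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Return {relative_path: (sha256_hex, size)} from a Release file.

    Entries live under a 'SHA256:' field, one per line, each indented by
    a single space and laid out as '<hash> <size> <path>'. The block ends
    at the next unindented field."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into blank-line separated stanzas of
    'Field: value' lines and return them as dicts."""
    stanzas, current = [], {}
    for line in packages_text.splitlines() + [""]:
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return stanzas


class VerificationError(Exception):
    pass


def verify_chain(release_text, index_path, packages_bytes, fetched_debs):
    """Check Release -> Packages -> .deb; return verified package names.

    fetched_debs maps each stanza's Filename to the downloaded bytes.
    Size is checked as well as the digest, as apt does, so a truncated
    or padded download is rejected before hashing is even needed."""
    pinned = parse_release_sha256(release_text)
    if index_path not in pinned:
        raise VerificationError(f"{index_path} not listed in Release")
    digest, size = pinned[index_path]
    if len(packages_bytes) != size or sha256_hex(packages_bytes) != digest:
        raise VerificationError("Packages index does not match Release")

    verified = []
    for stanza in parse_packages(packages_bytes.decode()):
        name, filename = stanza["Package"], stanza["Filename"]
        data = fetched_debs.get(filename)
        if data is None:
            raise VerificationError(f"{filename} was not fetched")
        if len(data) != int(stanza["Size"]) or sha256_hex(data) != stanza["SHA256"].lower():
            raise VerificationError(f"{name}: .deb does not match Packages")
        verified.append(name)
    return verified


def build_mirror(deb_payload: bytes):
    """Construct a self-consistent toy mirror around one .deb payload."""
    filename = "pool/main/e/example/example_1.2-3_amd64.deb"  # constructed
    packages = (
        "Package: example\nVersion: 1.2-3\n"
        f"Filename: {filename}\nSize: {len(deb_payload)}\n"
        f"SHA256: {sha256_hex(deb_payload)}\n"
    ).encode()
    index_path = "main/binary-amd64/Packages"
    release = f"Suite: stable\nSHA256:\n {sha256_hex(packages)} {len(packages)} {index_path}\n"
    return release, index_path, packages, filename


def demo():
    """Return (verified names for a clean mirror, tampered .deb rejected?)."""
    good = b"!<arch>\ndebian-binary   constructed payload"
    release, index_path, packages, filename = build_mirror(good)
    ok = verify_chain(release, index_path, packages, {filename: good})
    bad = good[:-1] + b"!"  # same length, one byte changed by a hostile mirror
    try:
        verify_chain(release, index_path, packages, {filename: bad})
        rejected = False
    except VerificationError:
        rejected = True
    return ok, rejected


if __name__ == "__main__":
    print(demo())
```

The point for the "one patcher to crack" worry raised elsewhere in the thread is where the trust sits: a mirror (or a CDN, or a compromised download server) can only substitute a package if it can also produce a `Release` file that verifies under the distribution's key, so the key and the signing host, not every mirror, are what must be protected.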

    2. Anonymous Coward

      Err...

      It should be noted that most, if not all, commercial software available for linux is not installed or updated via a repo.

      Commercial software is very important to many Linux users, I'm not able to update my IBMtape drivers, Legato Networker, Veritas Netbackup, Oracle, Sybase or EMC symmetrix utilities via a repo. (There are more, these are just off the top of my head)

  26. Codge

    @ Big-nosed Pengie

    "Security" lipstick.

    Well played Sir!

    Obviously Penguin...

  27. Martin Edwards

    Google Updater

    I'm sure some of you will already know this. But it's worth mentioning Google's efforts with Google Updater, which can be configured to take care of updates to Firefox, Adobe Reader, Skype and RealPlayer in addition to Google's own programs.
