Complex systems
Patch Tuesday is turning into a monthly ritual of abuse (legitimately) directed at certain software manufacturers. What has changed over the years?
From my early days I remember a metric called Mean Time Between Failures (MTBF). It was somehow related to the number of components (resistors, capacitors and, at the time, tubes/valves). The more components, and the more of certain types, the shorter the MTBF.
It's not unreasonable to expect complex software inherently to be vulnerable to malicious students of the code. It's a learning curve. Software developed today may be less vulnerable as a result. For example, personal computers today are more reliable, as a result of better cooling, and the move to SSDs and away from mechanical hard drives. Solid-state displays outlast CRTs.
Writing new software that does what the old software did, but is less vulnerable, costs money. A corporation will make more money coming out with new applications than totally replacing what's already out there. Patches are more cost-effective. That is the bottom line.
Hardware and software have improved over time. What hasn't improved, IMO, is the level of user competence. It's a training thing. After all these years, seemingly well-educated people in jobs that otherwise require intelligence are still clicking on phishing links!
It's well and proper to kvetch about Adobe and Microsoft, but the focal point of all security problems is the user. To use an analogy, we've built safer cars, but if the users drive recklessly and don't wear their seat belts, they're still likely to get killed in an accident. So we train people to be sensible behind the wheel, and enforce seat-belt laws. I'm not saying we need civil laws to regulate what you do at the keyboard, but there's precious little public discussion of what not to do. Ransomware attacks make headlines; what's rarely mentioned in the news is that if people didn't open the infected files, such attacks would fail. When a malware attack has the potential of some recent events, it seems akin to a public-health issue.
Shame on Adobe, MS and others for continuing to flog busted code. That said, we've chosen to have capitalist economies where we shouldn't expect better. We can, however, do something to mitigate the potential harm. El Reg and others dutifully report on the subject. Unfortunately, your Aunt Millie probably never reads them.
Sure, it's unfair to blame users for malware and vulnerable but popular applications. But stuff happens. Malware and vulnerable software are facts. We should complain and we should try to eliminate both. But the buck (pound, euro) stops at the user interface. That's where we're not putting enough resources, IMO.