95 Of Every 100 Windows PCs Miss Security Updates

Posted by timothy on Thu Jan 10, 2008 06:26 PM
from the vested-interests-rational-fears dept.
An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here."
  • Hang on- (Score:5, Funny)

    by Naughty Bob (1004174) on Thursday January 10 2008, @06:29PM (#21992540)
    Well shit! This would explain all that stuff about Windows and viruses I keep hearing about....
  • by Anonymous Coward on Thursday January 10 2008, @06:31PM (#21992572)
    So the point isn't about Windows... the point is about users.
    • by Architect_sasyr (938685) on Thursday January 10 2008, @06:50PM (#21992828)
      I don't know why this was modded flamebait, maybe because the AC says "Lunix". The point *is* about Lusers, that is the WHOLE point. I for one know that the only reason my Mac users update their software is so that they can have the latest and greatest, the Linux guys in the office don't update their software. This is actually good because I rely on exploits to gain remote control over some of those machines which are *technically* out of my jurisdiction. The windows users all update their software regularly. Why? Because I built a WSUS server and FORCE them to via group policy. Fully 85% of them hadn't done a single update till I forced this out (note: only recently stepped into this role, so not my fault!). I know most of them don't do it at home.

      Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.
      • Re: (Score:2, Insightful)

        Agreed it's a PEBKAC; pretty much the only predictable thing when designing software is the likelihood of humans, with all their crazy ways, using it. That's why this story is really about how effectively software producers anticipate, discourage, and otherwise strive to design out situations like the one described. MS may be evil, but it's not the point here for sure. The point is that they don't take a cogent, cohesive view of the whole social engineering side of their business.
      • Re: (Score:3, Interesting)

        ...the Linux guys in the office don't update their software.


        Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.

          • Re: (Score:3, Interesting)

            The Uptodate program in Fedora runs automatically in X, and prompts for the root password. Sudo, although a good program, wouldn't help here. (Having the program suid to root would work, of course, now that I think of it.)
      • by VGPowerlord (621254) on Thursday January 10 2008, @07:14PM (#21993122) Homepage
        Mac users don't get annoyed by the bouncing icon?
        Ubuntu users don't get annoyed by the yellow box that pops up about system updates?

        You'd think that update systems that get on people's nerves would actually make them update...
      • Re: (Score:3, Interesting)

        This isn't just about OS upgrades, though. The huge difference between updating a Windows box and (for example) a Debian box is that you update *everything* when you update. On top of that you can (as with Windows) just go for security updates, use a local mirror (I assume Windows does this), and automate updates. Of course that's a home environment; for corporate environments it is even easier, as your local mirror and update system (WSUS equivalent) is also handily your software repository and RIS serv
      • We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.

        It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.
      • Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...

        There's nothing magical about WSUS.

        I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leav
        • Most worms/viruses in the wild are based on reverse-engineered security updates, so keeping your computer up to date is a Good Idea. I have no idea how well anti-virus scanners work, but since XP came out I have relied exclusively on security updates, a hardware firewall, avoiding IE and suspicious software without any problems. OTOH the contents of my computer are expendable, so I'd rather wipe everything and reinstall than spend a large portion of my computing resources on real-time anti-virus software. H
        • Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching.

          My PC runs Win2k, my wife has an XP laptop. I've updated both to the last full service packs, but not any of the incremental patches. I hide or delete IE and Outlook, have a router and software firewalls. In 6 years no virus or exploits. And yes, I would know -- in previous discussions people smugly say my PCs mus

    • Agreed, users SHOULD update their software regularly. However, one thing is having the will to update software, and a very different thing is having software with the need to update every 4 weeks!

      Some versions of PHP, OpenSSL and Apache are buggy. Granted. However, not all users have a webserver on their machines. The problem is when the software they're running (i.e. Windows) is so crappy and awfully designed that its security has more holes than swiss cheese.
    • The nice thing about debian based distributions is that there's a system that automatically patches nearly all installed applications rather than just the OS itself.
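    The two Debian points made in this thread (a local mirror plus a daily cron job that forces updates, and a package manager that patches every installed application rather than only the OS) boil down to a security-only unattended upgrade. The script below is an added example, not code from the thread or from the Debian project: it parses the "Inst" lines that apt-get -s upgrade prints, keeps only packages whose pending version comes from a -security suite, and builds the apt-get command a cron wrapper would run. The sample apt output is constructed by hand, and the line shape Inst pkg [old] (new Origin:release/suite [arch]) is an assumption about apt's simulation format.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread or from Debian.
# Filter "apt-get -s upgrade" simulation output down to packages whose
# pending version is published from a *-security suite, so a cron job can
# apply security fixes only. Assumed line shape (apt-get --simulate):
#   Inst <pkg> [<old-version>] (<new-version> <Origin>:<release>/<suite> [<arch>])
# The sample below is constructed by hand so the script runs offline.

SAMPLE_APT_OUTPUT='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.1n-0+deb11u3] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst openssh-server [1:8.4p1-5] (1:8.4p1-5+deb11u2 Debian-Security:11/stable-security [amd64])
Inst vim [2:8.2.2434-3] (2:8.2.2434-3+deb11u1 Debian:11.7/stable [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf openssh-server (1:8.4p1-5+deb11u2 Debian-Security:11/stable-security [amd64])'

# security_packages APT_OUTPUT
# Prints one package name per line for every "Inst" line whose origin field
# names a -security suite (Debian-Security:11/stable-security,
# Ubuntu:22.04/jammy-security). "Conf" lines are skipped so nothing is
# counted twice; the origin field is located by shape rather than position
# because the [old-version] field is absent for packages that are new.
security_packages() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^[^ ]+:[^ ]+\/[^ ]*-security$/) { print $2; break }
        }'
}

# count_security_updates APT_OUTPUT
# Number of pending security upgrades; handy as a monitoring check.
count_security_updates() {
    security_packages "$1" | wc -l | tr -d ' '
}

# security_upgrade_command APT_OUTPUT
# The apt-get invocation that upgrades only those packages, or nothing when
# no security-origin upgrade is pending.
security_upgrade_command() {
    _pkgs=$(security_packages "$1" | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$_pkgs" ]; then
        printf 'apt-get install -y --only-upgrade %s\n' "$_pkgs"
    fi
}

# Cron wrapper this is meant for (assumption: installed as
# /etc/cron.daily/security-upgrade and run as root):
#   apt-get update -qq
#   cmd=$(security_upgrade_command "$(apt-get -s upgrade)")
#   [ -n "$cmd" ] && $cmd

# Stand-alone demo against the constructed sample.
security_upgrade_command "$SAMPLE_APT_OUTPUT"
```

    Pinning the filter to the origin suite rather than to package names is what keeps this honest: a package that appears in both stable and stable-security is only picked up when the version apt actually intends to install comes from the security suite, and a misconfigured sources.list with no security mirror silently yields an empty list, which is a useful thing to alert on.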
  • I'm not shocked (Score:3, Insightful)

    by Nero Nimbus (1104415) on Thursday January 10 2008, @06:35PM (#21992616)
    This isn't really surprising, given that most people treat computers like just another appliance. Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
    • Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
      ...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.
    • I personally get annoyed by the intrusive software that interrupts my work (or play) with something I'm not particularly interested in: software updates. Do it silently and let me get back to Desktop Tower Defense!
    • by Freaky Spook (811861) on Thursday January 10 2008, @06:49PM (#21992816)

      When I look at people's computers these days they have heaps of different software popping up asking for updates; it's got to a point where people ignore it, because it's much too common.

      The thing that annoys me most about update alerts is they never give you a reason why the software should be updated. It would be nice if they would give you a link or a summary of simple reasons why you need to actually update their free crapware.

      Java and adobe products are probably the worst with this.
      • Maybe Microsoft needs to supply an API for a single update manager.

        Either that, or get a proper package management system.

      • See, I generally trust the updates, because I figure that if Adobe didn't screw me over the first time, they're not going to screw me over this time.

        So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.

        The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the
  • Is that... (Score:3, Insightful)

    by 15Bit (940730) on Thursday January 10 2008, @06:40PM (#21992684)
    ...just the legit licensed ones they're talking about or *all* Windows PCs?
    • Re:Is that... (Score:5, Insightful)

      by Qzukk (229616) on Thursday January 10 2008, @06:44PM (#21992746) Journal
      Nah, it's the ones where people did the smart thing: they set up automatic updates, they set up a non-privileged user that they use every day... then they never logged back in as Administrator to click "ok" on the service pack 2 license.
      • I haven't actually tried this, but doesn't the Windows Update Service just throw the notice at whichever user is logged in, since it already runs as a privileged user?

        This also doesn't apply to businesses that use a WSUS (http://technet.microsoft.com/en-us/wsus/default.aspx) setup (http://en.wikipedia.org/wiki/Windows_Server_Update_Services).
        Those popups actually run as SYSTEM (which is why you can't get hyperlinks in them, incidentally), so you can still apply updates through them. Means that the updating tool needs to be careful, of course.

        ash
  • Over All... (Score:3, Interesting)

    by jellomizer (103300) * on Thursday January 10 2008, @06:46PM (#21992762)
    I am not too surprised. I would think this is constant: 95 out of 100 Linux boxes are missing security updates, 95 out of 100 Macs are missing security updates.
        • As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall

          Or my server could be an updated firewall.

          At the very least, you want to keep sshd up-to-date.

          Most updates seem to slow things down these days.

          Plenty of updates speed things up. See Ruby.

          I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server

          Wow, your distro must suck.

  • Sales FUD (Score:5, Informative)

    by MeanMF (631837) on Thursday January 10 2008, @06:50PM (#21992832) Homepage
    They're looking at EVERY piece of software installed on the computer, not the OS itself. They're doing this along with a very generous definition of "security update" to come up with hugely inflated numbers so they can better scare the clueless into buying their services.
    • Except this software is free for non-commercial users.
    • I think EVERY is an understatement. The stats come out to over 81 applications on AVERAGE per computer. Huh? Even counting the Acrobat reader, which always screams for an update and says it may not be able to open a file just before it does so, I can't imagine what that covers.

      Also have to agree with comment below...The security conscious/paranoid are not going to install a 3rd party app that reports their vulnerabilities back to said 3rd party!
  • duhhhh.... (Score:4, Insightful)

    by debatem1 (1087307) on Thursday January 10 2008, @06:56PM (#21992912)
    Anybody who is remotely worried about security is probably not going to download a tool that reports your security status to another organization.
  • by Joe The Dragon (967727) on Thursday January 10 2008, @07:47PM (#21993460)
    Run Microsoft Update, not Windows Update, on Windows systems to get all of the Windows base OS + other APIs and runtimes + Office updates.
  • by smist08 (1059006) on Thursday January 10 2008, @07:54PM (#21993538)
    Many people have a bad impression of updates. They know for sure that updates slow down the computer and they know for sure that updates have previously broken things. So you have a choice: 1. Install something that will degrade your computer (possibly making parts of it unusable) or 2. Don't install it and just hope that you don't open a bad email or something; after all, practically speaking, viruses and trojans are quite rare.
  • by DrData99 (916924) on Thursday January 10 2008, @07:58PM (#21993572)
    With all the pre-installed trials and other crapware that comes with home computers it is likely that many of these unpatched applications are ones that are not really at risk since they are never used. I see this even at work, where we run regular vulnerability scans. You tell a user that they need to update and get told that they haven't used said product in .
  • Appget [app-get.com]. It is what I use when I need to update a pc someone has brought me in for repair. It will show the occasional false positive, for example, saying version 1.5 is newer than beta 2, but otherwise a quick and handy way to update a pc. One of the best things about it is you can make it better by submitting download links to software that isn't in the database. The more folks that use it the better it gets. And the developers are really nice about emailing replies and fixing bugs when you submit them. So if you need a free tool to quickly find out version numbers and update a pc's software, here you go.
  • by WoodstockJeff (568111) on Thursday January 10 2008, @08:36PM (#21993920) Homepage

    ... Windows Update tells me that the only update I need is "Windows Genuine Advantage", which I don't want, anyway. No other updates needed, since Microsoft told me that WGA wasn't necessary to get security updates... just "new features".

    Yeah, right....

  • We in dual-boot land call them "driver downgrades".

    Just look at the "fixes" in MS Office 2003 in the last SP.

    Those removed the ability to open older spreadsheet formats we still have data stored in, so we had to roll them back.

    And most of the fixes were already done when we switched to the more secure Firefox as our default browser and got rid of all Outlook instances.
  • by Joe The Dragon (967727) on Thursday January 10 2008, @09:07PM (#21994144)
    MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system, or even let it be set up to auto-run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000, and you need to run that to get the optional updates.
    • Ripping off Sudo was a good start, but they really need to learn some lessons from Linux package managers.

      OS X has the same problem, by the way. Linux distros are really the only place you see a system-wide package manager.
  • by Anonymous Coward
    This isn't entirely the fault of users. One of my major complaints about windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of windows updates.
    • Updates that don't require a reboot don't force you to reboot... I agree too many of 'em do, but it's been a heck of a long time since I had to reboot because of Windows Update...

      And personally, what I always do, is update, then just say "reboot later"

      You get a popup every 4 hours (I wish it could be pushed to more than that, but bleh), and then just turn my computer off at night.

      Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown". I don't
  • The report from Secunia is based on their users' PCs and thus is not statistically valid (has there ever been a statistically valid survey reported on Slashdot?). In addition, they have a vested interest in reporting a high number in order to promote their non-free version.
  • Pirates? (Score:2, Interesting)

    I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?
    • Hmmm... Better option to drive it home to the public without causing MASSIVE damages....

      Take all the pictures and email on the hard drive and make it publicly accessible. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive. Hell... put those C&C servers to good use if need be and proxy the connections so that it can even be a non-standard port for those ISPs that block po
      • Take all the pictures and email on the hard drive and make it publicly accessible. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive.

        This could actually be more damaging than just deleting the files. Embarrassing would be just one result of exposing all this info. But you can probably get a lot of info from personal pictures to steal an identity or stalk/harass/hurt somebody.
    • Re: (Score:3, Interesting)

      I really think this is one case where user education should be considered more important.

      There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, a
    • Obviously 95% of people aren't doing this, so what do we change to fix that?

      Here's what I'd do:

      1. Remove the user from the equation (fully automate everything)
      2. Not care what happens to anyone who disables #1
    • run the update software/visit the manufacturer's web site for every piece of software that you own?

      It's not so bad when they update themselves (Adobe, Java, Apple, etc).

      But yes, having to visit the manufacturer's website is bad. That's why we have this concept of a "package manager" on Linux, and why we're still so confused that people think it's more complex to install and manage software on Linux than on other systems.

      Actually, I lied, there are currently two package managers I have to keep track of: D