95 Of Every 100 Windows PCs Miss Security Updates
An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here."
Over All... (Score:3, Interesting)
Re:Sounds like Lunix, OSX (Score:5, Interesting)
Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.
Re:Sounds like Lunix, OSX (Score:3, Interesting)
Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.
Re:Sounds like Lunix, OSX (Score:3, Interesting)
Re:Re-think (Score:3, Interesting)
There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, and less understood. There will be a bigger gap between the frequency required for driving under "normal" conditions and "severe".
There are similar conditions with software updates. Sometimes patches should be applied immediately, sometimes they can be put off longer. One thing is for sure, they will always be necessary, at least in the foreseeable future. In both cases, higher frequency is always better. Wouldn't an optimal solution be that both processes are as cheap, fast, and painless as possible, enabling them to be done very frequently? Imagine if an oil change was as painless as getting your car washed at the gas station is, or just an extra button to press at the pump. Now, given price of oil, that might not be feasible in the absence of some kind of cheap oil recondition/reuse process. Still, it's a better solution than merely lengthening the frequency.
I'd say your "Smaller updates", and "Less user intervention" should be among the highest priorities, along with anything else that can make patching both as trivial and frequent as possible. Not only that, but if user intervention is required at all, the importance of the patches needs to be made clear. Patches fixing remotely exploitable bugs should be made VERY clear, in bright red colors or something, not mixed in casually with other patches like it's no big deal. Part of the problem now is that most users don't know WTF the severity of "Windows Updates" or "Software Updates" is. Neither of those sound very important, do they? Maybe somewhere in the details of WU patch installation, the word "security" or "critical" is mentioned (can't remember, staying on the safe side), and Apple's Software Updates sometimes lists "Security Update" items. Those are not enough to convey the importance of applying patches as promptly as possible.
Comment removed (Score:3, Interesting)
Re:Sounds like Lunix, OSX (Score:3, Interesting)
On a home Windows box you may have to configure 5-8 different update systems (sometimes different, or at least separate systems for different packages from the same vendor) *and* make sure they are doing what they are supposed to do, not to mention that some software doesn't even have an automated update facility and needs manual upgrading. In a corporate setting you should be able to apply most updates in an automatic way (although some probably won't be easily automated), and WUS takes some of the strain for the OS, other Microsoft software, drivers, etc.
Strangely even my ISP offers a Debian mirror these days so downloads are blindingly fast (I actually manage to reach the DSL download 'speeds' I am paying for).
You are happier with WSUS than I was (Score:4, Interesting)
It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.
A free system level common update system is needed (Score:3, Interesting)
MS is partly at fault for this (Score:2, Interesting)
PEBKAC is you (Score:3, Interesting)
There's nothing magical about WSUS.
I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leave -- thus allowing you to upgrade the kernel.
So you're right, it has nothing to do with what OSes are being run. But you're wrong to blame the users here -- many of them (rightly) feel that this should not be their job. I get to admin my own machines where I work, so keeping them up-to-date is my job -- and also my responsibility; there's no IT department to blame if something goes wrong. But in an organization which does have an IT department, even if it's a one-man IT department, keeping the system up to date should be IT's job.
Re:People ignore software update alerts (Score:3, Interesting)
So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.
The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the day. If I really wanted to, I could script that -- have everything handled by a cron job.
On Windows or OS X, there's probably at least five or ten things which try to auto-update (or at least ask permission), and another five or ten things which don't even try, but which it's generally a good idea to keep up to date. So I still make a habit of checking Windows Update, but there's also a dozen things I don't bother to check (partly because some won't even work; my video drivers are not likely to get any more updates, ever), and there's a dozen things that pop up and cheerfully inform me that I have a few hundred megs worth of, say, Java updates to download.
So yes, Windows needs a proper package manager. A package manager is more than updates, but it would be nice to have just one place to check for updates, or just one thing that nags me to update, and then not have to deal with it for the rest of the day.
Fortunately, with HD-DVD work on hold, I get to run Linux at work.
Pirates? (Score:2, Interesting)