Security Windows IT

95 Of Every 100 Windows PCs Miss Security Updates

An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner, the Secunia PSI. The complete data run-down is available here."
This discussion has been archived. No new comments can be posted.

  • Over All... (Score:3, Interesting)

    by jellomizer ( 103300 ) * on Thursday January 10, 2008 @07:46PM (#21992762)
    I am not too surprised. I would think this is constant: 95 out of 100 Linux boxes are missing security updates, 95 out of 100 Macs are missing security updates.
  • by Architect_sasyr ( 938685 ) on Thursday January 10, 2008 @07:50PM (#21992828)
    I don't know why this was modded flamebait, maybe because the AC says "Lunix". The point *is* about Lusers, that is the WHOLE point. I for one know that the only reason my Mac users update their software is so that they can have the latest and greatest, the Linux guys in the office don't update their software. This is actually good because I rely on exploits to gain remote control over some of those machines which are *technically* out of my jurisdiction. The Windows users all update their software regularly. Why? Because I built a WSUS server and FORCE them to via group policy. Fully 85% of them hadn't done a single update till I forced this out (note: only recently stepped into this role, so not my fault!). I know most of them don't do it at home.

    Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.
  • by techno-vampire ( 666512 ) on Thursday January 10, 2008 @08:05PM (#21993012) Homepage
    ...the Linux guys in the office don't update their software.


    Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.

  • by techno-vampire ( 666512 ) on Thursday January 10, 2008 @09:00PM (#21993598) Homepage
    The Uptodate program in Fedora runs automatically in X, and prompts for the root password. Sudo, although a good program, wouldn't help here. (Having the program suid to root would work, of course, now that I think of it.)
  • Re:Re-think (Score:3, Interesting)

    by ToasterMonkey ( 467067 ) on Thursday January 10, 2008 @09:07PM (#21993680) Homepage
    I really think this is one case where user education should be considered more important.

    There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, and less understood. There will be a bigger gap between the frequency required for driving under "normal" conditions and "severe".

    There are similar conditions with software updates. Sometimes patches should be applied immediately, sometimes they can be put off longer. One thing is for sure, they will always be necessary, at least in the foreseeable future. In both cases, higher frequency is always better. Wouldn't an optimal solution be that both processes are as cheap, fast, and painless as possible, enabling them to be done very frequently? Imagine if an oil change was as painless as getting your car washed at the gas station is, or just an extra button to press at the pump. Now, given the price of oil, that might not be feasible in the absence of some kind of cheap oil recondition/reuse process. Still, it's a better solution than merely lengthening the frequency.

    I'd say your "Smaller updates", and "Less user intervention" should be among the highest priorities, along with anything else that can make patching both as trivial and frequent as possible. Not only that, but if user intervention is required at all, the importance of the patches needs to be made clear. Patches fixing remotely exploitable bugs should be made VERY clear, in bright red colors or something, not mixed in casually with other patches like it's no big deal. Part of the problem now is that most users don't know WTF the severity of "Windows Updates" or "Software Updates" is. Neither of those sound very important, do they? Maybe somewhere in the details of WU patch installation, the word "security" or "critical" is mentioned (can't remember, staying on the safe side), and Apple's Software Updates sometimes lists "Security Update" items. Those are not enough to convey the importance of applying patches as promptly as possible.
  • by Ajehals ( 947354 ) on Thursday January 10, 2008 @09:45PM (#21993996) Journal
    This isn't just about the OS upgrades though, the huge difference between updating a Windows box and (for example) a Debian box is that you update *everything* when you update. On top of that you can (as with Windows) just go for security updates, use a local mirror (I assume Windows does this) and automate updates. Of course that's a home environment, for corporate environments it is even easier as your local mirror and update system (WSUS equivalent) is also handily your software repository and RIS service.

    On a home Windows box you may have to configure 5-8 different update systems (sometimes different, or at least separate systems for different packages from the same vendor) *and* make sure they are doing what they are supposed to do, not to mention that some software doesn't even have an automated update facility and needs manual upgrading. In a corporate setting you should be able to apply most updates in an automatic way (although some probably won't be easily automated), and WUS takes some of the strain for the OS, other Microsoft Software and Drivers, etc.

    Strangely even my ISP offers a Debian mirror these days so downloads are blindingly fast (I actually manage to reach the DSL download 'speeds' I am paying for).
  • by JimmytheGeek ( 180805 ) <jamesaffeld@ya h o o .com> on Thursday January 10, 2008 @09:53PM (#21994050) Journal
    We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.

    It will take MS another 10 years before its products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.
  • by Joe The Dragon ( 967727 ) on Thursday January 10, 2008 @10:07PM (#21994144)
    MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at least get rid of having to deal with games and other apps having their own built-in updaters and needing admin just to run them, as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be set up to auto run in the background at system level. Also MS needs to let you get all of the updates from Windows Update using auto update. Runas does not work for Windows Update in Windows XP and 2000 and you need to run that to get the Optional updates.
  • by Anonymous Coward on Thursday January 10, 2008 @10:55PM (#21994530)
    This isn't entirely the fault of users. One of my major complaints about Windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If Windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of Windows updates.
  • PEBKAC is you (Score:3, Interesting)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday January 10, 2008 @11:07PM (#21994638) Journal
    Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...

    There's nothing magical about WSUS.

    I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leave -- thus allowing you to upgrade the kernel.

    So you're right, it has nothing to do with what OSes are being run. But you're wrong to blame the users here -- many of them (rightly) feel that this should not be their job. I get to admin my own machines where I work, so keeping them up-to-date is my job -- and also my responsibility; there's no IT department to blame if something goes wrong. But in an organization which does have an IT department, even if it's a one-man IT department, keeping the system up to date should be IT's job.
  • by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Thursday January 10, 2008 @11:13PM (#21994672) Journal
    See, I generally trust the updates, because I figure that if Adobe didn't screw me over the first time, they're not going to screw me over this time.

    So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.

    The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the day. If I really wanted to, I could script that -- have everything handled by a cron job.

    On Windows or OS X, there's probably at least five or ten things which try to auto-update (or at least ask permission), and another five or ten things which don't even try, but which it's generally a good idea to keep up to date. So I still make a habit of checking Windows Update, but there's also a dozen things I don't bother to check (partly because some won't even work; my video drivers are not likely to get any more updates, ever), and there's a dozen things that pop up and cheerfully inform me that I have a few hundred megs worth of, say, Java updates to download.

    So yes, Windows needs a proper package manager. A package manager is more than updates, but it would be nice to have just one place to check for updates, or just one thing that nags me to update, and then not have to deal with it for the rest of the day.

    Fortunately, with HD-DVD work on hold, I get to run Linux at work.
  • Pirates? (Score:2, Interesting)

    by __aaqvdr516 ( 975138 ) on Friday January 11, 2008 @12:53AM (#21995374)
    I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?
