Typical Windows User Patches Every 5 Days
CWmike writes "The typical home user running Windows faces the 'unreasonable' task of patching software an average of every five days, security research company Secunia said on Thursday. 'It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching,' said Thomas Kristensen, the company's CSO. The result: Few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack. Secunia says that of the users who ran the company's Personal Software Inspector in the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. ... Secunia has published a white paper (PDF) that details its findings."
why is it so unreasonable? (Score:5, Insightful)
patching for Windows is largely automated...
Heck, my Linux has patches every day and I kinda see that as a good thing.
Ignorant Haters (Score:2, Insightful)
But if they just buy our software (Score:5, Insightful)
We can manage all those patches for them!
Seriously, that is what this looks like to me. It is a load of bullshit overall. Reason being that few things actually need patches for security reasons. The OS, virus scanner, browser, browser plugins and so on sure. However a videogame? No probably not. Well guess what? Turns out most of the stuff that needs patching, patches itself. Windows downloads patches and applies them in the middle of the night. Firefox grabs new versions when you surf, and installs next time it starts up. Virus scanners update silently in the background all the time.
If people actually had to spend time managing patches on all their apps, sure it might be a problem. However for the most part that isn't the case. In the default config most important apps update themselves.
So... (Score:5, Insightful)
Couldn't be more correct! (Score:4, Insightful)
Last year I bought for my mother a new computer, she is quite computer literate but I was shocked to find 3 months after purchasing that she has gotten into the habit of turning it on once a week just to give it an hour to "update itself". That was to allow her to spend 30mins every other week doing her online stuff.
I literally couldn't or didn't believe it, but then I actually was there one day and watched as all the mostly default installed apps went through their motions of requesting updates. It literally took about half an hour before the computer was usable without something prompting "Do you want to install this update..."!
In the end I removed some of the crap like Java and the HP printer updater, and told her to turn it on only every other week for the updates!
Definitely there is some need to consolidate updates into one program.
Re:Seems to be automatic (Score:5, Insightful)
The real problem in Windows is that all of these software packages have their own independent (and potentially broken) update mechanisms. One thing that modern Linux distros get right is centralized software updates. My Ubuntu laptop has a dialog box waiting for me most mornings that details any software updates it would like to install, and whether or not they are security related. I could tell it to do it all automatically but I like reviewing the changes before I install them.
The problem is... (Score:2, Insightful)
The problem, in my opinion, is the fact that patches, particularly Windows Updates, have a track record of breaking things. This leads to a conundrum...automatically update and risk mysterious breakage, or manually update and risk falling behind and being insecure. If you want to make patching less onerous, the first step is to make it as reliable as possible, and then a larger percentage of users will trust automatic updates.
Re:Get a Mac! (Score:2, Insightful)
so what? (Score:2, Insightful)
not a 7-day span goes by without ubuntu patches it seems.
it would be better if everything would be more like apple? just ignore problems for months at a time then release large patch sets?
what the world needs now is another "security expert" interpreting useless data.
Re:why is it so unreasonable? (Score:3, Insightful)
By and large, patches are a good thing, unless and until they prevent you from getting work done on the machine. Then they become a pain.
I was constantly frustrated and annoyed by the simple fact that Windows lacks a centralized update system that is open for everyone to use. It's got automated updating, sure, but it's a series of individual solutions per vendor and everyone solves the problem in different ways. And either there's an always-running app in the background (of which I had 15-20 at any given time, which gobbles up memory and occasionally CPU), or the software checks for updates when I start it up (the very least convenient time I want to update a bit of software is WHEN I'M STARTING IT - I opened Acroreader because I wanted to read a file, and now is not a good time to ask me if I want to wait ten minutes while my hard drive whirs getting the new shiny version installed. PS: As soon as I'm done reading the document, I'm going to shut down Acroread and not think about the update any more until you ask me at the least convenient time again, and I'll ignore it. Again).
Then, of course, there's Patch Tuesday. You never quite know what fresh hell awaits on Patch Tuesday, but it almost always includes a reboot.
Re:The problem is... (Score:2, Insightful)
Reboot Patches (Score:3, Insightful)
I don't really mind patches. They are usually quiet and seamless, working in the background and not interfering with my work.
The real killers are the updates that require a reboot, and these seem to be on the rise of late. Even worse, these are typically for software that I do not use (IE, Windows Media Player, etc.), but I am required to interrupt my work to reboot my machine so that I can be "secure".
Re:Couldn't be more correct! (Score:1, Insightful)
Yeah, getting Broadband purely in order to update her apps properly. That sure sounds reasonable...
Re:So... (Score:5, Insightful)
This is an excellent answer to the typical 'why can't I just double-click on an .exe file?!' whine about Linux software installation, BTW.
Yes. OS X and Windows desktop market share illustrate why binary installers that work across years of operating system releases are dumb.
Until the Linux community can get together and hash the installer problem out, you're not only locking out larger developers, but smaller ones as well. Pretending that this isn't a problem is not a solution.
Re:sucks to be support (Score:3, Insightful)
Re:Seems about right (Score:3, Insightful)
Re:why is it so unreasonable? (Score:5, Insightful)
The real issue is that Windows doesn't have a centralized update mechanism. Quite frankly the ISVs resisted the idea as they didn't want to have anything seem like Microsoft controlled it. More and more I am leaning towards the belief that Microsoft needs to build a centralized update service and allow ISVs to opt in to it. After they realize they can post their updates without being metered or anything by Microsoft they will find that they don't have to build custom updaters, write services to do it so that they don't have UAC prompts for patches, etc.
Computers exist to serve people! Not the reverse. (Score:5, Insightful)
Windows can patch itself to hell. Firefox and Adobe too, for all I care -
AS LONG AS THEY DON'T INTERRUPT, STEAL MY FOCUS, PUT UP CRAP ERROR MESSAGES OR REBOOT WITHOUT ASKING!
There's a portable at home I open only on weekends. Want to guess what happens for the first 30 minutes after I turn it on? Yup. An unusable computer that's *updating* itself. Java. Adobe. Firefox. Firefox *add-ins*, Windows, and possibly, the current timeline in which I exist.
Needless to say, ALL of these want me to agree/disagree, actually *view* their updates, click a modal dialog, or reboot - repeatedly. I really don't care if updates have to happen, BUT KEEP THEM OUT OF MY FACE.
And don't slow the computer to a crawl. If the update takes all day, do I care? Not if it doesn't interfere with me.
Computers exist to serve ME. Make the computer wait, NOT ME!
Re:why is it so unreasonable? (Score:3, Insightful)
In my experience the issue isn't with the Windows OS, but all of the applications. On my boxes I have Java wanting an update and Adobe products wanting updates. Firefox seems to want an update pretty frequently. The anti-virus starts to cry if it hasn't been updated lately. I think the point the report is making is that just about every application these days has its own update frequency. You can't manage non-Microsoft patches with WSUS. Even a product like SMS (or whatever they are calling it these days) requires someone to stay on top of all the recent releases, and create packages to push out to the workstations. The last time I tried to update Adobe Shockwave (and Flash) because of an update, the .msi installer version that Adobe puts out wasn't even up to date and didn't address the security issue. Adobe makes you jump through hoops to even get the .msi installer files in the first place.
Re:sucks to be support (Score:3, Insightful)
Usually when I shut down, I'm taking my laptop somewhere else and often running late.
........why wouldn't you just put it to sleep or hibernate it? I only ever do a shut down / reboot on my Windows 7 systems when it's absolutely necessary, which is maybe once a month.
Re:sucks to be support (Score:2, Insightful)
Like I always say, Windows is cheap if your time is worth nothing.
Re:why is it so unreasonable? (Score:4, Insightful)
patching for Windows is largely automated...
When I first installed XP, I set it to "automatic update" and the next day I couldn't get on the internet. Microsoft had replaced my perfectly good network driver with one that didn't work at all. So much for automation; from then on I had it download automatically but installed myself.
And as a Linux user, you're fortunate (OK, smart) to not have to reboot the damned computer five times for every update. You only have to reboot when the kernel gets patched, so patches don't get in your way very often.
Re:Seems to be automatic (Score:4, Insightful)
Developer PROTIP: Unless you've fixed a huge, critical issue, just silently update your program the next time it's shut down. Don't notify me about regular updates, and don't make me manually check for them
Unless you're Microsoft... or Apple... If you're a major software vendor, don't even think about silently modifying your programs without letting the users know. Doing so would otherwise invoke the scorn and wrath of the /. community and other like-minded, control freak zealots who see conspiracies behind every action.
Re:So... (Score:2, Insightful)
It is not a problem. Provide source and do not worry about it, or deal with the costs of closed source software.
QQ (Score:5, Insightful)
I'm the guy in our household responsible for applying our patches, being an IT professional and all.
Since we have a "few" computers all around the house, it's pretty much every time I sit down to one I have to apply patches, and usually a reboot to boot. Sometimes, it's a rarely used computer that I grab (laptop) just to get a few quick things done, and it requires multiple iterations of patches and reboots. Sigh.
I'm the guy in our household responsible for applying our patches, being a part-time Web Developer and all.
Since we have a "few" computers all around the house, I just set Windows Update to download and notify me when updates are available. Providing me convenience and still retaining the ability to opt not to install a patch.
Since Win7 got installed on my desktop I rarely have to restart for 99.9% of all day to day tasks, but when something out of left field like patch time comes its increased speed to the login screen makes it seem much less of a chore having to wait 5 minutes while my PC is being updated.
And on my gf's laptop with Vista the reboots are slightly more often and take a little longer.
But then again I'm on the computer 12 hours out of the day, so 5-10 mins once a week for maintenance really seems to be a non issue.
Re:sucks to be support (Score:4, Insightful)
"Ideally, you should be able to tell the PC "download and install updates on shutdown" and when you shut it down, the computer downloads and installs the patches you select, then shuts down."
Start->Control Panel->Security Center->Automatic updates->Download updates for me, but let me choose when to install them.
Every time you're shutting down use start->turn off computer (it'll have a little security center icon if there's updates). It'll install the updates then shut down.
Windows XP Service Pack 3.
Re:Seems about right (Score:5, Insightful)
Re:Get a Mac! (Score:3, Insightful)
OSX requires you to put your admin password in. It's called security.
I know *why* it does that, thanks. My point was that it's not an unattended process. You can't set your machine to update overnight, because it needs your password before it'll install updates. You can't do it at the very end of the day, because it reboots, not "shutdown, and then finish on next start." So you'd have to wait around until it finishes, so you can properly shut down your system. That leaves the start of the day, or else you're interrupting your workflow. And the start of the day delays you getting down to work.
As for "needing to update webkit," just to really get in at the fanbois, MS got in major shit for entangling IE so deep into Windows, why not Apple? If Safari is that entangled, they should have faced the same action as MS. If it's a browser update, I shouldn't have to do shit. If it's an OS update, it's disingenuous to mask it as a browser update, since it allows Apple to skew figures if they so choose.
Re:Difference in update methods not number of upda (Score:3, Insightful)
If Linux ever gets a strong software presence, it will have the same issues.
In Big-O notation, repositories scale linearly with the number of developers making demands of it. Double the number of developers and you've doubled the workload for the maintainers of the repository. The Linux ecosystem needs to double about 15 times (pulled that out of my ass, 32768x) to be comparable in scale with the Windows ecosystem.
Are the Linux repositories prepared for The Year of the Linux Desktop? I suggest that no, no they are not prepared at all. They won't know what hit them.
Re:sucks to be support (Score:4, Insightful)
Sorry, that's bollocks. You have one "reference" from 2003 that refers to minimum RAM required for XP as 250Mb and one that's just some guy posting a Hijackthis log and saying svchost is "making his PC run slow".
I've got a Win 7 x64 Desktop and a Win 7 x86 Laptop; the laptop hibernates at least twice daily and I never have any problems with it waking at all, nor with file system corruption, the desktop currently has 12 days of uptime (new hardware install a couple of weeks ago, it usually runs for a month or two between critical updates) and my svchost currently stands at 350Mb across 11 processes, most of which is the Desktop Window Manager.
Some shitty hardware (a lot of 3G cards for some reason) won't work after hibernating, but I've had that happen under both Windows & Linux. Oh, and Fedora refused to reconnect any of my mounted network shares after hibernating, so I guess Linux has its problems too.
Re:Seems about right (Score:5, Insightful)
Patches breaking things is a big deal. Nothing will convince users to never allow updates faster than having one break their system when they desperately need it to be working.
A close second is having MS sneak in user hostile changes under the guise of a critical security update. That makes it impossible to even convince users to "risk it" even for the really important updates.
Though even in the case of Debian, I'm a bit too paranoid to do updates by cron job, it's good enough that if I don't see any rending of garments on debian-security, I presume it's safe enough to try on one system. If nothing bad happens, the rest get updated right away.
Re:So... (Score:3, Insightful)
Verify that the OS we're running on is a supported one (RHEL or CentOS)
This is what I'm talking about. You're just fragmenting "Linux" into a few hundred operating systems.
Customer: Do you support Linux?
Dice: Yep!
Customer: Excellent! Where's the apt-get repository?
Dice: Oh, I mean we support RHEL and CentOS.
Customer: *dialtone*
Re:Seems about right (Score:2, Insightful)
Just think how often you would be updating Windows if MS released a new OS every 6 months.