95 Of Every 100 Windows PCs Miss Security Updates

An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner the Secunia's PSI. The complete data run-down is available here."

Hang on-

[Naughty Bob]

Well shit! this would explain all that stuff about windows and viruses I keep hearing about....

Sounds like like Lunix, OSX

[Anonymous Coward]

So the point isn't about Windows... the point is about users.

Re:Sounds like like Lunix, OSX

[Architect_sasyr]

I don't know why this was modded flamebait, maybe because the AC says "Lunix". The point *is* about Lusers, that is the WHOLE point. I for one know that the only reason my Mac users update their software is so that they can have the latest and greatest, the Linux guys in the office don't update their software. This is actually good because I rely on exploits to gain remote control over some of those machines which are *technically* out of my jurisdiction. The windows users all update their software regularly. Why? Because I built a WSUS server and FORCE them to via group policy. Fully 85% of them hadn't done a single update till I forced this out (note: only recently stepped into this role, so not my fault!). I know most of them don't do it at home.

Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.

Re:

[Naughty Bob]

Agreed it's a PEBKAC, pretty much the only predictable thing when designing software it the likelyhood of humans, with all their crazy ways, using it. That's why this story is really about how effectively software producers anticipate, discourage, and otherwise strive to design out situations like the one described. MS may be evil, but it's not the point here for sure. The point it that they don't take a cogent, cohesive view of the whole social engineering side of their business.

Re:

[techno-vampire]

...the Linux guys in the office don't update their software.

Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.

Re:

[techno-vampire]

The Uptodate program in Fedora runs automatically in X, and prompts for the root password. Sudo, although a good program, wouldn't help here. (Having the program suid to root would work, of course, now that I think of it.)

Re:

[swimin]

Please look up gtksudo.

Re:

[techno-vampire]

In Fedora, at least, Uptodate works as a daemon and notifies you when there are updates to download, rather like Windows with Automatic Update. how would gtksudo help?

Re:

[Anonymous Coward]

Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching. Would it matter in the slightest if everyone patched themselves anyway? Exploits in Windows are a dime a dozen, I just make sure to have a secure connection, avoid IE and block scripts by default, keep my AV and spyware removal tools varied and up to date and completely ignore Windows service patches.

Re:

[ichigo 2.0]

Most worms/viruses in the wild are based on reverse-engineered security updates, so keeping your computer up to date is a Good Idea. I have no idea how well anti-virus scanners work, but since XP came out I have relied exclusively on security updates, a hardware firewall, avoiding IE and suspicious software without any problems. OTOH the contents of my computer are expendable, so I'd rather wipe everything and reinstall than spend a large portion of my computing resources on real-time anti-virus software. H

Re:

[tsa]

My thoughts exactly. I hate virus scanners with a passion. They are responsible for so many lost hours they're really not worth the trouble. Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses. That's 40 weeks a year 20 minutes, makes about 13 hours lost time. I cost around 100 euros an hour, so that's 1300 euros down the drain. Nice work, Norton!

Re:

[tsa]

And drat, it's "its", not "it's" in '...check its viruses.' I never thought I'd make that mistake. AAaaarrg!

Re:

[MrAngryForNoReason]

Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses.

Wouldn't it make more sense to schedule a scan on Thursday afternoon at whatever time you finish work and set it to shutdown the machine on completion?

I have my anti virus program set to run at 5pm every day. If I am working later than 5pm then I either just cancel it safe in the knowledge that it will run the next day or let it run in the background, with a dual core processor I find the performance

Re:

[darthflo]

Whoa. You cost 100 an hour, (apparently) work in IT and still use Norton? Masochist.

Re:

[tsa]

No I work as a researcher at a University. Our IT staff punishes us with this stupid virus scanner. We can't do anything about the scedule either. Grrrr...

Re:

[Drooling Iguana]

You get 12 weeks vacation per year? Lucky bastard. I don't even get 12 days.

Re:

[tsa]

Now that you mention it, that seems indeed a bit much... O well, so it's even more money down the drain!

Re:

[1u3hr]

Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching.

My PC runs Win2k, my wife has an XP laptop. I've updated both to the last full service packs, but not any of the incremental patches. I hide or delete IE and Outlook, have a router and software firewalls. In 6 years no virus or exploits. And yes, I would know -- in previous discussions people smugly say my PCs mus

Re:

[T-Bone-T]

Funny, I use IE, Outlook, Vista, and try to keep the list of updates as close to 0 as possible and I haven't had a virus in over a year. That one virus I had over a year ago on XP had a strong possibility of being a false positive. My history before that is also basically the same.

Re:

[PastaLover]

Jup same here. I just keep it patched, have been running the same win xp install for 5 (almost 6) years now and not one spyware or virus infection. I don't use IE or outlook though, but still. I don't get the post a couple of levels up about using virus scanners. Virus scanners are for corporate stooges and regular joe's, the rest of us should be smart enough not to open those pesky virus mails, or install spyware laden software.

Re:Sounds like like Lunix, OSX

[VGPowerlord]

Mac users don't get annoyed by the bouncing icon?
Ubuntu users don't get annoyed by the yellow box that pops up about system updates?

You'd think that update systems that get on people nerves would actually make them update...

Re:

[Jugalator]

... and Windows users don't get annoyed by the reminder that pops up every now and then?

But I'm not sure if it's just about the OS bits. This article talks of third party apps. In Ubuntu, such apps are often covered (unlike in Windows) by the auto-updater too in case they came from the Ubuntu repositories, but not ALL of them, for example if they're not covered by the auto updater and one wouldn't care.

And in this survey, they're including Windows installs with even just ONE unpatched application. No wonder

Re:

[VGPowerlord]

As I recall, the Windows Update balloon goes away on its own if you ignore it.

Also, the grandparent was talking just about system updates that he forces down to users with WSUS.

Re:

[Ajehals]

This isn't just about the OS upgrades though, the huge difference between updating a windows box and (for example) a Debian box is that you update *everything* when you update. On top of that you can (as with windows, just go for security updates, use a local mirror (I assume windows does this) and automate updates.) Of course that's a home environment, for corporate environments it is even easier as your local mirror and update system (WSUS equivalent) is also handily your software repository and RIS serv

You are happier with WSUS than I was

[JimmytheGeek]

We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.

It will take MS another 10 years before it's products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.

Re:

[kellyb9]

It will take MS another 10 years before it's products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.

I doubt any companies products are "enterprise ready", Linux and Mac included.

Re:

[Drooling Iguana]

All they have to do is add an option to invert the polarity of the tetryon flow and reroute it through the main deflector dish. Then it'll be Enterprise ready.

PEBKAC is you

[SanityInAnarchy]

Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...

There's nothing magical about WSUS.

I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leav

Re:

[weicco]

I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update.

The difference here, if I understand this correctly, is that in Linux, you have to run through every computer and add cron job by hand. In Windows, when you join corporate domain this all is done automatically. So WSUS/group policy saves user's and admin's time.

Re:

[SanityInAnarchy]

The difference here, if I understand this correctly, is that in Linux, you have to run through every computer and add cron job by hand.

Except in Linux, just about any task you can do by hand, you can automate. There are many scripts for deploying configuration to a large number of Linux machines. (Directly -- the lingo is "push", not "pull".) Ruby On Rails seems to like Capistrano, though that's more designed around deploying a Rails app.

But hey, you already control the repository, why not roll your own i

Re:

[weicco]

But hey, you already control the repository, why not roll your own install disc?

That's a good point. I didn't consider that. If there's just a way (some tool or something) to monitor if patches are installed correctly then it should work nicely.

Again, I've never done this on Windows, so I don't really know how long it takes to join the corporate domain, on each computer.

Well, you log in to your computer with domain account and that's it :)

Re:

[SanityInAnarchy]

If there's just a way (some tool or something) to monitor if patches are installed correctly then it should work nicely.

Well, there are many tools that do various things... I'm honestly not sure about the best way to make sure each machine got its patches. I do know there are at least a couple of tools which are designed to mass-SSH the same command out to every machine, so you could always run a command on all running computers to ensure that they got the patch.

But I think what's more likely is that you

Re:

[Architect_sasyr]

You have to add each Windows computer to the domain initially though, it's not quite the same but still.

To cover a few of the other posts in response (in case anyone's going to read this) I work IT across 8 or so companies, and I'm the third or fourth to come in. The problem is that the other two "IT" guys are still here, one is an ex-programmer and the other is an ex-media-designer. Neither should ever have been a sysadmin, but due to office politics I have to deal with letting them run around doing thing

Re:

[SanityInAnarchy]

You're IT department consists of you and you're imaginary friend doesn't it.

Actually, just me, because, as I said, there is no IT department where I work. Everyone is responsible for their own machine. We can do this because there are five of us, and we're all developers.

Have you actually worked with real employees? My guess is no

Guess again.

and they probably would want to kick your ass if you did.

That depends on whether I get to set the policy.

Well-run corporations will make their IT department the f

May I partially disagree with you, sir?

[Spy der Mann]

Agreed, users SHOULD update their software regularly. However, one thing is having the will to update software, and a very different thing is having software with the need to update every 4 weeks!

Some versions of PHP, OpenSSL and Apache are buggy. Granted. However, not all users have a webserver on their machines. The problem is when the software they're running (i.e. Windows) is so crappy and awfully designed that its security has more holes than swiss cheese.

Re:

[WillAffleckUW]

Some of our dual-boot machines aren't used in the Windows configuration very often.

Why bother dual booting over to Windows just to download security patches when the last time someone ran Windows on that box was in 2006?

Re:

[WillAffleckUW]

It's our software - the insecurities they "fix" are for component software bundles that aren't used by our users. E.g. IE7, calendar software, things that literally are not run.

Besides, we already run them behind firewalls and port blockers. You can't even access most ports without a specific IP address we've unblocked. And even the ones that are non-specific are block ranges only viable for specific user accounts that aren't on those machines.

Re:

[ucblockhead]

The nice thing about debian based distributions is that there's a system that automatically patches nearly all installed applications rather than just the OS itself.

False dichotomy

[BeanThere]

It's about BOTH. Pretending it's only about one or the other is an attempt to purport that the quality of Windows does not even enter into the equation and thus that the quality of all OS's is effectively equivalent. This is obviously false, the crappy quality of Windows most DEFINITELY has a lot to do with it too (and this is why the parent was also rightfully modded flamebait).

I'm not shocked

[Nero Nimbus]

This isn't really surprising, given that most people treat computers like just another appliance. Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

Re:

[scum-e-bag]

Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.

Re:

[Traxxas]

Come on, I love waiting 3 weeks for a Firefox update.

Re:

[snl2587]

...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.

...only if you're using the default repositories and not the most current ones. One of the little things about Ubuntu is that only well-tested updates make it to final release, and this takes time. Should certain updates be pushed through almost instantly? Of course they should, and things like the recent Samba Server update (update to the update, really) are.

I know that for my Windows box I'm one of those 95%. I

Re:

[JacobO]

I personally get annoyed by the intrusive software that interrupts my work (or play) with something I'm not particularly interested in: software updates. Do it silently and let me get back to Desktop Tower Defense!

People ignore software update alerts

[Freaky Spook]

When I look at people's computers these days they have heaps of different software popping up asking for updates, its got to a point where people ignore it, because its much too common.

The thing that annoys me most about update alerts is they never give you a reason why the software should be updated. It would be nice if they would give you a link or a summary of simple reasons why you need to actually update their free crapware.

Java and adobe products are probably the worst with this.

Re:

[QuantumG]

Maybe Microsoft needs to supply an API for a single update manager.

Either that, or get a proper package management system.

Re:

[SanityInAnarchy]

See, I generally trust the updates, because I figure that if Adobe didn't screw me over the first time, they're not going to screw me over this time.

So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.

The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the

I like Steam, but...

[SanityInAnarchy]

First of all, Steam has no provision for third-party stuff, other than signing a deal with Valve. This makes it about as useless as Microsoft update, or Apple's Software Update.

But there are a number of things I can't do with Steam that I can do with real package managers:

• Dependencies. If this is done at all, it's entirely hidden from the user.
• Reverse dependencies. Uninstall an app, and all its dependencies (which aren't needed by other things) are uninstalled also.
• Hold an app to a version. With Steam,

Re:

[Monsuco]

actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

I wonder why all these companies, Adobe, Real, Sun, Apple, these companies want their products up to date, MS wants Windows to be secure and therefor would want all the software on it to be patched why not work out a deal where other software providers can update through MS update along with Office and Windows. I do think it might be against antitrust laws so they might be restricted in that way.

Re:

[Nero Nimbus]

You can't do something like that! It makes too much sense.

Re:

[Jugalator]

so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

It may be slightly easier in Ubuntu for various reasons, but I'd say it's still quite a challenge to keep 100% of all software used updated at all times for a novice user, even on Linux. The repository-based installs helps a lot, but not all of the software is installed that way, for example.

Is that...

[15Bit]

...just the legit licensed ones they're talking about or *all* Windows PC's?

Re:Is that...

[Qzukk]

Nah, it's the ones where people did the smart thing: they set up automatic updates, they set up a non-privileged user that they use every day... then they never logged back in as Administrator to click "ok" on the service pack 2 license.

Re:

[VGPowerlord]

I haven't actually tried this, but doesn't the Windows Update Service just throw the notice at whichever user is logged in, since it already runs as a privileged user?

This also doesn't apply to businesses that use a [url=http://technet.microsoft.com/en-us/wsus/default.aspx]WSUS[/url] [url=http://en.wikipedia.org/wiki/Windows_Server_Update_Services]setup[/url].

Re:

[ashridah]

Those popups actually run as SYSTEM, (which is why you can't get hyperlinks in them, incidentally) so you can still apply updates through them. Means that the updating tool needs to be careful, of course.

ash

Over All...

[jellomizer]

I am not to suprised I would think this is constant 95 out of 100 Linux boxes are missing security updates 95 out of 100 Macs are missing security updates.

Re:

[shadylookin]

I doubt that, quite a few linux boxes are used for servers which most people take special care to keep secure. It also may be a little bias, but I think most linux users are more likely to get updates since installing linux is a conscious choice and they probalby have a little more knowledge than the average Windows

Re:

[jammo]

If it ain't broke, don't fix it! As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall why ever update it until you want to actually update the stuff it is serving. Most updates seem to slow things down these days. I only need to run a server or 2 on a box, maybe KDE or whatever, if the desktop is going to behave and not force me to retreat back to command line as some mime type change I made fancied opening an html file in some crap like kwr

Re:

[JimCDiver]

Couple hundred sun boxes at work. We still have some running Solaris 5.5. We absolutely do NOT update unless it is required for a business reason... and then it has to all go though Change Management so guaranty its not going to castrate a couple million mail boxes. I think the DST fiasco last year costs us a few hundred man hours.

Re:

[SanityInAnarchy]

As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall

Or my server could be an updated firewall.

At the very least, you want to keep sshd up-to-date.

Most updates seem to slow things down these days.

Plenty of updates speed things up. See Ruby.

I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server

Wow, your distro must suck.

Sales FUD

[MeanMF]

They're looking at EVERY piece of software installed on the computer, not the OS itself. They're doing this along with a very generous definition of "security update" to come up with hugely inflated numbers so they can better scare the clueless into buying their services.

Re:

[phantomcircuit]

Except this software is free for non commercial user.

Re:

[hurfy]

I think EVERY is an understatement. The stats come out to over 81 applications on AVERAGE per computer. Huh? Even counting the Acrobat reader which always screams for an update and says it may not be able to open a file just before it does so, i can't imagine what that covers.

Also have to agree with comment below...The security conscious/paranoid are not going to install a 3rd party app that reports their vulnerabilities back to said 3rd party!

Actually, flawed software

[NetDanzr]

I run Secunia's PSI, and I noticed a few flaws, which pretty much catch anybody. For example, it lists seven instances of Sun Java JRE on my computer, three instances of Adobe Flash and two instances of Adobe Reader. On top of it, it lists several instances of Macromedia Flash as "End of life" software. Obviously, all of those listed have been upgraded to recent versions, but the older versions either weren't properly removed by the upgrade, or Secunia never updated its database on my computer. Be it as

Re:

[initdeep]

if you have flash or java installed on Linux or Mac OSX you will also fall into this category.
The security vulnerabilities of a particular program do not always link to the specific operating system used.

There have been many instances of security vulnerabilities in Java, Flash, Firefox, etc which are non-OS specific, so please do not try to make this seem a "Windoze" only problem.

I myself have at least three linux machines which are probably "out-of-date" for at least one item. The real question is, is that

duhhhh....

[debatem1]

Anybody who is remotely worried about security is probably not going to download a tool that reports your security status to another organization.

Run Microsoft Update not windows update on windows

[Joe The Dragon]

Run Microsoft Update not windows update on windows system to get all of the windows base os + other APIs and runtimes + office updates.

Re:Run Microsoft Update not windows update on wind

[ucblockhead]

That doesn't help much if the exploit targets Firefox or Adobe Reader or Photoshop or iTunes or...

And Adobe update, and Java update, and Software...

[SanityInAnarchy]

And what will update my video drivers?

Oh, whoops -- nvidia doesn't have ANY automatic update.

So yes, Microsoft Update is a start, but until it's just a generic Update feature which all apps can hook into, it's pretty useless for keeping the whole system up-to-date.

Updates Slow Computer Down

[smist08]

Many people have a bad impression of updates. They know for sure that updates slow down the computer and they know for sure that updates have previously broken things. So you have a choice: 1. Install something that will degrade your computer (possibly making parts of it unusable) or 2. Don't install it and just hope that you don't open a bad email or something, after all practically speaking viruses aren trojans are quite rare.

How much of this is stuff people aren't using?

[DrData99]

With all the pre-installed trials and other crapware the comes with home computers it is likely that many of these unpatched applications are ones that are not really at risk since they are never used. I see this even at work, where we run regular vulnerability scans. You tell a user that they need to update and get told that they haven't used said product in .

Not worth it

[kemushi88]

Except for the occasional windows patch, I don't think most of the patches really offer much benefit for the casual user. Is a tiny reduction in your vulnerability worth the effort/time it would take to run the update software/visit the manufacturer's web site for every piece of software that you own? I think the article would be more powerful if it stated 95 out of every 100 crash/identity theft/virus attack would have been prevented by a patch.

Re:

[SanityInAnarchy]

run the update software/visit the manufacturer's web site for every piece of software that you own?

It's not so bad when they update themselves (Adobe, Java, Apple, etc).

But yes, having to visit the manufacturer's website is bad. That's why we have this concept of a "package manager" on Linux, and why we're still so confused that people think it's more complex to install and manage software on Linux than on other systems.

Actually, I lied, there are currently two package managers I have to keep track of: D

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[adolf]

I've heard of appget before, so this question might have an answer which is obvious to some, but:

What prevents me (or anyone else) from submitting bogus and/or malicious download links?

Re:

[account_deleted]

Comment removed based on user account deletion

I should be safe ...

[WoodstockJeff]

... Windows Update tells me that the only update I need is "Windows Genuine Advantage", which I don't want, anyway. No other updates needed, since Microsoft told me that WGA wasn't necessary to get security updates... just "new features".

Yeah, right....

You call them security updates

[WillAffleckUW]

We in dual-boot land call them "driver downgrades".

Just look at the "fixes" in MS Office 2003 in the last SP.

Those removed the ability to open older spreadsheet formats we still have data stored in, so we had to roll them back.

And most of the fixes were already done when we switched to the more secure Firefox as our default browser and got rid of all Outlook instances.

Re:

[ribond]

note that they just offered a fix to allow the older spreadsheet format to work after the update.

A free system level common update system is needed

[Joe The Dragon]

MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at lest get rid of having to deal with games and other apps having there own built in updaters and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be setup to auto run in the back round at system level. Also MS needs to let get the all of the updates form windows update using auto update. Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.

So what you're saying is...

[SanityInAnarchy]

Ripping off Sudo was a good start, but they really need to learn some lessons from Linux package managers.

OS X has the same problem, by the way. Linux distros are really the only place you see a system-wide package manager.

Re:A free system level common update system is nee

[initdeep]

So Microsoft should be responsible for all the updates for every POS crapware and trialware and Bonzi Buddy program out there? And they should provide this to free to every person who wants to include their updates in the program? And none of these "altruistic programmers" would EVER try to sneak their potential spyware updates into the program at all would they.
And no one would blame Microsoft if they did provide this and somehow, someone installed spyware on every machine that used to program.

Yeah, that m

Re:

[Joe The Dragon]

First you should be running Microsoft Update and you need to be admin for it to fully work. They must of changed windows update / Microsoft Update to some what work with runas in the pass you got the admins only page / updates failing to install.

Yeah I'm usually a day or two behind myself

[davidwr]

Most auto-update applications have something like this:

Check for updates:

*once a month
*once a week
*once a day
*every time you run it

OK the last item is missing from many applications. I bet most people run "unpatched" applications in the first hours after an update.

damned if you do damned if you don't

[davidwr]

Security updates are a damned if you do, damned if you don't situation.

Would you rather have the poison of known-broken code with a known exploit, or the possibly-good-possibly-fatal-poison of the latest patch?

For servers and users who run a predictable workload with a predictable exposure profile, "known code" is frequently the safer option. For users who surf the web randomly using IE with possibly-buggy firewalls and likely-incomplete virus protection, and who could trip over the next "MS just patched t

MS is partly at fault for this

[Anonymous Coward]

This isn't entirely the fault of users. One of my major complaints about windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of windows updates.

Re:

[Shados]

Updates that don't require reboot don't force you to reboot... I agree too many of em do, but its been a heck of a long time since I had to reboot because of windows update...

And personally, what I always do, is update, then just say "reboot later"

You get a popup every 4 hours (I wish it could be pushed to more than that, but bleh), and then just turn my computer off at night.

Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown". I don't

Re:

[Heian-794]

Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown".

This should have been implented many years ago. My XP machine at work literally interrupts you every half hour to ask you if you want to restart now. You'd think that after three or four "no, not now" clicks, it would get the message. No one likes to have their work interrupted, and even if I have time to flip over to Slashdot and take a little break, that doesn't mean I have th

Re:

[toddestan]

One of the nice things about Windows updates in XP is that you can have the system download them automatically, and then it will install them when you shut the computer down. I find it's pretty easy to keep up to date, just tell the computer to shut down at the end of the day and walk away from it. The next morning you'll have an up to date system.

Not scientific and potentially biased

[ClosedSource]

The report from Secunia is based on their users' PCs and thus is not statistically valid (has there ever been a statistically valid survey reported on Slashdot?). In addition, they have a vested interest in reporting a high number in order to promote their non-free version.

Pirates?

[__aaqvdr516]

I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?

ObligFilmRef

[secretwhistle]

Well, I wouldn't say I've been "missing" them.

They don't miss them.

[feepness]

They don't even know they are there...

Well Bob...

[Boydacus]

I wouldn't really say I've been missing my updates...

Re:

[DCTooTall]

Hmmm... Better option to drive it home to the public without causing MASSIVE damages....

Take all the pictures and email on the Harddrive and make it publicly accessable. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive. Hell... put those C&C servers to good use if needbe and proxy the connections so that it can even be a non-standard port for those ISP's that block po

Re:

[secolactico]

Take all the pictures and email on the Harddrive and make it publicly accessable. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive.

This could actually be more damaging than just deleting the files. Embarrassing would be just one result of exposing all this info. But you can probably get a lot of info from personal pictures to steal an identity or stalk/harass/hurt somebody.

Re:

[DCTooTall]

Sadly I could say that they probably couldn't get anymore than existing social engineering and phishing methods don't already get. It would also potentially help maybe force something to be done about the existing financial and credit system which allows it to be so easy to have someone screw up your credit, yet so hard to fix it.

(And sadly... I know from experience that it's also 100 times easier to get a stolen identity "fixed" in your credit, than it is to fix an error the credit agency made on th

Re:

[ToasterMonkey]

I really think this is one case where user education should be considered more important.

There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, a

Re:

[SanityInAnarchy]

Obviously 95% of people aren't doing this, so what do we change to fix that?

Here's what I'd do:

1. Remove the user from the equation (fully automate everything)
2. Not care what happens to anyone who disables #1

Re:

[SanityInAnarchy]

What does this have to do with OpenOffice?