Fewer than one in 50 Windows PCs are fully patched, according to stats from users of Secunia's new patching tool, which suggest surfers are becoming even more slipshod with applying patches over the last year. The final version of Secunia Personal Software Inspector (PSI) was released last week after 17 months in development. …
Loop , do
The problem with Windows patching is that it feels like a monthly game of Russian Roulette. Even if you follow good practice and ensure that they are tested internally it feels like no sooner are you done then another set appears in WSUS.
Sometimes its just easier not to fix what isnt broken. Oh hang on, this is Windows, it was broken out of the box.
Any one seen my desktop wallpaper of the Escher monks?
Its like with the increasingly annoying Firefox, eventually you get so tired of being bugged to upgrade/patch that you inevitably click "don't remind me again/fuck off"
Enable automatic updates? But then they'd detect my OS is slightly non-legit!
Explanation for increase in stats
As the blog entry says, tech savvy users who are already security-minded are likely to use the tool. However, this is even more prevalent when you're talking about a beta version - the tool was still a beta until last week - so it's natural to assume that the beta users' PCs were in a better state (albeit marginally) than those who only install "officially released" software.
It would be useful to be able to identify how many of the 20,000 sample size feature in both last year's and this year's statistics, and which category they fall into. Are the 98.90% of users with vulnerable PCs all first time users, or are there people who have been using the tool for a year and knowingly not patched their machines?
Mine's the cute little penguin cause he allows me to patch my PC without always having to reboot the damn thing.
Not a random sample
Beta version: Only used by early-adopter security geeks.
Release: Used by slightly less geeky people, maybe even the odd "normal".
Shock News! Security geeks more likely to be secure than normal people!!!!!
It's because of P2P
muTorrent now uses UDP instead of FTP, which destroys the intarwub. That's why I can't patch: the P2Pers have eaten all my interbytes. Kill'em.
Also, I don't crawl Windoze, which is a serious step towards a safer networking...
I think they're reading too much into their results and that you fell for it. What it seems to be doing in my case is finding ancient redundant registry entries, and old, mostly-empty folders that are left behind in 'program files' after programs have been removed or replaced.
I wonder if much of this is down to SP3
I for one haven't yet upgraded due to incompatibility with opengl on my laptops Intel on-board graphics.
How did Reg fair then?
"It's a neat utility which we, having used it for the last few months, have no hesitation in recommending."
So how unpatched were your PC's then?
in other news (totally unrelated news)
With Safari being pushed out with every itunes\quicktime update. I'm sure the number of insecure programs are going up everyday.
TBH I'd like to think I'm in the 2% and unlike "Loop,do AC" who doesnt seem to have used a windows box this century. updates are getting to be far less frequent on vista and far less obtrusive than they were previously.
People dont want updates but they do want a secure system. Somethings not right there.
Patching a Windows system can be a nightmare! There is no central update system or equivalent to yum or apt. M$ have their Microsoft Update service, but it's only good for M$ products and some (but not all!) drivers.
And then yes, as AC said - you get almost every bloody app running it's own scheduling engine to run it's own updates and most of the time it does this WITHOUT BLOODY TELLING YOU!! Yes I am looking at you Sun - Java update that in update 10 cannot be disabled!! At least Apple now ask you if you want automatic updates; and please don't get me started with Real Player *shudders*. I spend half my time after setting up a Windows machine removing these auto-updaters just so the machine is not bogged down.
What Windows needs to address the patching problem is a single, reliable, SECURE update service where all program updates for all programs can be located. Whether this should extend to games as well... I don't know (Steam does well enough on its own), but certainly for businesses this would be a massive benefit.
Software devolopers to blame?
I have never quite understood why so much software are open to the Internet? I have even a harder time understanding why I am never asked about if that is something I want, or told how I can terminate the access. I have no use for Adobe Acrobat Reader having access to Internet, I use it to open documents I have stored and documents my web browser downloads and sends over to it. The only software I use that have to have access are a few games and my web browser. I just do not want to use Winamp as a web browser.
Okay, there probably is some overflow errors that can be triggered with specially made media files that opens in different programs. Correct me if I am wrong about this because I am no oracle on this, but surely most security risks void be avoided if the program didn't have access to internet nor had any actually active code that wanted access or listened on any ports?
For the software devolopers out there: If you are making such programs, give me the "I do not want this program to have any access to Internet. That includes, but not limited to, any search for automatic updates that can be hijacked, reports on my use of the program, download of new skins and news about exiting new features, and so on. In essence I want this program to stay put and run silent."-option.
Nice little utility. It found that I had a couple of things I rarely used that weren't up to date and steered me to the updates with the minimum of effort.
If I understand this correctly...
They are gathering stats on how much unpatched software there is on users' systems, not on the OS. Bearing in mind that the average PC is going to have a fair amount of software installed which is not used on a daily basis, and that most software only checks for new patches when run (e.g. Firefox, Acrobat, etc.), it is hardly surprising that ther will be installations which are not fully up to date.
Forgive me if the whole thing seems like marketing FUD to sell me yet another product I don't need...
it finds lots of unsafe applications.. albeit nothing wrong with windows..
I guess its time to tackle application software providers , and not microsoft ...
Windows Patching is not abysmal.
Windows end users are abysmal at patching.
Waste of Time
I removed Secundia from my computer - it found 5 "security" risks: 4 from a previous version of Java tools, all fully patched, and the 5th was a 2008 version of AV software, again fully patched, after the vendor had released their 2009 version.
@ Anon Cowards
"Roughly a third (30.27 per cent) of users of the software scanner are running between one and five insecure programs, while a quarter (25.07 per cent) were caught out with between six to 10 packages that need patching on their systems. Almost half (45.76 per cent) had more than 11 insecure software packages on their computers."
If you care to read the article rather than the headline you'll realise that nowhere does Secunia mention Windows patching, rather insecure programs.
For example, I can have a machine fully patched and up to date from MS (as it's all done automatically I wouldn't even know about it), however I may not be running the latest version of Adobe Reader or iTunes.
Prehaps I'm using Firefox which requires security updates about as often as IE.
Or maybe the version of Google Desktop I am running isn't the latest....
The point I'm making is that Secunia are talking about insecure applications. They are not talking about the number of patches missing, or just a particular application. For all you know the people doing the scans that these results come from have the latest Microsoft patches installed, but simply have a number of 3rd party apps that are not up to date - such as the ones I mentioned above.
No surprises here then
So they sample users who willingly download "Check your PC Security for FREE!!!!1!!" software and notice that those users have insecure computers? Well duh.
I don't know if it's the IBM Access connection on my R52 ThinkPad, but when I installed it just now it blue screened XP Pro.
After it rebooted none of my network connections worked, cabled or WiFi... Even worse PSI wasn't even showing on the add/remove programs list. Luckily, just I was considering a manual through the registry removal (eeek), I spotted it had an uninstall exe in the program directory (no shortcut on start menu).
I removed it, and after a reboot, my networks came back.
I don't think I'll be trying it again in a hurry!
Fairly nice but...
In it's default install mode it tells me this:
"Congratulations. You have removed all security threats detected by the Secunia PSI from your PC."
At which point 95% of non-techy users are going to breathe out and stop reading. It then goes on to say:
"Note. You have updated all of the programs installed on your PC that exposed it to security threats and which were easy to patch. Normally, these programs are also the ones exposing your PC to the greatest security risks. However, you should be aware that 5 other program(s) were also found on your PC requiring attention as well. Unfortunately, these programs are likely more difficult to patch. If you feel comfortable with e.g. uninstalling software, deleting files on your PC, then you may enjoy the "Advanced" interface"
So which is it then? What's the point in a security app that doesn't flag up a proportion of issues by default because it deems them too awkward to put right.
As B5 Commander Jeffry Sinclair said ...
... "So, what's your point?"
Lack of regulation
Problems for the computer literate:
1) Some of us are still using PCs with 2k installed - which isn't supported by the latest versions of some software (eg Quicktime). Is anyone offering to pay for XP upgrade and extra RAM?
2) The new 'secure' versions of some software are less stable and more bloated than older versions.
3) Newer, more secure versions of some freeware / shareware have fewer features than previous versions (eg dB PowerAmp doesn't have free mp3 re-encoding, but earlier versions do).
4) The only realistic way to keep patched is to allow all those automatic updaters freedom to do what they want (ie install Safari when you're not paying attention). It's too easy to forget to untick the 'Install Yahoo toolbar' etc options on things like Java.
5) Legacy software sometimes needs legacy versions of plug-ins to run properly.
There's no easy way to address these and similar issues - companies like Adobe could be forced to ensure full backwards compatability with obsolete OSes, or made to continue patching up older editions of their software long after they've been replaced by new versions, but this would be impracticable. Plug-ins and OSes could have deadlines built in to turn the software off and so prevent it being insecure - but this would enrage many users.
My suggestion would be for the governments to licence software and require it to meet minimum security specs. Sure, no one can make 100% secure software, but I bet all the big software houses could afford to spend a lot more on ensuring security than they currently do. Medical drugs, food, toys, vehicles etc all have to meet specific safetly regulations - considering how many of us channel our personal details through our computers, shouldn't software with exposure to the web also be regulated. This wouldn't eliminate the problem, but should dramatically cut the need to update every month.
Need to reboot Windows after using WU?
First of all, not *all* updates require a reboot, although I'll grant that a fair majority do. Secondly, even if they do, the 'forced reboot' can easily be disabled via Group Policy Editor (labyrinthine and non-intuitive as it is, it's still a powerful built-in admin tool). As to which take effect regardless of no reboot and which require a reboot before becoming active I couldn't say, but I'm going to try this tool and see if I concur with its results.
there is an easy way to terminate the Internet access: pull the cable out of your computer. Better still, turn it off. And don't turn it on again
Bad reporting by PSI?
Just tried it and it reported several "problems" that were not true. E.g. saying I need to update Opera to the version currently in use!
So can we trust those stats at all?
Java, Firefox, Flash...
Rather than test software before release - microsoft, like ALL THE OTHER FEKKERS listed in the posts above, opts instead to have regular contacts with your computer. Few people have read the EULA but it goes something like this... "when you install this software (note that's "software", not "Operating System" you no longer own your hardware, or your internet connection or any other software on your computer... now then... would you like us to keep interrogating you every 2nd Tuesday?"
This creates a number of different types of people... Those running illegal copies of Windows, those running low spec internet connections, those with internet caps, those who haven't got a freeking clue, those who have legit windows installs but manage to be blacklisted by the authentication check, those who get bored with the constant reminders to reboot a machine that was working absolutely fine until the freeking update came along, those using OS's other than windows and those who get there updates by a means other than automatically.
So that leaves just sheep with legit windows and psycho freeloaders with open keys (like me) to make up the 1 in 50... I think they have overestimated the uptake to be honest... and soon I'll be all Linux and that will drive the numbers down to 1 in 100.
You download the updates & youre server/PC dosnt boot what fucking use is that?
Ive had more grief and crap than any potential threat or attack has ever done than bloody windows malware junk.
ech savvy users who are already security-minded are likely to use the tool...
Er, could it just be that the people who will blindly download and run a "security" utility from the web are exactly the people who are not security concious and therefore aren't patched?
False positives so false they don't exist
This tool tried to tell me I have a copy of Acrobat Reader 3.x installed. I don't think I've ever used Acrobat Reader 3, much less had it in the same room as this computer.
It also sent me to a patch for MS Project that I already had installed.
Very misleading . . .
. . . although I'm not sure whether it's Secunia of El Reg mis-quoting.
PSI scans all files - whether software is installed or not. For example - I have multiple MS Office 2000 problems because I have a folder containing the installation source. I upgraded to Office 2003 some time ago, but that folder is good for half a dozen "unpatched" warnings.
PSI also highlights several programs that are "end-of-life" but don't have any known security issues - simply later versions available.
Having said that, I still think the program is excellent, as long as you have the experience to evaluate the warnings. Does anyone remember BigFix? I think MS do a great job of patching Windows (shame they have to though!). It's about time we had another service that can do a reasonable job of looking at a wide range of other companys' software.
The system's the problem
The problem is that it's an awkward system. It's just not simple enough.
Look at OS X - you click on 'Software Update' and it lists what's new, explains what it is and tells you whether it will require a restart or not.
Windows is just too vague. You're never sure what they want to install on your machine and what it means. And you lose any confidence when they want to install 'Windows Genuine Advantage' crap.
Even if you've got a legit copy of Windows it sounds like malware dressed up in cheesy marketing speak.
Would you want to update if one of the updates was called "ANTI PIRACY PATCH (IF YOU FAIL OUR CHECK YOU'RE COMPUTER WILL BE DEACTIVATED"
Cos that's what it sounds like.
Any non-current version of Java on your machine will be flagged as a "Highly Critical" threat.
And almost everyone who has every installed an "updated" version of Java still has the old version installed, because Java doesn't uninstall the old, insecure versions when it give you a new version. Why not? Because the so-called "run anywhere" applications often have version dependencies, and if you don't have the 6 year old JRE installed, you can't manage your printer anymore, because the Java applet that it tries to deliver to your browser won't work in a current JRE.
POS, if you ask me!
Problem is 3rd Party Software, not Windows
I run secunia fairly regularly, and the problem is 3rd party programs like Firefox, Opera, Java Runtime, Flash Player, etc. It is not the case that only 1 in 50 PCs are not running Windows Update.
It's often a real pain to update these programs, particularly Flash and Java runtime. Very few 3rd party programs have a clean automatic update system, and when they try, they seem to do it in a very intrusive and stupid ways. For example, Adobe insisted on rebooting my machine after updating photoshop's clipart!
Secunia also seems to find reminants of old versions of programs that are difficult to remove. Certain programs like Flash do not remove the old version when you install a new version, and secunia will complain until you go to the trouble of running a specialized utility from Adobe that is required to actually scrub old versions of Flash. Is it any wonder only 1 in 50 people go to all that trouble?
Its fairly obvious why most machines are unpatched.
1- Most people hate the WGA false positives and dont want to mess up thier computers
2- Some people dont have unlimited bandwidth and dont want to waste it on patches
So often seems to go bad
The number of times updates get installed and then the computer reboots itself if I don't tell it not to. That's really not helpful as I leave my workstation on to do things in the background. I know it can be configured not to do this but that isn't the point - it should ask with a popup once and wait for my reply, without nagging every 5 minutes.
And then there was the optional nvidia update. I often get games keeling over so I updated that too. I got 3 graphics-based complete system crashes that day, after rebooting.
So yes, windows end-users may be abysmal at patching, but windows patching itself is not great.
If this experience is common, I'm not surprised people don't patch. Luckily for me I only use windows for games - all my browsing and serious stuff is linux based.
Personally, I'm rather addicted to my linux software, but it seems more and more, if they have the choice, end-users go with a Mac and I find myself agreeing with their decision. Yes, the hardware is overpriced, but there is so much more to using a computer than the hardware specs. Let's face it, with the exceptions of gaming (or running vista!) most new PCs are over specc'ed for what people need them to do.
Still can't install XP SP3
Having waited for a month after it came out (to wait for the problems to be sorted) I attempted to install XP SP3. Result - network printing breaks. After lots of experimentation the only solution was to back out the SP3 'fix'. The problem is I don't know what in SP3 is breaking network printing. I
Vista on one desktop is broken after installing patches back in the Summer. Every so often some process goes rogue and soaks up all the CPU and the system virtually stops responding. Trying to get to the Task Manager brings up a "can't create security options" dialog. The only way out of this is to reset the machine. A trawl of the web sees lots of people have a similar problem but apparently Microsoft know nothing of this problem. Vista is about to be replaced on the broken machine as it is completely unusable at the moment.
Actually seems reasonable to me
Installed on a VMware XP installation and told me some things about it.
Online scan of my corporate desktop XPSP2 got the green light with regards to being up-to-date on patches (my VM SP3 wasn't). Also picks up on many BHOs that people tend to not bother updating.....
Seems to do a reasonable job - the question is whether it adds value to the average home user? If they have to wade through false positives?
I'd like to think (hope) so.
El Pingu - because surely he's always up-to-date with patches ;)
The software is absolute crap, lists the latest version of Firefox as a security risk and not patched then recommends I download the latest (same) version of the software!
"My suggestion would be for the governments to licence software and require it to meet minimum security specs."
I like the idea but it will never happen.
Swapping out all those Windows boxes for an OS that meets the minimum requirements would just cost too much.
Keeping software up to date is essential and also surely one of the most irksome maintenance tasks for the average pc user. Even people who are aware of the potential consequences of failing to update usually have it tagged on to the bottom of their to-do list. I was that man, and I paid the price for my negligence.
Software Informer is an excellent freeware app that does the same job as Secunia PSI with scheduling options and a better interface. At the very least it gives a very clear picture of your exposure through negligence. Worth a try.
@ Alexis Vallance &Penguins & Mr K
I don't know what version of windows you last used but for Windows Update you click on 'Windows Update and it lists what's new, explains what it is and tells you whether it will require a restart or not - pretty much like OSX. Of course some of the updates will kill your pc (sp3 - I'm looking at you) but that's another issue.
As for those claiming that Linux never requires a restart after an update - it may be not nearly as often as Windows but it certainly ain't never.
Mr K - get a proper firewall and don't take the 'do it all for me' option - then ban those phone home apps from accessing the intertubes.
- Product round-up Coming clean: Ten cordless vacuum cleaners
- Product round-up Too 4K-ing expensive? Five full HD laptops for work and play
- Review We have a winner! Fresh Linux Mint 17.1 – hands down the best
- 'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
- Worstall @ the Weekend BIG FAT Lies: Porky Pies about obesity