Oracle Java 'no longer the greatest risk' to US Windows PC users

Apple's Windows apps have leapfrogged Oracle Java as the biggest security risk to PCs in the US, according to a study by vulnerability management outfit Secunia (now a Flexera Software company). (This shift is mainly down to the forced retirement of aging Java 7 rather than any improvement by Oracle.) Secunia's latest …

  1. Anonymous Coward

    The way software is installed and updated in Windows is an absolute disgrace! The whole burden of installation, automatic updates, and removal is still on the developers.

    Don't they have a decent package manager yet? Not MSI, I said decent.

    [I had my own shareware title years ago]

    1. Lee D

      It wouldn't matter.

      Every manufacturer deliberately chooses to do things in entirely different ways.

      Chrome updates within the browser itself AND has a scheduled task

      Adobe has an update service AND a scheduled task.

      IE is covered under Windows Update (if you're lucky) or - well - nothing at all.

      Quicktime has to be running Apple Update services and be in the taskbar to update properly.

      Your firewall and antivirus will have an update mechanism of their own.

      Basically, the tools are there - scheduled tasks can keep anything up to date on a user-customisable schedule.

      Now stop them, and then manually install an update. Bam. They're back, with their manufacturer's settings again. Kill the service? The scheduled task will restart it. Turn off the scheduled task? The service will still try to update. Try removing both? The next install or update will put them straight back.

      Either the user needs to be in control, or the software manufacturer. In Windows, NOBODY, no matter how well-intentioned does either. There are package management systems. Nobody uses them. There are updaters. Each manufacturer rolls their own (Flash in Chrome updates on a different schedule to Flash in IE, which is different to, say, Adobe reader, despite all being Adobe products).

      Like malware, manufacturers do this deliberately, because then it stays on your machine, shows up in their stats and "not having it" stops lots of stuff working.

      Let's not even get into that updates break stuff all the time on Windows, removing functionality and breaking existing features in the name of "modern" software.

      Provide an executable. Have it check for update on run. It's not hard. It doesn't need to update at any point until you decide to NEXT LOAD IT. Why bother with all the services and tasks and everything if you're going to be burdening your update infrastructure with unnecessary updates that the user isn't choosing to install anyway? Because it keeps the name alive.

      And, technically, Chrome and Firefox collectively stopped Java being the #1, by stopping it working in the browser. Oracle have done NOTHING about it - not to secure it, not to stop it, not to fix it, not to get it back in your browser using more modern APIs. They absolutely DO NOT CARE. That's the problem, not Windows. The situation is the same on many platforms for the same software. Java on Linux works because of things like OpenJDK, not Oracle.

      Similarly for Apple Quicktime. Nobody uses it, nobody cares, the installers and way it operates haven't changed in over a decade. The menu still appeared in Control Panel last I looked. Same for ActiveX sides of Flash player. Same for Java.

      This is legacy stuff that nobody cares about to even bother to GET WORKING again in a modern browser, or even create a fuss about it being forcibly turned off by the browser makers.

      That's the problem. Not that there's no viable update mechanism. If anything, there are too many, and the basic one that your AV uses is probably the best. Every now and then, check a website and suggest the user update. It's that simple.
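The updater sprawl Lee D describes (a service plus a scheduled task per vendor, each re-enabling the other) is easy to audit once you enumerate both halves together. The script below is an added example, not code from the article or from any commenter; it assumes Windows 8 or later (for the ScheduledTasks module), an elevated prompt, and the name patterns in $UpdaterPatterns are illustrative guesses at common updater names, not a complete list.

```powershell
# Added example (not from the article or any commenter): list the third-party
# updater services and scheduled tasks on a Windows box, and optionally disable
# both halves together, since disabling only one of them is pointless.
# Assumptions: Windows 8 / PowerShell 4 or later and an elevated prompt; the
# patterns below are illustrative, extend them for your own estate.
$UpdaterPatterns = @('*GoogleUpdate*', '*gupdate*', '*Google Update*',
                     '*AdobeARM*', '*Adobe*Update*',
                     '*Apple Software Update*', '*MozillaMaintenance*')

function Test-MatchesAny {
    param([string]$Text, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Text -like $p) { return $true } }
    return $false
}

function Get-ThirdPartyUpdaters {
    param([string[]]$Patterns = $UpdaterPatterns)

    # Half one: services. Win32_Service exposes StartMode (Auto/Manual/Disabled).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { (Test-MatchesAny $_.Name $Patterns) -or (Test-MatchesAny $_.DisplayName $Patterns) } |
        ForEach-Object {
            [pscustomobject]@{
                Kind    = 'Service'
                Name    = $_.Name
                State   = $_.State
                StartUp = $_.StartMode
                Runs    = $_.PathName
                LastRun = $null
            }
        }

    # Half two: scheduled tasks, the part that restarts the service you just stopped.
    Get-ScheduledTask |
        Where-Object { Test-MatchesAny ($_.TaskPath + $_.TaskName) $Patterns } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                Kind    = 'Task'
                Name    = $_.TaskPath + $_.TaskName
                State   = [string]$_.State
                # Trigger class names (Daily, Logon, Boot, ...) show when it fires.
                StartUp = (@($_.Triggers) | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Runs    = (@($_.Actions)  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
                LastRun = $info.LastRunTime
            }
        }
}

function Disable-ThirdPartyUpdaters {
    param([string[]]$Patterns = $UpdaterPatterns)
    # Both halves in one pass: stop and disable the service, then disable the task.
    # Whichever half survives would otherwise re-enable the other on its next run.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { (Test-MatchesAny $_.Name $Patterns) -or (Test-MatchesAny $_.DisplayName $Patterns) } |
        ForEach-Object {
            Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $_.Name -StartupType Disabled
        }
    Get-ScheduledTask |
        Where-Object { Test-MatchesAny ($_.TaskPath + $_.TaskName) $Patterns } |
        Disable-ScheduledTask | Out-Null
}

Get-ThirdPartyUpdaters | Sort-Object Kind, Name | Format-Table -AutoSize
# Disable-ThirdPartyUpdaters   # uncomment once you have read the list and accepted the consequences
```

Run the listing first and keep it: a later install of the same product will recreate the entries, and diffing against the saved list is the quickest way to see that it has.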

      1. Anonymous Bullard

        Chrome updates within the browser itself AND has a scheduled task

        To be fair, on Linux Google add their repository when you install Chrome... perhaps showing that Google at least would use the OS's built-in mechanism when available?

        As for the rest of the scumware, your point stands.

        It doesn't need to update at any point until you decide to NEXT LOAD IT

        No. There is nothing worse than to start an application in order to use it, only for it to make you wait while it downloads 250MB of bloat, make a restore point, reboot, etc. Defer the update? Yes, every time... but what if you're just about to open a file that exploits the application that hasn't been updated for 2 years?

        1. werdsmith

          See how the Ebook management software Calibre does it?

          That's how I like it done.

        2. John Bailey

          "No. There is nothing worse than to start an application in order to use it, only for it to make you wait while it downloads 250MB of bloat, make a restore point, reboot, etc. Defer the update? Yes, everytime... but what if you're just about to open a file that exploits the application that hasn't been updated for 2 years?"

          Sure there is.

          Windows system updates.

          I've been spoiled on Linux for the last few years, so it was more apparent to me.. But the Windows system update system is comically hideous.

          Seriously.. I did a FULL OPERATING SYSTEM AND APPLICATIONS update just yesterday that took less time than the ordinary Windows system updates can take. And ONE reboot.

          One 3rd party repo to re-enable.

          One package to reinstall.

          Everything else unchanged.

          And no. It didn't nag me to update to the latest shiny. Didn't "helpfully download itself", and I can even turn this notification off for ever if I like.. The presence of an OS upgrade is presented in the update application, but not forced.

          Windows:-Download patches. Fair enough.

          But don't dare to use anything, cos Windows is still crashy sometimes, and a misapplied update is not a new headache.

          Then reboot. And hope it comes back as functional. Cos if not.. Reinstall. And did you get disks with your computer? Did you heck. At best, you got an option to burn a set of install disks. But probably not.

          And when you reboot.. A potential second delay, followed by stage two installation, and rebooting, and restarting.

          Linux:- Hit the update button, and go back to doing what you were doing. I'm running an update right now as it happens.

          If something goes wrong, dust off a boot disk, and hit the forums to fix it.

          And the time.. Seriously. How long does it take to apply a patch? 20 minutes? half an hour? 2 hours?

          Has it crashed, or is it still going. You never know until it's done.

          If I turn it off while it is just sat there, will it recover, or will it bugger up my computer. I mean.. A progress bar, even a lying through its teeth one, or even an "I'm still working" indicator would be a help.

          Genuine fact.

          I bought a reconditioned Thinkpad last year. And I swear.. The first week of use, I was spending more time patching Windows 7 than I spent using it.

          Every time I turned it on.. Updates available.

          Every time I shut down. Updates to apply.

          Booting Windows off it and putting Linux on made it into a new computer. A pleasure to use. Faster, smoother, and with less hassle all round.

          So sorry mate. However bad applications are.. And yes, I do remember how bad. Microsoft's very own update system is significantly worse.

          Windows users just don't realise how awful it is, because they have nothing to compare to.

          1. Maventi

            "Windows users just don't realise how awful it is, because they have nothing to compare to."

            This.

            Have an upvote sir!

            1. Anonymous Coward

              "Windows users just don't realise how awful it is, because they have nothing to compare to."

              Yes, I know! The fact that seemingly technical people actually stand up and defend it just beggars belief.

      2. Anonymous Coward

        Lee D

        Well said, exactly why I like Linux and the one stop package manager repo philosophy.

      3. Bob Dole (tm)

        I wholeheartedly agree - that is the problem.

        Windows Update was a great idea that just didn't go far enough. They should have opened it up and encouraged software manufacturers (other than driver providers) to use it. I like Windows Update, or at least did when it was still publishing at least some details about what it was updating.

        I have to say that Apple did a really good job with their store. When a company updates their software I have the *option* of downloading / installing the update. I don't have to check a different place for each app on my phone. Just the one.

        1. Tom 13

          @Bob Dole (tm)

          I like Windows Update, or at least did when it was still publishing at least some details about what it was updating.

          This x1000!

          I'm not so sure about expanding it to other apps though. Because it's a service provided you take on risk for enabling the update and don't control the software. You could set up some sort of QA program, but then you wind up hiring staff who need to know a bit about the programs. At which point even if you can set up the Chinese air walls to comply with FTC regs, you still have the problem of vendors not trusting MS with any details of their software because of past behavior. Part of the reason it works for the driver market is those QA programs are already in place and the maker of the driver isn't selling the driver, he's selling the hardware the driver enables. He doesn't much care if MS knows his algorithms, only that his hardware competitors don't. Well at least as long as MS stays out of the hardware business.

      4. Tom 13

        Re: Similarly for Apple Quicktime. Nobody uses it, nobody cares,

        Not quite. If you run iTunes (just about the only thing Apple really makes for Windows) you need Quicktime.

        The updater is easy enough to leave in place and turned on, but it has a problem. Since Apple is accustomed to their drones living inside their walled garden, they just update the list of things your updater installs without asking. So if you only want iTunes and Quicktime to support it you still get iCloud and whatever else happens to catch their fancy that week. And when one of them breaks during an update you have to manually uninstall the whole fricking Apple stack to fix it.

        I run Secunia's PSI. It's a decent tool. Configured correctly it will keep your system in the 97%+ current status excluding EOL software (yeah I have some, DVD burner software because I don't actually do it that often and I'm not paying for a new copy every 3 years). It does sometimes find issues that require manual intervention. I recall one dll problem related to one of MS's C+ modules that kept showing up on the scan as needing an MS update, but when checking with MS Update no update would appear. I had to dig down into the directory with the file and delete it.

    2. Anonymous Coward

      "The whole burden of installation, automatic updates, and removal is still on the developers."

      You obviously haven't used the Windows Store yet. This was fixed back in Windows 8.

      "Don't they have a decent package manager yet"

      Windows Installer and App-V are way way ahead in terms of capability of anything I'm aware of in the Open Source world. For instance how do you stream parts of applications on demand in the background as needed while the rest transparently installs under Linux then?

      1. Trevor_Pott

        Windows Store only allows for broke-ass Metro apps, and Microsoft takes a scrape off of every sale.

        Far fucking cry from Linux.

        1. Anonymous Coward

          "Windows Store only allows for broke-ass Metro apps"

          What has a donkey that has run out of money got to do with it? Or did you mean broken-arse?

          And that's not true - desktop apps can be published if they pass the certification process.

          "and Microsoft takes a scrape off of every sale"

          So does any retailer selling software. There is no charge for free apps.

          1. Trevor_Pott

            The certification process being "look and feel like and be as broke-ass as Metro apps". The "desktop apps" that are certified in Microsoft's carnival joke store might use different APIs, but Microsoft forces them to be uselessly broken to the point that they are functionally no different than the useless Metro apps. And don't get me started on how this is a problem for companies wanting to distribute software internally only.

            A YUM repo is superior in every possible fucking way to the Windows store. Every single possible way.

            The Windows store - like Windows 8 and 10 - is a blight on the history of IT. I hope the damned thing digitally burns down.

            1. Anonymous Coward

              "broke-ass"

              Broke as an adjective only means out of money. You mean broken.

    3. Daniel von Asmuth

      The way software is installed and updated in Windows is an absolute disgrace!

      The disgrace is in the idea that software should be patched regularly. If software is good, keep using it indefinitely. If several bugs have been patched recently, your best guess is that some unpatched ones remain, so you should refrain from using unsafe software like Windows, OS X or Linux.

  2. graeme leggett

    iTunes unpatched

    Is it because a load of people installed iTunes to use with their iPhone, got QuickTime installed alongside.

    Then discovered it was impossibly unpleasant to work with, gave up and never used it again.

    1. Grikath

      Re: iTunes unpatched

      And all the other things Quicktime gets/got co-installed with. Quite often *without* an opt-out box..

      1. Philip Lewis

        Re: iTunes unpatched

        ... and now iCloud for Windows needs the Windows Media components installed AND enabled before it will install!!? WTF is that all about?

  3. An0n C0w4rd

    Puzzled

    Secunia PSI warns you (and also scans once a week by default) about out of date software. So I'm puzzled by people who have PSI installed and don't keep up-to-date. They clearly had/have an interest in patching their systems, else why install PSI in the first place? Maybe the Windows habit of hiding tray icons by default contributes to delinquency?

    1. Robert Helpmann??

      Re: Puzzled

      Good questions. PSI actually will throw pop-ups from its tray icon when things are changed or require updates. PSI can be configured to allow users to handle updates, though most accept the default of running automatically. Just the same, PSI cannot automate everything and automatic updates sometimes fail. This applies especially to anything handled by Windows Update for which PSI simply redirects you to Microsoft's update service. Finally, you may have noticed the article mentioned that some versions were no longer supported and fell into a different category altogether (presumably including Windows XP), so there is an entire class of issues that cannot be addressed by the software.

    2. Tom 13

      Re: Puzzled

      Well one of the things that sometimes remains on my unpatched list for a while is LibreOffice. Secunia can't download and install the update so it waits until I have an hour or so to sit with the box and patch it (If I patch one thing the WHOLE damn thing is getting done including new scans until only EOL stuff is on the list). I'm not overly worried about it because even though I like the software, I know it doesn't have wide adoption. And I don't use browsers all that much. Truth be told, it's mostly a quick check of my gmail so it's a very low risk site from the malware perspective.

      I know I've seen other things that applied to as well, but I can't recall what they were now.

      I also sometimes see "update pending" messages for things that should have been patched. So I manually patch them instead.
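What PSI does in this subthread (scan the installed-program list, compare each version against what the vendor currently ships, and put end-of-life products in a separate bucket) is worth seeing in the small. The script below is an added example, not Secunia's code nor anything posted by a commenter. It reads the same registry keys "Programs and Features" uses, then checks each entry against a baseline table you maintain yourself. The baseline and the sample inventory are constructed for illustration: the QuickTime 7.7.8 minimum and the Java 7 end-of-life entry reflect what this page says, everything named "Example ..." is a placeholder, and the installed version strings are made up.

```powershell
# Added example (not from the article, Secunia or any commenter): a minimal
# PSI-style pass over the installed-programs list, flagging anything below a
# minimum patched version or marked end-of-life in a baseline you maintain.
# Assumptions: $Baseline and $SampleInventory are constructed for illustration;
# only the QuickTime 7.7.8 minimum and the Java 7 EOL entry come from this thread.

function Get-InstalledSoftware {
    # Native, WOW6432Node (32-bit on 64-bit) and per-user uninstall keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = [string]$_.DisplayName
                Version = [string]$_.DisplayVersion
                Vendor  = [string]$_.Publisher
            }
        }
}

function Test-SoftwareBaseline {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,
        [Parameter(Mandatory)] [object[]]$Baseline
    )
    foreach ($app in $Inventory) {
        $rule = $Baseline | Where-Object { $app.Name -like $_.Match } | Select-Object -First 1
        if (-not $rule) { continue }   # unknown product: unchecked, which is not the same as "current"

        $status = 'OK'
        if ($rule.EndOfLife) {
            $status = 'END-OF-LIFE'    # no patch will ever come; only removal fixes this
        } else {
            $installed = $null
            if (-not [version]::TryParse($app.Version, [ref]$installed)) {
                $status = 'UNPARSABLE-VERSION'   # e.g. 'Build 2015': has to be checked by hand
            } elseif ($installed -lt [version]$rule.MinVersion) {
                $status = 'OUT-OF-DATE'
            }
        }
        [pscustomobject]@{
            Name = $app.Name; Installed = $app.Version
            Minimum = $rule.MinVersion; Status = $status
        }
    }
}

# Baseline rules: glob on DisplayName, minimum acceptable version, EOL flag.
$Baseline = @(
    [pscustomobject]@{ Match = 'QuickTime*';          MinVersion = '7.7.8'; EndOfLife = $false }
    [pscustomobject]@{ Match = 'Java 7*';             MinVersion = $null;   EndOfLife = $true  }
    [pscustomobject]@{ Match = 'Example DVD Burner*'; MinVersion = $null;   EndOfLife = $true  }
    [pscustomobject]@{ Match = 'Example Codec Pack*'; MinVersion = '3.0';   EndOfLife = $false }
    [pscustomobject]@{ Match = 'Example Editor*';     MinVersion = '5.0';   EndOfLife = $false }
)

# Constructed inventory, shaped like Get-InstalledSoftware output (versions made up).
$SampleInventory = @(
    [pscustomobject]@{ Name = 'QuickTime 7';        Version = '7.7.6';      Vendor = 'Apple Inc.'  }
    [pscustomobject]@{ Name = 'Java 7 Update 79';   Version = '7.0.790';    Vendor = 'Oracle'      }
    [pscustomobject]@{ Name = 'Example DVD Burner'; Version = '4.2';        Vendor = 'Example Ltd' }
    [pscustomobject]@{ Name = 'Example Codec Pack'; Version = 'Build 2015'; Vendor = 'Example Ltd' }
    [pscustomobject]@{ Name = 'Example Editor 5.1'; Version = '5.1.2';      Vendor = 'Example Ltd' }
    [pscustomobject]@{ Name = 'Unlisted Tool';      Version = '1.0';        Vendor = 'Example Ltd' }
)

# Expected: QuickTime OUT-OF-DATE, Java 7 and DVD Burner END-OF-LIFE,
# Codec Pack UNPARSABLE-VERSION, Editor OK, Unlisted Tool not reported at all.
Test-SoftwareBaseline -Inventory $SampleInventory -Baseline $Baseline | Format-Table -AutoSize

# Live run against the registry:
# Test-SoftwareBaseline -Inventory (Get-InstalledSoftware) -Baseline $Baseline
```

Two caveats a real scanner has to handle and this sketch only hints at: products that are not in the baseline are silently skipped (the "Unlisted Tool" row), so a short baseline produces a reassuring but meaningless clean result; and anything Windows Update owns (Flash on Windows 8 and later, as Tom 13 notes below) will not appear in these keys at all, which is why PSI hands those off to Microsoft's service rather than scoring them itself.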

  4. jnemesh

    The biggest risk to Windows users...

    Is Windows itself. Just say no and move on to a better OS already!

    1. Grikath

      Re: The biggest risk to Windows users...

      Your tears of rage and impotence fuel my spaceshi... oh wait that's a different forum.. :P

  5. Anonymous Coward

    I would use java except that threadpools are forced on you. Apparently one person is largely responsible for that code and that it is highly complex and impossible for other experts to understand. A big plate of spaghetti. I find that java completely flakes out if you combine threads and even modest scale memory requests (say 1Mbyte or above). If you don't make the memory requests everything will run fine.

  6. David 132

    Why don't people update?

    Reasons why people don't update software on their systems:

    1) Apathy/Ignorance

    2) Hassle and inconvenience of patching/updating mechanisms

    3) Preference for the older version.

    The first reason will always be with us, and user education - and auto-update systems - are probably the answer for them.

    Plenty of attention has been paid to (2) - see comments above - but I think that's a red herring.

    Speaking for myself, if a new version of software is compelling and offers added value, I don't care if I have to manually download it and install it, I'll still do so.

    Which leads me to the third reason, which is one I don't think is appreciated.

    We've seen a trend in recent years for new versions of software to be qualitatively worse than older versions. Gone are the days when new versions were automatically better; now, they're often an excuse for the developer to foist their own ideas about user interface, micropayments, or workflow.

    Examples:

    iTunes 9 (I think?) which got rid of the Coverflow view for album art. Many people (myself included) liked "flicking through" our collections in this view to choose tracks. Gone. Not coming back.

    Windows 8 / TIFKAM, need I say more.

    Microsoft Office and the Ribbon interface.

    Solitaire/Freecell in Windows 10 - "watch adverts or pay us $10 for this formerly free game".

    These are all examples of software that the developer - and perhaps a large part of the user base - thinks have improved. But if you're someone who likes Coverflow, or the Windows 7 Start Menu, you'll fight tooth and nail to keep them.

    It's a simple calculation: if I move to new version of Application X, I will lose <feature I like>. If I stick with the old version, I might be attacked. But I can mitigate against the latter.

    Perhaps there's an argument to be made here for abstracting the user interface part of an application from the underlying security framework, such that the same security fixes can be easily made available for previous versions of the app (i.e, patching Windows 7, iTunes 8, Office 2003 etc against 2015 vulnerabilities). But there's little-to-no ROI for the vendors there, so I can't see it happening (more than the grudging extent they do at present).

    1. Gene Cash

      Re: Why don't people update?

      You forgot:

      Manufacturers trying to ram other things in, disguised as an update. For example, browser toolbars and Windows 10.

    2. tony2heads

      Re: Why don't people update?

      Number 2) - inconvenience is the big one for me.

      I remember having to give a presentation once with a Windows system and it insisted on a huge update while I was doing the intro.

      After that I used a Mac or Linux box. Do the bloody updates when I say so, without umpteen reboots

      1. Tom 13

        Re: I remember having to give a presentation once

        That's all on you, not on Windows. It was your job to make sure the machine was ready before you did the presentation. Yes, that includes making sure everything was up to date.

  7. a_yank_lurker

    Updating Software

    The issue is that most users do not update the installed applications and do not remove those which they have not used recently and are unlikely to ever use. Part of this is there is no convenient system for the user to manage updates, installs, and removals from a Windows box. The major mistake is to assume the users are all that proficient. Any OS level system that makes updates relatively painless for the users will likely be accepted.

    The problem with multiple updaters running is they compete with each other and operate completely independently of each other. Windows is long known to require reboots after updates and multiple, independent updates means it's highly likely there are multiple reboots.

    1. Pascal Monett

      Windows requires rebooting when updating Windows components.

      I've had Microsoft Security Essentials, Firefox, Windows Defender, Notepad++ and a host of other programs update themselves and the worst that happens is that the program restarts.

  8. FrankAlphaXII

    Apple? really?

    I'd have still figured it was Flash.

  9. Anonymous Coward

    It's luser error in running Windoze obviously. I wuv you AAPL.

    At least that's what a fanboi told me earlier

  10. Herbert Meyer

    because they cost money

    "About one in 20 application installations on private US PCs are at their end-of-life, according to Secunia. That means the packages are no longer supported by the vendor and do not receive security updates."

    The replacements would cost money, and require dogbrain users to re-learn how to abuse the product. So the old versions live forever, and tech support generates new virtual machines to conceal reality from the senile apps.

    1. Grikath

      Re: because they cost money

      That may be true for business applications, which do tend to represent a significant investment for a company, but this is the stuff that is Free... In case of some you have to actively employ Scorched Earth techniques to keep your system free of them.

      So I don't really think your argument about money and dog-brained users would apply here.

      "Woof" by the way..

      1. Tom 13

        Re: because they cost money

        Nope, that's EXACTLY why I have EOL programs on my home system. It would be another $80 (every three years) just to fix something that OUGHT to be a utility in the OS. My monthly budget is down to my last $30.

  11. Anonymous Coward

    *What* Java?

    Is "Java" about stand-alone Java (JRE/JDK) or (as I strongly suspect) about the Java browser plugin??

    Yet another El Reg article which does not make this difference clear...

  12. altonius

    QuickTime update only for Windows Vista and 7

    I've been looking at the Secunia report, and it looks like part of the problem is that Apple state that QuickTime is only for Windows Vista and 7. Those with Windows 8 and above are likely to have problems auto-updating to Quicktime 7.7.8.

    1. Tom 13

      Re: QuickTime update only for Windows Vista and 7

      Nope Secunia takes that into account. Bought a new laptop for my mother last week and was doing the updates (now I can officially say I've worked with it and it's dog barf). After I finished MS updates I installed PSI and got a clean scan. No, I wasn't installing Apple related stuff, but they moved Flash into the OS as well, and it didn't show up in the Secunia scan.
