Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

95 Of Every 100 Windows PCs Miss Security Updates

timothy posted more than 6 years ago | from the vested-interests-rational-fears dept.

Security 126

An anonymous reader writes "From Computerworld today: 'Nearly all Windows computers are likely running at least one unpatched application and about four out of every ten contain 11 or more vulnerable-to-attack programs, a vulnerability tracking company said today.' The new data comes from Secunia's free security-patch scanner the Secunia's PSI. The complete data run-down is available here."

Sorry! There are no comments related to the filter you selected.

Hang on- (5, Funny)

Naughty Bob (1004174) | more than 6 years ago | (#21992540)

Well shit! this would explain all that stuff about windows and viruses I keep hearing about....

Yeah well guess what (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21992542)

I have some advice, which is redundant. So I'll let you gueess what I am going to say.

Well, 99 out of 100 (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21992548)

niggers missed their humanity updates.

Grow up, niggers.

Sounds like like Lunix, OSX (5, Insightful)

Anonymous Coward | more than 6 years ago | (#21992572)

So the point isn't about Windows... the point is about users.

Re:Sounds like like Lunix, OSX (-1, Flamebait)

superbus1929 (1069292) | more than 6 years ago | (#21992778)

Who modded this to flamebait? Who gave the retards the mod points? Lusers are the weakest link in IT. This is a common fact. But since this isn't flaming Windows, it's flamebait?

*Watches karma drop like a rock*

Re:Sounds like like Lunix, OSX (5, Interesting)

Architect_sasyr (938685) | more than 6 years ago | (#21992828)

I don't know why this was modded flamebait, maybe because the AC says "Lunix". The point *is* about Lusers, that is the WHOLE point. I for one know that the only reason my Mac users update their software is so that they can have the latest and greatest, the Linux guys in the office don't update their software. This is actually good because I rely on exploits to gain remote control over some of those machines which are *technically* out of my jurisdiction. The windows users all update their software regularly. Why? Because I built a WSUS server and FORCE them to via group policy. Fully 85% of them hadn't done a single update till I forced this out (note: only recently stepped into this role, so not my fault!). I know most of them don't do it at home.

Linux users, OS X users, hell even me and my FreeBSD boxes are just as bad. It's a PEBKAC and has nothing to do with what OS you run.

Re:Sounds like like Lunix, OSX (2, Insightful)

Naughty Bob (1004174) | more than 6 years ago | (#21992970)

Agreed it's a PEBKAC, pretty much the only predictable thing when designing software it the likelyhood of humans, with all their crazy ways, using it. That's why this story is really about how effectively software producers anticipate, discourage, and otherwise strive to design out situations like the one described. MS may be evil, but it's not the point here for sure. The point it that they don't take a cogent, cohesive view of the whole social engineering side of their business.

Re:Sounds like like Lunix, OSX (2, Interesting)

techno-vampire (666512) | more than 6 years ago | (#21993012)

...the Linux guys in the office don't update their software.


Considering what you say later, I presume you think this is a Good Thing. If you want them to stay current with updates, use a distro such as Fedora that has a built-in update feature. Of course, using it would require the regular users to have the root password, or have somebody come through to enter it, but the same thing's true about Windows boxen and the Administrator password.

Re:Sounds like like Lunix, OSX (0)

Anonymous Coward | more than 6 years ago | (#21993298)

Have you never heard of `sudo`?

Re:Sounds like like Lunix, OSX (2, Interesting)

techno-vampire (666512) | more than 6 years ago | (#21993598)

The Uptodate program in Fedora runs automatically in X, and prompts for the root password. Sudo, although a good program, wouldn't help here. (Having the program suid to root would work, of course, now that I think of it.)

Re:Sounds like like Lunix, OSX (2, Insightful)

swimin (828756) | more than 6 years ago | (#21994768)

Please look up gtksudo.

Re:Sounds like like Lunix, OSX (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21993038)

Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching. Would it matter in the slightest if everyone patched themselves anyway? Exploits in Windows are a dime a dozen, I just make sure to have a secure connection, avoid IE and block scripts by default, keep my AV and spyware removal tools varied and up to date and completely ignore Windows service patches.

Re:Sounds like like Lunix, OSX (1)

ichigo 2.0 (900288) | more than 6 years ago | (#21995018)

Most worms/viruses in the wild are based on reverse-engineered security updates, so keeping your computer up to date is a Good Idea. I have no idea how well anti-virus scanners work, but since XP came out I have relied exclusively on security updates, a hardware firewall, avoiding IE and suspicious software without any problems. OTOH the contents of my computer are expendable, so I'd rather wipe everything and reinstall than spend a large portion of my computing resources on real-time anti-virus software. Hell, as long as a virus uses up less resources than an virus scanner I might even let it live, I'd still be ahead.

Re:Sounds like like Lunix, OSX (1)

tsa (15680) | more than 6 years ago | (#21995688)

My thoughts exactly. I hate virus scanners with a passion. They are responsible for so many lost hours they're really not worth the trouble. Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses. That's 40 weeks a year 20 minutes, makes about 13 hours lost time. I cost around 100 euros an hour, so that's 1300 euros down the drain. Nice work, Norton!

Re:Sounds like like Lunix, OSX (0, Offtopic)

tsa (15680) | more than 6 years ago | (#21995698)

And drat, it's "its", not "it's" in '...check its viruses.' I never thought I'd make that mistake. AAaaarrg!

Re:Sounds like like Lunix, OSX (0)

Anonymous Coward | more than 6 years ago | (#21997232)

dumbass faggot.

Re:Sounds like like Lunix, OSX (1)

MrAngryForNoReason (711935) | more than 6 years ago | (#21997542)

Every thursday morning my computer is unusable for about 20 minutes because it has to check it's viruses.

Wouldn't it make more sense to schedule a scan on Thursday afternoon at whatever time you finish work and set it to shutdown the machine on completion?

I have my anti virus program set to run at 5pm every day. If I am working later than 5pm then I either just cancel it safe in the knowledge that it will run the next day or let it run in the background, with a dual core processor I find the performance hit is negligible.

Re:Sounds like like Lunix, OSX (1)

darthflo (1095225) | more than 6 years ago | (#21997838)

Whoa. You cost 100 an hour, (apparently) work in IT and still use Norton? Masochist.

Re:Sounds like like Lunix, OSX (1)

1u3hr (530656) | more than 6 years ago | (#21995538)

Bah, I'd say even of those 'in the know' 95% are jaded cynics like me who have never and will never believe Windows to be magically secure after an update and really can't be bothered patching.

My PC runs Win2k, my wife has an XP laptop. I've updated both to the last full service packs, but not any of the incremental patches. I hide or delete IE and Outlook, have a router and software firewalls. In 6 years no virus or exploits. And yes, I would know -- in previous discussions people smugly say my PCs must be zombies and I'm just too dumb to notice. If you don't believe me, sorry.

Re:Sounds like like Lunix, OSX (1)

T-Bone-T (1048702) | more than 6 years ago | (#21995610)

Funny, I use IE, Outlook, Vista, and try to keep the list of updates as close to 0 as possible and I haven't had a virus in over a year. That one virus I had over a year ago on XP had a strong possibility of being a false positive. My history before that is also basically the same.

Re:Sounds like like Lunix, OSX (3, Insightful)

VGPowerlord (621254) | more than 6 years ago | (#21993122)

Mac users don't get annoyed by the bouncing icon?
Ubuntu users don't get annoyed by the yellow box that pops up about system updates?

You'd think that update systems that get on people nerves would actually make them update...

Re:Sounds like like Lunix, OSX (1)

Jugalator (259273) | more than 6 years ago | (#21997182)

... and Windows users don't get annoyed by the reminder that pops up every now and then?

But I'm not sure if it's just about the OS bits. This article talks of third party apps. In Ubuntu, such apps are often covered (unlike in Windows) by the auto-updater too in case they came from the Ubuntu repositories, but not ALL of them, for example if they're not covered by the auto updater and one wouldn't care.

And in this survey, they're including Windows installs with even just ONE unpatched application. No wonder the number is so high.

in Linux, updating stuff breaks it (-1)

Anonymous Coward | more than 6 years ago | (#21993716)

In Linux, unlike Windows, doing updates will cause something(s) to break.

Re:Sounds like like Lunix, OSX (2, Interesting)

Ajehals (947354) | more than 6 years ago | (#21993996)

This isn't just about the OS upgrades though, the huge difference between updating a windows box and (for example) a Debian box is that you update *everything* when you update. On top of that you can (as with windows, just go for security updates, use a local mirror (I assume windows does this) and automate updates.) Of course that's a home environment, for corporate environments it is even easier as your local mirror and update system (WSUS equivalent) is also handily your software repository and RIS service.

On a home windows box you may have to configure 5-8 different update systems (sometimes different, or at least separate systems for different packages from the same vendor) *and* make sure they are doing what they are supposed to do, not to mention that some software doesn't even have an automated update facility and needs manual upgrading. In a corporate settings you should be able to apply most updates in an automatic way (Although some probably wont be easily automated) and WUS takes some of the strain for the OS, other Microsoft Software and Drivers etc..)

Strangely even my ISP offers a Debian mirror these days so downloads are blindingly fast (I actually manage to reach the DSL download 'speeds' I am paying for).

You are happier with WSUS than I was (3, Interesting)

JimmytheGeek (180805) | more than 6 years ago | (#21994050)

We deployed it at my previous job, for 1100 machines. I found it a huge waste of time with large numbers of machines unable to update, or only partially updating. Almost none were completely updated. Status reports were off, reporting missing patches that I KNEW were on the box (installed manually and verified). I'm pretty sure it reported patches on that weren't. So not only could I not rely on it to do the job, I could not rely on it to tell me where it had succeeded and where it had not. I found it marginally better than nothing, not a solid enterprise ready tool.

It will take MS another 10 years before it's products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.

Re:You are happier with WSUS than I was (1)

kellyb9 (954229) | more than 6 years ago | (#21998464)

It will take MS another 10 years before it's products are enterprise ready. Enterprises use their stuff anyway, but the products aren't ready.
I doubt any companies products are "enterprise ready", Linux and Mac included.

PEBKAC is you (2, Interesting)

SanityInAnarchy (655584) | more than 6 years ago | (#21994638)

Well, your department, maybe not you personally. I have no idea what the office politics are like there, so I don't know what's actually stopping you from implementing best practices...

There's nothing magical about WSUS.

I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update. If it's a desktop Linux machine, institute a policy that machines get shut down when you leave -- thus allowing you to upgrade the kernel.

So you're right, it has nothing to do with what OSes are being run. But you're wrong to blame the users here -- many of them (rightly) feel that this should not be their job. I get to admin my own machines where I work, so keeping them up-to-date is my job -- and also my responsibility; there's no IT department to blame if something goes wrong. But in an organization which does have an IT department, even if it's a one-man IT department, keeping the system up to date should be IT's job.

Re:PEBKAC is you (0, Flamebait)

fat_mike (71855) | more than 6 years ago | (#21995806)

You're IT department consists of you and you're imaginary friend doesn't it. Eat me.

Have you actually worked with real employees? My guess is no, and they probably would want to kick your ass if you did.

Re:PEBKAC is you (1)

weicco (645927) | more than 6 years ago | (#21997720)

I don't know how easy the tools are, but you should be able to build and maintain your own repository for your distro of choice. Then just add a daily cron job to each machine, forcing it to update.

The difference here, if I understand this correctly, is that in Linux, you have to run through every computer and add cron job by hand. In Windows, when you join corporate domain this all is done automatically. So WSUS/group policy saves user's and admin's time.

May I partially disagree with you, sir? (1)

Spy der Mann (805235) | more than 6 years ago | (#21993726)

Agreed, users SHOULD update their software regularly. However, one thing is having the will to update software, and a very different thing is having software with the need to update every 4 weeks!

Some versions of PHP, OpenSSL and Apache are buggy. Granted. However, not all users have a webserver on their machines. The problem is when the software they're running (i.e. Windows) is so crappy and awfully designed that its security has more holes than swiss cheese.

Re:May I partially disagree with you, sir? (1)

WillAffleckUW (858324) | more than 6 years ago | (#21994018)

Some of our dual-boot machines aren't used in the Windows configuration very often.

Why bother dual booting over to Windows just to download security patches when the last time someone ran Windows on that box was in 2006?

Re:May I partially disagree with you, sir? (0)

Anonymous Coward | more than 6 years ago | (#21995316)

Some of our dual-boot machines aren't used in the Windows configuration very often.

Why bother dual booting over to Windows just to download security patches when the last time someone ran Windows on that box was in 2006?


Then dual-booting is a really bad option for you.

If you can't be bothered to keep your software secure, you shouldn't have it there.

Re:Sounds like like Lunix, OSX (1)

ucblockhead (63650) | more than 6 years ago | (#21994586)

The nice thing about debian based distributions is that there's a system that automatically patches nearly all installed applications rather than just the OS itself.

False dichotomy (1)

BeanThere (28381) | more than 6 years ago | (#21997146)

It's about BOTH. Pretending it's only about one or the other is an attempt to purport that the quality of Windows does not even enter into the equation and thus that the quality of all OS's is effectively equivalent. This is obviously false, the crappy quality of Windows most DEFINITELY has a lot to do with it too (and this is why the parent was also rightfully modded flamebait).

I'm not shocked (3, Insightful)

Nero Nimbus (1104415) | more than 6 years ago | (#21992616)

This isn't really surprising, given that most people treat computers like just another appliance. Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.

Re:I'm not shocked (1)

scum-e-bag (211846) | more than 6 years ago | (#21992732)

Then again, not every piece of software alerts you when a new version comes out, so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.

Re:I'm not shocked (1)

Traxxas (20074) | more than 6 years ago | (#21993544)

Come on, I love waiting 3 weeks for a Firefox update.

Re:I'm not shocked (1)

snl2587 (1177409) | more than 6 years ago | (#21995608)

...and for a distro like ubuntu which misses oh so many updates it is harder than say, Debian.

...only if you're using the default repositories and not the most current ones. One of the little things about Ubuntu is that only well-tested updates make it to final release, and this takes time. Should certain updates be pushed through almost instantly? Of course they should, and things like the recent Samba Server update (update to the update, really) are.

I know that for my Windows box I'm one of those 95%. I have so much crap on there that I wouldn't be surprised if 95% of the programs were unpatched, ignoring those that actually prompt me to update (which seems to be limited to my office, firewall and antivirus programs).

Re:I'm not shocked (1)

JacobO (41895) | more than 6 years ago | (#21992776)

I personally get annoyed by the intrusive software that interrupts my work (or play) with something I'm not particularly interested in: software updates. Do it silently and let me get back to Desktop Tower Defense!

People ignore software update alerts (4, Insightful)

Freaky Spook (811861) | more than 6 years ago | (#21992816)


When I look at people's computers these days they have heaps of different software popping up asking for updates, its got to a point where people ignore it, because its much too common.

The thing that annoys me most about update alerts is they never give you a reason why the software should be updated. It would be nice if they would give you a link or a summary of simple reasons why you need to actually update their free crapware.

Java and adobe products are probably the worst with this.

Re:People ignore software update alerts (1)

QuantumG (50515) | more than 6 years ago | (#21993938)

Maybe Microsoft needs to supply an API for a single update manager.

Either that, or get a proper package management system.

Re:People ignore software update alerts (2, Interesting)

SanityInAnarchy (655584) | more than 6 years ago | (#21994672)

See, I generally trust the updates, because I figure that if Adobe didn't screw me over the first time, they're not going to screw me over this time.

So, what I've done is, I leave the update notifications on, in case I forget, but I make a habit of, when I first boot, checking for updates. This means that I get to sit and drink coffee and slowly wake up in the rare case that a reboot is required.

The difference is, on Ubuntu, I push one button for it to update, and then I forget about it for the rest of the day. If I really wanted to, I could script that -- have everything handled by a cron job.

On Windows or OS X, there's probably at least five or ten things which try to auto-update (or at least ask permission), and another five or ten things which don't even try, but which it's generally a good idea to keep up to date. So I still make a habit of checking Windows Update, but there's also a dozen things I don't bother to check (partly because some won't even work; my video drivers are not likely to get any more updates, ever), and there's a dozen things that pop up and cheerfully inform me that I have a few hundred megs worth of, say, Java updates to download.

So yes, Windows needs a proper package manager. A package manager is more than updates, but it would be nice to have just one place to check for updates, or just one thing that nags me to update, and then not have to deal with it for the rest of the day.

Fortunately, with HD-DVD work on hold, I get to run Linux at work.

Re:People ignore software update alerts (0)

Anonymous Coward | more than 6 years ago | (#21994806)

It is well that they do, for all, I mean ALL so called updates are really to convert the crapware, whatever it is, to scamware or spyware or some other kind of malware or any version or combination therof. Just one example, SP2 for XP and SP4 for Win2K was spyware on the operating system level.
Hey, the data these so called updates steal and feed through the internet to shadowy database operators must have value and be immensely resellable. Look at Kroger and their 'Kroger-Plus' card. That little piece of crap identifies you and stores all your grocery and other purchases. What use it makes of all this is not volunteered. One use was found out by the Berkely Barb when it reported this company volunteering its 'customer data' to the Homeland Security Department. In any case, Kroger is willing to forego up to fourty percent of the retail price of any given item just to have a customer's data on that item. On the basis of watching what a company does rather than what it says, this speaks volumes. That is why no windows users that have any intelligence 'update' their stuff.
Who wants 'online activation' when they know that three hardware upgrades to their pooter and they are not only refused another, but blacklisted as well; meaning that person's new purchase of another microsoft product will be blackholed as well.

Re:People ignore software update alerts (0)

Anonymous Coward | more than 6 years ago | (#21995038)

I know I ignore software update alerts. Most of the time, if it's not a security fix, I don't care. I have a working computer that does what I want. How many Window users really needed the new functionality of the latest WMP with DRM? I don't even use WMP.

Re:I'm not shocked (1)

Monsuco (998964) | more than 6 years ago | (#21993434)

actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
I wonder why all these companies, Adobe, Real, Sun, Apple, these companies want their products up to date, MS wants Windows to be secure and therefor would want all the software on it to be patched why not work out a deal where other software providers can update through MS update along with Office and Windows. I do think it might be against antitrust laws so they might be restricted in that way.

Re:I'm not shocked (1)

Nero Nimbus (1104415) | more than 6 years ago | (#21994206)

You can't do something like that! It makes too much sense.

Re:I'm not shocked (1)

Jugalator (259273) | more than 6 years ago | (#21997200)

so actually keeping 100% of all software on the box current is harder for Windows than say, Ubuntu.
It may be slightly easier in Ubuntu for various reasons, but I'd say it's still quite a challenge to keep 100% of all software used updated at all times for a novice user, even on Linux. The repository-based installs helps a lot, but not all of the software is installed that way, for example.

Is that... (2, Insightful)

15Bit (940730) | more than 6 years ago | (#21992684)

...just the legit licensed ones they're talking about or *all* Windows PC's?

Re:Is that... (4, Insightful)

Qzukk (229616) | more than 6 years ago | (#21992746)

Nah, it's the ones where people did the smart thing: they set up automatic updates, they set up a non-privileged user that they use every day... then they never logged back in as Administrator to click "ok" on the service pack 2 license.

Re:Is that... (1)

VGPowerlord (621254) | more than 6 years ago | (#21992986)

I haven't actually tried this, but doesn't the Windows Update Service just throw the notice at whichever user is logged in, since it already runs as a privileged user?

This also doesn't apply to businesses that use a [url=http://technet.microsoft.com/en-us/wsus/default.aspx]WSUS[/url] [url=http://en.wikipedia.org/wiki/Windows_Server_Update_Services]setup[/url].

Re:Is that... (0)

Anonymous Coward | more than 6 years ago | (#21993672)

By default, no; only administrators receive automatic update prompts. This means that things which require acceptance of a licence agreement will never be automatically installed (essentially just service packs and IE7).

This can be changed in group policy. Additionally, WSUS will allow you to force any update through, licence or no.

Re:Is that... (1)

ashridah (72567) | more than 6 years ago | (#21993306)

Those popups actually run as SYSTEM, (which is why you can't get hyperlinks in them, incidentally) so you can still apply updates through them. Means that the updating tool needs to be careful, of course.

ash

Re-think (0, Insightful)

Anonymous Coward | more than 6 years ago | (#21992702)

This kind of data ought to prompt serious developers to drastically re-think the current desktop security paradigm. Whether it's Windows, Mac OS or Linux, the premise is that the software will frequently prove insecure or deficient and regular updates are required. We expect users to OK these updates and wait for them to take place.

Obviously 95% of people aren't doing this, so what do we change to fix that? We need to have some combination of the following:


  • Less updates
  • Less security holes
  • Smaller updates
  • Less user intervention

Personally I think the ideal solution would be to first lock the desktop down. Nothing listens on any ports, ever, unless the user downloads and installs something new. Strip out relatively unused functionality, because it's not worth the security tradeoff. No more Internet Explorers: the specific people responsible for fuck-ups so disastrous and far-reaching ought to be named, shamed, and unemployed. The same goes for the clown responsible for Ubuntu storing the root password in plain-text during installation, if you're concerned about balance.


I know this is all a pipe-dream, and nothing will ever change. What I secretly wish for is for something on the scale of the Storm Worm, only more malicious and destructive. If somebody gives the public something serious, like a computing 9/11... I don't know... Wipe all their stupid mp3s and photos or something. Really drive it home into the public conciousness. Maybe then they'll understand that the internet is serious business. Also I'm drunk, which if Taco had the slightest clue what he was fucking doing in Perl, would mean an automatic +1 Drunk post score bonus. Fuck you Rob, all this fucking JavaScript has ruined Slashdot for me.

Re:Re-think (1)

DCTooTall (870500) | more than 6 years ago | (#21993096)

Hmmm... Better option to drive it home to the public without causing MASSIVE damages....

Take all the pictures and email on the Harddrive and make it publicly accessable. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive. Hell... put those C&C servers to good use if needbe and proxy the connections so that it can even be a non-standard port for those ISP's that block port 80 servers.... and to get around NAT routers, and other software firewalls.

Why do I think this would be a better way to shock people into action? Several reasons.
1. People in general have a LOT they may not want getting out for purely embarrassment reasons. Knowing that not taking security of their machine seriously could result in this could do more good than simply forcing them to reload because their programs no longer work, or their system is now "slow".
2. The Politicians and corporate types who like to think that there's nothing wrong with the state of computer security, or that their programs are not gonna get hit because X company says they build secure software, and don't question the claim.....usually have more to hide and therefore and much more likely to step up and realize that something needs to be done to fix the problem and/or force proper accountability on people to patch their bugs. (how many security holes exist and are known, but said companies refuse to acknowlege them UNTIL after they are exploited?)


And My personal favorite reason......3. Think of all the free amature porn we'd suddenly have access too from people who don't think their "private" picture folder will EVER be seen? That alone could be worth the price of admission. lol


Hmmmm.... ya know... Since their seems to always be a Financial reason for people to create and seed virii these days...Said central server could charge a small access fee to gain access to said "web-content". Money is made for the person who implements the idea... and the public still gets their embarressment wake-up call. It's win-win....

Re:Re-think (1)

secolactico (519805) | more than 6 years ago | (#21994472)

Take all the pictures and email on the Harddrive and make it publicly accessable. Maybe something as simple as a web-server virus which creates a webserver on the machine and allows EASY PUBLIC...easily findable...read-only access to all the files on the drive.

This could actually be more damaging than just deleting the files. Embarrassing would be just one result of exposing all this info. But you can probably get a lot of info from personal pictures to steal an identity or stalk/harass/hurt somebody.

Re:Re-think (1)

DCTooTall (870500) | more than 6 years ago | (#21996030)

Sadly I could say that they probably couldn't get anymore than existing social engineering and phishing methods don't already get. It would also potentially help maybe force something to be done about the existing financial and credit system which allows it to be so easy to have someone screw up your credit, yet so hard to fix it.

(And sadly... I know from experience that it's also 100 times easier to get a stolen identity "fixed" in your credit, than it is to fix an error the credit agency made on their own.)

Re:Re-think (2, Interesting)

ToasterMonkey (467067) | more than 6 years ago | (#21993680)

I really think this is one case where user education should be considered more important.

There's nothing wrong with your suggestions, and those should still be goals. However, it's a bit like suggesting the solution to 95% of automobiles not receiving regular oil changes is to build engines that only require a change every 20,000 miles. The problem will probably never go away, but that's a nice goal. Now it's going to be forgotten about more often, put off longer, thought to be less important, ignored, and less understood. There will be a bigger gap between the frequency required for driving under "normal" conditions and "severe".

There are similar conditions with software updates. Sometimes patches should be applied immediatley, sometimes they can be put off longer. One thing is for sure, they will always be necessary, at least in the foreseeable future. In both cases, higher frequency is always better. Wouldn't an optimal solution be that both processes are as cheap, fast, and painless as possible, enabling them to be done very frequently? Imagine if an oil change was as painless as getting your car washed at the gas station is, or just an extra button to press at the pump. Now, given price of oil, that might not be feasible in the absence of some kind of cheap oil recondition/reuse process. Still, it's a better solution than merely lengthening the frequency.

I'd say your "Smaller updates", and "Less user intervention" should be among the highest priorities, along with anything else that can make patching both as trivial and frequent as possible. Not only that, but if user intervention is required at all, the importance of the patches needs to be made clear. Patches fixing remotely exploitable bugs should be made VERY clear, in bright red colors or something, not mixed in casually with other patches like it's no big deal. Part of the problem now is that most users don't know WTF the severity of "Windows Updates" or "Software Updates" is. Neither of those sound very important do they? Maybe somewhere in the details of WU patch installation, the word "security" or "critical" is mentioned (can't remember, staying on the safe side), and Apple's Software Updates sometimes lists "Security Update" items. Those are not enough to convey the importance of applying patches promptly as possible.

Re:Re-think (1)

SanityInAnarchy (655584) | more than 6 years ago | (#21994722)

Obviously 95% of people aren't doing this, so what do we change to fix that?

Here's what I'd do:

  1. Remove the user from the equation (fully automate everything)
  2. Not care what happens to anyone who disables #1

Over All... (2, Interesting)

jellomizer (103300) | more than 6 years ago | (#21992762)

I am not to suprised I would think this is constant 95 out of 100 Linux boxes are missing security updates 95 out of 100 Macs are missing security updates.

Re:Over All... (1)

shadylookin (1209874) | more than 6 years ago | (#21993000)

I doubt that, quite a few linux boxes are used for servers which most people take special care to keep secure. It also may be a little bias, but I think most linux users are more likely to get updates since installing linux is a conscious choice and they probalby have a little more knowledge than the average Windows

Re:Over All... (1)

jammo (981940) | more than 6 years ago | (#21993398)

If it ain't broke, don't fix it! As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall why ever update it until you want to actually update the stuff it is serving. Most updates seem to slow things down these days. I only need to run a server or 2 on a box, maybe KDE or whatever, if the desktop is going to behave and not force me to retreat back to command line as some mime type change I made fancied opening an html file in some crap like kwrite when all I want is vi(m) anyway. I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server, adding all those tedious --include-something-or-others or whatever again. Can't be doing with change, maybe computers aren't for me, they bitch too much, especially Windows, with it's Are you really sure's and You really don't want to do that, don't make me perpetuate the hourglass symbol crap!

Re:Over All... (1)

JimCDiver (1217114) | more than 6 years ago | (#21993630)

Couple hundred sun boxes at work. We still have some running Solaris 5.5. We absolutely do NOT update unless it is required for a business reason... and then it has to all go though Change Management so guaranty its not going to castrate a couple million mail boxes. I think the DST fiasco last year costs us a few hundred man hours.

Re:Over All... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#21994776)

As long as your ports aren't all opened up by default and your server is behind and monitored by an updated firewall

Or my server could be an updated firewall.

At the very least, you want to keep sshd up-to-date.

Most updates seem to slow things down these days.

Plenty of updates speed things up. See Ruby.

I have plenty enough unix knowledge to know that that odd libmcrypt version update out of sync with mhash or whatever means I have to reinstall a server

Wow, your distro must suck.

Re:Over All... (0)

Anonymous Coward | more than 6 years ago | (#21998766)

That's a whole load of hore sh*t.
Most admins and especially Linux guys are lazy.

Most boxes are not up-to-date.

Boxes that are automatically updated are genrally managed badly on some other side.

This is once again one of these "we linux people are smarter, we're the elite" type of nonsense.
That attitude also is keeping a lot of managers from really trusting your judgement and they are right....

Sales FUD (4, Informative)

MeanMF (631837) | more than 6 years ago | (#21992832)

They're looking at EVERY piece of software installed on the computer, not the OS itself. They're doing this along with a very generous definition of "security update" to come up with hugely inflated numbers so they can better scare the clueless into buying their services.

Re:Sales FUD (1)

phantomcircuit (938963) | more than 6 years ago | (#21993060)

Except this software is free for non commercial user.

Re:Sales FUD (1)

hurfy (735314) | more than 6 years ago | (#21993202)

I think EVERY is an understatement. The stats come out to over 81 applications on AVERAGE per computer. Huh? Even counting the Acrobat reader which always screams for an update and says it may not be able to open a file just before it does so, i can't imagine what that covers.

Also have to agree with comment below...The security conscious/paranoid are not going to install a 3rd party app that reports their vulnerabilities back to said 3rd party!

Actually, flawed software (1)

NetDanzr (619387) | more than 6 years ago | (#21996462)

I run Secunia's PSI, and I noticed a few flaws, which pretty much catch anybody. For example, it lists seven instances of Sun Java JRE on my computer, three instances of Adobe Flash and two instances of Adobe Reader. On top of it, it lists several instances of Macromedia Flash as "End of life" software. Obviously, all of those listed have been upgraded to recent versions, but the older versions either weren't properly removed by the upgrade, or Secunia never updated its database on my computer. Be it as it is, if you run a Windows PC and have Flash or Java installed, your computer will fall under the 95% of insecure computers regardless whether you update or not.

duhhhh.... (4, Insightful)

debatem1 (1087307) | more than 6 years ago | (#21992912)

Anybody who is remotely worried about security is probably not going to download a tool that reports your security status to another organization.

Run Microsoft Update not windows update on windows (3, Informative)

Joe The Dragon (967727) | more than 6 years ago | (#21993460)

Run Microsoft Update not windows update on windows system to get all of the windows base os + other APIs and runtimes + office updates.

Re:Run Microsoft Update not windows update on wind (1)

ucblockhead (63650) | more than 6 years ago | (#21994602)

That doesn't help much if the exploit targets Firefox or Adobe Reader or Photoshop or iTunes or...

And Adobe update, and Java update, and Software... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#21994798)

And what will update my video drivers?

Oh, whoops -- nvidia doesn't have ANY automatic update.

So yes, Microsoft Update is a start, but until it's just a generic Update feature which all apps can hook into, it's pretty useless for keeping the whole system up-to-date.

Updates Slow Computer Down (3, Insightful)

smist08 (1059006) | more than 6 years ago | (#21993538)

Many people have a bad impression of updates. They know for sure that updates slow down the computer and they know for sure that updates have previously broken things. So you have a choice: 1. Install something that will degrade your computer (possibly making parts of it unusable) or 2. Don't install it and just hope that you don't open a bad email or something, after all practically speaking viruses aren trojans are quite rare.

Unpatched? (-1, Flamebait)

FlyByPC (841016) | more than 6 years ago | (#21993548)

Nah -- that 95% just opted out of the downgrade to IE7.

How much of this is stuff people aren't using? (3, Informative)

DrData99 (916924) | more than 6 years ago | (#21993572)

With all the pre-installed trials and other crapware the comes with home computers it is likely that many of these unpatched applications are ones that are not really at risk since they are never used. I see this even at work, where we run regular vulnerability scans. You tell a user that they need to update and get told that they haven't used said product in .

Not worth it (1)

kemushi88 (1156073) | more than 6 years ago | (#21993668)

Except for the occasional windows patch, I don't think most of the patches really offer much benefit for the casual user. Is a tiny reduction in your vulnerability worth the effort/time it would take to run the update software/visit the manufacturer's web site for every piece of software that you own? I think the article would be more powerful if it stated 95 out of every 100 crash/identity theft/virus attack would have been prevented by a patch.

Re:Not worth it (1)

SanityInAnarchy (655584) | more than 6 years ago | (#21994830)

run the update software/visit the manufacturer's web site for every piece of software that you own?

It's not so bad when they update themselves (Adobe, Java, Apple, etc).

But yes, having to visit the manufacturer's website is bad. That's why we have this concept of a "package manager" on Linux, and why we're still so confused that people think it's more complex to install and manage software on Linux than on other systems.

Actually, I lied, there are currently two package managers I have to keep track of: Debian (Ubuntu) Apt and Rubygems.

Still, it means that if I really want to, I can do this:

sudo apt-get update && sudo apt-get dist-upgrade && sudo gem update

That will update everything except the Windows software that I have under Wine... Hell, I could add a couple of svn updates to that line, and it's even keep me up-to-date with everyone else in the office!

Here is a great little app for updating a pc (2, Interesting)

hairyfeet (841228) | more than 6 years ago | (#21993864)

Appget [app-get.com] . It is what I use when I need to update a pc someone has brought me in for repair. It will show the occasional false positive, for example, saying version 1.5 is newer than beta 2, but otherwise a quick and handy way to update a pc. One of the best things about it is you can make it better by submitting download links to software that isn't in the database. The more folks that use it the better it gets. And the developers are really nice about emailing replies and fixing bugs when you submit them. So if you need a free tool to quickly find out version numbers and update a pc's software, here you go.

Re:Here is a great little app for updating a pc (1)

adolf (21054) | more than 6 years ago | (#21996310)

I've heard of appget before, so this question might have an answer which is obvious to some, but:

What prevents me (or anyone else) from submitting bogus and/or malicious download links?

Re:Here is a great little app for updating a pc (1)

hairyfeet (841228) | more than 6 years ago | (#21997700)

The developers check out the download links submitted before adding them to appget. If you try out the program and submit a link, you'll see it takes an average of 48 hours for the new link to appear. I have submitted several and it always takes about 48-72 hours for my submissions to get added to the tree. It really is a great little piece of freeware if you you need to quickly find out version numbers and install updates on an unknown pc. I've been using it for over a year now, without a bit of trouble, and no ads or spyware at all. Give it a try and I bet it'll be added to your toolkit cd too.


Appget and Installrite [epsilonsquared.com] are the two freeware Windows programs I simply can't live without. Appget allows me to quickly find the updates the pc needs, while installrite allows me to make easy to deploy automated install .exe files for the freeware I give to any customer whose pc I work on. If they don't have MS Office installed I give them Openoffice, if they desire multimedia playback I give them klite codec pack, and for pictures I give them Paint.net and the Gimp. And with installrite the installation is simply two clicks and I'm done.


Give either or both a try and you won't be disappointed. And if anyone needs to know the steps to make an automated installkit with installrite feel free to email me, and if enough folks require the steps I'll post them here in my journal.

I should be safe ... (2, Insightful)

WoodstockJeff (568111) | more than 6 years ago | (#21993920)

... Windows Update tells me that the only update I need is "Windows Genuine Advantage", which I don't want, anyway. No other updates needed, since Microsoft told me that WGA wasn't necessary to get security updates... just "new features".

Yeah, right....

You call them security updates (2, Insightful)

WillAffleckUW (858324) | more than 6 years ago | (#21993998)

We in dual-boot land call them "driver downgrades".

Just look at the "fixes" in MS Office 2003 in the last SP.

Those removed the ability to open older spreadsheet formats we still have data stored in, so we had to roll them back.

And most of the fixes were already done when we switched to the more secure Firefox as our default browser and got rid of all Outlook instances.

Re:You call them security updates (1)

ribond (149811) | more than 6 years ago | (#21996290)

note that they just offered a fix to allow the older spreadsheet format to work after the update.

100 of every 100 Windows PCs miss security updates (0, Flamebait)

gmuslera (3436) | more than 6 years ago | (#21994136)

... at least if they are still running Windows.

A free system level common update system is needed (2, Interesting)

Joe The Dragon (967727) | more than 6 years ago | (#21994144)

MS needs to come out with a common update system that is easy for games and other apps to use and is free for developers to use. Then you can at lest get rid of having to deal with games and other apps having there own built in updaters and needing admin just to run them as some force you to get the updates to use them. This system can also make it easy to keep your whole system up to date. You will just need to be an admin to run that common update system or even let it be setup to auto run in the back round at system level. Also MS needs to let get the all of the updates form windows update using auto update. Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.

So what you're saying is... (1)

SanityInAnarchy (655584) | more than 6 years ago | (#21994880)

Ripping off Sudo was a good start, but they really need to learn some lessons from Linux package managers.

OS X has the same problem, by the way. Linux distros are really the only place you see a system-wide package manager.

Re:A free system level common update system is nee (0)

Anonymous Coward | more than 6 years ago | (#21997502)

I agree with your comment, but I don't understand this part:

Runas does not work for windows update in windows xp and 2000 and you need to run that to get the Optional updates.
I know Windows Update can be run using "Run as..." in Windows 2000 because I just tried it. (3 high-priority updates. Thanks for reminding me.) However, some low-level updates cannot be installed successfully unless the user is logged-in as an Administrator. Is that what you meant?

Click the "Start" button, Shift-right-click the Windows Update icon, select "Run as...". Alternately, start Internet Explorer as Administrator (Shift-right-click) and run Windows Update from the "Tools" menu.

Re:A free system level common update system is nee (1)

Joe The Dragon (967727) | more than 6 years ago | (#21997916)

First you should be running Microsoft Update and you need to be admin for it to fully work. They must of changed windows update / Microsoft Update to some what work with runas in the pass you got the admins only page / updates failing to install.

Re:A free system level common update system is nee (0)

Anonymous Coward | more than 6 years ago | (#21998296)

Good idea in theory, but oh and then games like Neverwinter nights (or was it knights of the old republic?) can send you an update which causes your game not to load again, since you have to have the CD in the drive, and the "copy protection" (which has been "upgraded") only works on certain brands of CD-ROM drives running at certain speeds. Yeah, like I would trust games publishers not to do that, thinking we are living in the 1980s and all using Commodore 1541 disc drives.

If you buy a game for PS2 or Gamecube at least you know it will run the next time you try to play it (I'm not sure about Wii/PS360 though).

And people like Adobe keep "upgrading" their licenses.

Yeah I'm usually a day or two behind myself (1)

davidwr (791652) | more than 6 years ago | (#21994492)

Most auto-update applications have something like this:

Check for updates:

*once a month
*once a week
*once a day
*every time you run it

OK the last item is missing from many applications. I bet most people run "unpatched" applications in the first hours after an update.

Re:Yeah I'm usually a day or two behind myself (0)

Anonymous Coward | more than 6 years ago | (#21994892)

Myself, I'm usually a couple weeks or a month or so behind on Windows XP updates. I do NOT let it auto update. Ever.

I am most certainly NOT going to install the latest and greatest Microsoft patches on my system until many others have done so and not suffered ill effects.

MS is partly at fault for this (2, Interesting)

Anonymous Coward | more than 6 years ago | (#21994530)

This isn't entirely the fault of users. One of my major complaints about windows updates is that they so often require a reboot. This is disruptive for any user, it's understandable that people would want to avoid that and "update later" (which is always forgotten). If windows updates were as minimally disruptive as possible (and I know for certain that reboots can be avoided almost always) users would be much, much more likely to allow automatic application of windows updates.

Re:MS is partly at fault for this (1)

Shados (741919) | more than 6 years ago | (#21995482)

Updates that don't require reboot don't force you to reboot... I agree too many of em do, but its been a heck of a long time since I had to reboot because of windows update...

And personally, what I always do, is update, then just say "reboot later"

You get a popup every 4 hours (I wish it could be pushed to more than that, but bleh), and then just turn my computer off at night.

Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown". I don't remember if XP did this (maybe, but I didn't notice it until Vista), so you just pospone the update until the next shutdown, no big deal. I used to never reboot my machines, but after a while, and as computers started adding up, it started to hit my electricity bill, and in the summer it just gets too warm and I end up spending even more money on AC, so I stopped that.

Re:MS is partly at fault for this (1)

Heian-794 (834234) | more than 6 years ago | (#21997998)

Also, in Vista there's something I like. If you simply don't update, the shutdown button turns into a "update and shutdown".

This should have been implented many years ago. My XP machine at work literally interrupts you every half hour to ask you if you want to restart now. You'd think that after three or four "no, not now" clicks, it would get the message. No one likes to have their work interrupted, and even if I have time to flip over to Slashdot and take a little break, that doesn't mean I have the luxury of closing all my open windows. Adding a third button with "do it when I shut down, and don't remind me again until then" would make security updates a lot more tolerable. Users might actually begin to see their usefulness instead of being annoyed all the time.

Not scientific and potentially biased (1)

ClosedSource (238333) | more than 6 years ago | (#21995026)

The report from Secunia is based on their users' PCs and thus is not statistically valid (has there ever been a statistically valid survey reported on Slashdot?). In addition, they have a vested interest in reporting a high number in order to promote their non-free version.

Pirates? (2, Interesting)

Jaktar (975138) | more than 6 years ago | (#21995374)

I wonder...of all of these unpatched systems, how many were pirated? That was the big stink when MS briefly turned off updates for non-verified Windows installations. Maybe people are afraid to update their pirated MS Office stuff in fear of being caught?

ObligFilmRef (1)

secretwhistle (1116881) | more than 6 years ago | (#21995572)

Well, I wouldn't say I've been "missing" them.

They don't miss them. (1)

feepness (543479) | more than 6 years ago | (#21996416)

They don't even know they are there...

Well Bob... (1)

Boydacus (861607) | more than 6 years ago | (#21998616)

I wouldn't really say I've been missing my updates...

update you fools! (0)

Anonymous Coward | more than 6 years ago | (#21999012)

keep your NSA KEY and remote exploits up-to-date!

Be sure and keep your diary on the same partition as your porn so chair thrower can masturbate while reading your adventures in loser land while wearing SUSE lizard pajamas and fondling Silverlight within Runescape.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?