Windows 8 a small first step to fixing the software update problem

Summary: On Windows and most other platforms, unpatched third party programs are a major point of vulnerability. Microsoft was timid about addressing the problem until Apple showed the way.

TOPICS: Security, iOS, Windows

According to a study by Secunia, which makes software to detect and update third party application software, "… [o]n a typical PC, users have to master 25 different update mechanisms to patch the 75 programs on it, in order to remediate vulnerabilities". Few of them are totally automatic, and so many users end up with vulnerable, unpatched programs on their systems.

Microsoft started to get their act together on updates about 10 years ago, steadily making Windows Update more automatic and more mandatory.


It struck me at the time that Microsoft was in a position to improve the updating of third-party applications by letting them use the Windows Update mechanism. Microsoft wouldn't need to deliver these updates from its own servers; it would only need to open the Windows Update process to call updaters supplied by the third parties. Windows Update could require that those updaters be signed with special code-signing keys, so that only vendors Microsoft allowed in could deliver updates through Windows Update, and so that Microsoft had a way to revoke a vendor's update status when it needed to.
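To make that proposal concrete, here is an added example in Go. It is not code from the original column and not any actual Windows Update component; it is a hypothetical model of the chain of trust the paragraph describes: an update authority (Microsoft, in the column) signs a certificate for each vendor it admits, the vendor signs manifests for its own updates, and the client trusts only the authority's public key plus a revocation list the authority publishes. The vendor id, product name and installer bytes are constructed for the example, and Ed25519 stands in for whatever code-signing format a real scheme would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type VendorCert struct {
	VendorID string
	PubKey   ed25519.PublicKey
	AuthSig  []byte // authority's signature over (VendorID, PubKey)
}

// Manifest describes one update; PayloadHash is the SHA-256 of the installer.
type Manifest struct {
	VendorID    string
	Product     string
	Version     uint32
	PayloadHash [32]byte
	VendorSig   []byte // vendor's signature over the fields above
}

// Signed bytes are JSON arrays so fields cannot run into one another.
func certBytes(id string, pk ed25519.PublicKey) []byte {
	b, _ := json.Marshal([]interface{}{"vendor-cert", id, []byte(pk)})
	return b
}

func manifestBytes(m *Manifest) []byte {
	b, _ := json.Marshal([]interface{}{"manifest", m.VendorID, m.Product, m.Version, m.PayloadHash[:]})
	return b
}

// IssueVendorCert is the authority admitting a vendor to the channel.
func IssueVendorCert(authPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) *VendorCert {
	return &VendorCert{VendorID: id, PubKey: pub, AuthSig: ed25519.Sign(authPriv, certBytes(id, pub))}
}

// SignManifest is the vendor publishing an update for one of its own products.
func SignManifest(priv ed25519.PrivateKey, id, product string, version uint32, payload []byte) *Manifest {
	m := &Manifest{VendorID: id, Product: product, Version: version, PayloadHash: sha256.Sum256(payload)}
	m.VendorSig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

type UpdateClient struct {
	AuthorityPub ed25519.PublicKey
	Revoked      map[string]bool // vendor ids the authority has pulled
}

// Verify accepts an update only if every link in the chain holds.
func (c *UpdateClient) Verify(cert *VendorCert, m *Manifest, payload []byte) error {
	if cert.VendorID != m.VendorID {
		return errors.New("manifest vendor does not match certificate")
	}
	if c.Revoked[cert.VendorID] {
		return errors.New("vendor revoked by update authority")
	}
	if !ed25519.Verify(c.AuthorityPub, certBytes(cert.VendorID, cert.PubKey), cert.AuthSig) {
		return errors.New("vendor certificate not issued by update authority")
	}
	if !ed25519.Verify(cert.PubKey, manifestBytes(m), m.VendorSig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(payload) != m.PayloadHash {
		return errors.New("payload does not match manifest hash")
	}
	return nil
}

// Scenarios runs the checks against constructed keys, manifests and payloads.
func Scenarios() map[string]error {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	venPub, venPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader) // never admitted by the authority
	cert := IssueVendorCert(authPriv, "acme", venPub)
	rogue := &VendorCert{VendorID: "acme", PubKey: roguePub, AuthSig: ed25519.Sign(roguePriv, certBytes("acme", roguePub))}
	c := &UpdateClient{AuthorityPub: authPub, Revoked: map[string]bool{}}
	good := []byte("constructed installer bytes, version 2")
	res := map[string]error{}
	res["good"] = c.Verify(cert, SignManifest(venPriv, "acme", "reader", 2, good), good)
	res["tampered"] = c.Verify(cert, SignManifest(venPriv, "acme", "reader", 3, good), []byte("swapped installer"))
	res["rogue"] = c.Verify(rogue, SignManifest(roguePriv, "acme", "reader", 3, good), good)
	c.Revoked["acme"] = true
	res["revoked"] = c.Verify(cert, SignManifest(venPriv, "acme", "reader", 3, good), good)
	return res
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```

`go run` prints one line per scenario: the genuine update is accepted, and the swapped installer, the self-certified vendor and the revoked vendor are each rejected with the reason. Two things the model makes visible that the proposal itself leaves open: revocation is only as good as the client's copy of the revocation list (here a local map; a real client has to fetch it over an authenticated channel and fail closed when it cannot), and the payload hash in the manifest is what binds the vendor's signature to the bytes the client actually executes, so a signed manifest without it would protect nothing. Version rollback protection is not modelled here.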

The benefits, I felt, were substantial: users would have exactly one interface through which updates were delivered, and they could be trained to look for updates there. The fact that the updates arrived, at least in part, through Windows should make them more credible.

I talked to Microsoft and wrote columns about it back in the mid-00's. The best answer I could get, unofficially, was that it was too big a liability problem. This answer was plausible, but uninspiring. Microsoft clearly had and has an interest in third parties keeping their Windows software updated and they were chickening out on a good way to address it.

Then the iPhone came along.

From a security perspective, the major game-changing characteristic of iOS is Apple's active and strict control over what software gets delivered to iOS devices. Just as all apps on the device must be delivered through the store, so must all updates to those apps. Apple had the nerve to do what Microsoft didn't. (Of course, Apple has always been more bold at telling their users what they can and can't do.)


Microsoft has largely adopted Apple's store practices for Windows 8 apps, including the centralizing of app updates. That's the good part. The bad part is that it only works for the new Modern UI (Metro) apps, not for classic Desktop apps. There's no practical way to retrofit the new scheme to Desktop apps and, from Microsoft's perspective, it would just perpetuate the "old" app model they are not especially encouraging at this point.

But, in the long term, it should make updates of third-party apps on Windows systems more consistent.

That still leaves the user problem: Just because there's a big, obvious number on the Store icon doesn't mean users will take the hint. I've seen many an iPad and iPhone with a double-digit number on the App Store icon and the user perfectly willing to ignore it. Alas, we can't yet reprogram the user.


  • Not quite

    "There's no practical way to retrofit the new scheme to Desktop apps" - actually, there has been a way to update .NET applications for several years as you envision.
    • .NET is fringe

      A solution for .NET is in no way a solution for Windows development generally.
      • It is the best solution

        It is the best solution; looks like you have never ever programmed and used .NET, and this model is effective and easy to implement.
        • What about non-managed/legacy software?

          So who uses 100% .NET based applications on the Windows desktop? NOBODY, that's who. Herding cats is much easier than getting all Windows developers to buy into a unified updating system for some reason. Until Adobe and Oracle and many others abandon all their non .NET code and re-write it in C# then what you suggest is an incomplete solution.

          Seems odd that getting a Linux based OS to update everything through one package management system happened so much easier and faster than in Windows, given the distributed nature of open source development and the sometimes strong personalities involved. Yes, there is the .DEB vs .RPM debate that will never end, but a couple of "standards" is far better than the stinky mess that Windows users have to deal with having potentially dozens of updating schemes.
          Mark Hayden
          • Lion vs. Kitten

            Linux is a kitten compared to Windows, of course there is a lot less to update! I could use my old CPU that ran Windows 95 and put the latest Linux OS on it.
            If Linux offers you the solutions you need to get the job done, great! It doesn't offer what I need, which I'm sure is why MOST businesses haven't made the switch.
          • If Linux might be a kitten

            It's the real kitten though, compared to Windows being a cartoon paper lion. I can tell you that on one Debian system, LMDE, I got 39,832 unique packages installable and updatable through the one installer/updater. This is roughly 55 "lean" gigabytes of software. Compare that to the "fat" gigabytes MS Windows might occupy with very few packages installed, say 12 GB for MSO on Win RT. Another instance is that the windows directory "puts on weight" with time.
            Your claim that "Linux got much less" is not substantiated, so you most probably talk about something you don't know very well.
          • I was replying to 1ndy

            it might have been incorrectly threaded.
          • In terms of lines of code, and perhaps even in overall ...

            ... efficiency, but there is no way that Linux is a "kitten" in terms of usability in the hands of the novice consumer with no support.

            Most businesses have not "made the switch" because talented and experienced Linux systems administrators are very expensive to hire.

            On the other hand, any high-school kid with half a brain (and the will to do so) can earn Microsoft certification and become instantly employable.
            M Wagner
          • I can explain it to you but you will not get it, you have to use it yourself

            Updates are easy to implement. A lot of companies have their Windows applications in .NET C#/VB. I could tell you but it doesn't matter, you will not believe me...
          • Linux users are a far heartier group of users than typical Windows users.

            And, since there is no competitive or financial advantage to re-inventing the wheel in Linux it is a far simpler problem than having to support 85-year-old grandmothers and 15 year-old-boys with the same tools.
            M Wagner
  • Click-Once

    Microsoft has had the Click-Once deployment model for many years. This can optionally force a 3rd party app to update on startup. The 3rd party must maintain the deployment site (simple web or file share) with the latest version of the app. Of course this has nothing to do with the Store but does solve the issue of keeping 3rd party apps updated.
    Nole Mercy
    • So just go .NET?

      ClickOnce is, IIRC, .NET only. This is hardly a comprehensive solution for the software market. .NET has a lot of appeal for corporate development, but ISVs have largely rejected it.
  • Windows 8.1 has automatic updates of apps...

    ...I believe this is turned on by default, even if you update from 8.0. So your last point should be a thing of the past, unless users decide to disable the feature.
    • Was about to make the same statement

      with 8.1 updates being automatic and in the background.
  • Gotta agree with everyone else here

    Microsoft had Click-Once deployment available way back with .Net 2.0, which significantly pre-dates anything Apple had. Whether software vendors took advantage of it or not really wasn't under Microsoft's control. Now with Windows Store apps it is. You really need to research a topic like this before writing an entire article based on a false premise. It doesn't reflect well on your credibility.
    Sir Name
    • .NET is niche

      Click-Once is pretty cool, but being limited to .NET makes it niche. Most 3rd party desktop applications are not .NET applications. They are native code. Very expensive to convert to managed code, and your application will absolutely be slower, because .NET was architected for safety at the expense of speed.
  • Alas, we can't yet reprogram the user. The Matrix is coming

    Users can be a problem but they are not the only problem nor should we expect the user to fix this for us. Better software engineering and development tools that eliminate most problems based on forensic analysis folded back into the tools are the best course forward.

    IMO some of these updates are unwanted, for instance... The Weather Channel had a fairly simple clean app and with each update it gets worse, harder to use, and more ads. This is going to get deleted soon, I swear.

    In other instances perhaps a function works nicely enough but is broken in the update or removed altogether, that would keep people from wanting an update even with security issues.

    Still too... some programs/platforms (Java 6) have been abandoned. It's such a messy world, what's a user to do. In the case of Java, I blame Scott McNealy and think he should be sued for foisting the mess of Java on the world. He sold that junk based on a total pack of lies bigger than Mount Rushmore.
  • If Windows 8.1 was mandatory...

    If Windows 8.1 was mandatory, there would be many people unproductive right now!
    • I use Windows 8.1 daily - in a professional IT setting.

      And I am quite productive. You just have to be open to learning new ways of being productive.
      M Wagner
  • Not practical

    I'm a lawyer and before I even got to the part about Microsoft's response my reaction was "too much potential liability. John Doe Software doesn't have "deep pockets" but Microsoft does. Every jerk who screwed up an update of his machine would be threatening to sue Microsoft."

    The idea that there is a disclaimer buried somewhere in a EULA sounds nice--but that isn't how "the real world" works in American law. It's a lot cheaper to "put some money in the guy's pocket and his lawyer's pocket and move on" by paying a "nuisance claim" than to spend tens of thousands of dollars on legal fees and win. I'm not saying that's *right*, but it's the way things often *really* work.

    Let's face it--the vast majority of Apple users want it to "just work". They aren't interested in all sorts of weird custom programs to do odd things. With a much larger ecosystem, there are a whole lot more such users running Windows. More users creates more problems, and MS doesn't want to make itself a target.

    One last thing is that all it would take would be ONE third-party update accessed through Windows Update screwed up and everyone would be blaming MS and saying, "Don't use Windows Update!" Look at how Vista got a bad rap because *major third-party vendors* didn't provide updated peripheral drivers timely.