Windows 8 a small first step to fixing the software update problem

On Windows and most other platforms, unpatched third party programs are a major point of vulnerability. Microsoft was timid about addressing the problem until Apple showed the way.
Written by Larry Seltzer, Contributor

According to a study by Secunia, which makes software to detect and update third party application software, "… [o]n a typical PC, users have to master 25 different update mechanisms to patch the 75 programs on it, in order to remediate vulnerabilities". Few of them are totally automatic, and so many users end up with vulnerable, unpatched programs on their systems.

Microsoft started to get their act together on updates about 10 years ago, steadily making Windows Update more automatic and more mandatory.


It struck me at the time, now seemingly a long time ago, that Microsoft was in a position to help improve the updating of third party applications by letting them use the Windows Update mechanism. Microsoft wouldn't need to actually deliver these updates from its own servers; it would only need to open up the Windows Update process to call updaters from the third parties. Windows Update could use special code signing keys to make sure that only vendors Microsoft allowed in got to deliver updates through Windows Update, and also to give Microsoft a way to revoke update status from those updates.

The benefits, I felt, were substantial: Users would have exactly one interface through which updates would be delivered and they could be trained to look for those updates. The fact that they came, at least in part, from Windows should make them more credible.

I talked to Microsoft and wrote columns about it back in the mid-00s. The best answer I could get, unofficially, was that it was too big a liability problem. This answer was plausible, but uninspiring. Microsoft clearly had and has an interest in third parties keeping their Windows software updated, and they were chickening out on a good way to address it.

Then the iPhone came along.

From a security perspective, the major game-changing characteristic of iOS is Apple's active and strict control over what software gets delivered to iOS devices. Just as all apps on the device must be delivered through the store, so must all updates to those apps. Apple had the nerve to do what Microsoft didn't. (Of course, Apple has always been bolder about telling their users what they can and can't do.)


Microsoft has largely adopted Apple's store practices for Windows 8 apps, including the centralizing of app updates. That's the good part. The bad part is that it only works for the new Modern UI (Metro) apps, not for classic Desktop apps. There's no practical way to retrofit the new scheme to Desktop apps and, from Microsoft's perspective, it would just perpetuate the "old" app model they are not especially encouraging at this point.

But, in the long term, it should improve the steadiness of updates of third-party apps on Windows systems.

That still leaves the user problem: Just because there's a big, obvious number on the Store icon doesn't mean users will take the hint. I've seen many an iPad and iPhone with a double-digit number on the App Store icon and the user perfectly willing to ignore it. Alas, we can't yet reprogram the user.

