Microsoft has borrowed quite a bit from both the Mac and open source worlds in recent years. One of the many things that they still suck at is software installation and updates – a problem the open source community definitively solved several years ago. For example, my Ubuntu machine keeps all my software up to date automagically. Every once in a while, I get a notification in my task bar that lets me know there are updates to be downloaded for this or that application. It doesn’t matter who wrote these applications, or where they came from – they are all managed by a single system: apt. Whenever someone releases an update, it eventually ends up in the repositories, and consequently on my desktop. It’s clean, simple and does not require any thinking or planning on my part. It also does not bog down my system.
How do you maintain applications on Windows? It’s a mess. Every piece of software you install on your machine these days comes with its own mechanism for downloading new updates. Adobe puts a resident process in your memory. Firefox calls home every once in a while as you use it. So does your antivirus suite. On its own, each of these systems is adequate, but if you put all of them together you end up with dozens of resident update checkers sitting in your memory, littering your tray and wasting your bandwidth. You can of course switch all these features off, but then you must remember to update the applications by hand.
What happens if you don’t? You become vulnerable. For example, if you are using an outdated version of Adobe Reader you are really asking for it, considering how often its bugs are exploited these days. And when I say you, I don’t mean you in particular.
Let’s face it – if you are on this blog, you don’t have a malware problem. I can run an outdated machine and never get it infected because I know how 2 internet and so do you. Sadly, we seem to be in the minority. Most computer users are the people who tell me my blog is boring and then ask me for free tech support. These people are most vulnerable to un-patched security holes in third party software because they:
- Always run as administrator, disable UAC or train themselves to click Ok/Allow without reading the prompt
- Are inexplicably drawn to malware dispensing websites
- Habitually click on weird popups and email attachments
Exploits using security holes in Flash, QuickTime and Adobe Reader are especially nasty since they can often be used to run arbitrary code on the user’s machine by just visiting a website. How do you keep these products updated?
It’s a mess. Each application usually has its own resident update checker. On an average machine you will usually see update monitors from Apple, Google, and Adobe. QuickBooks, Quicken and various other tax and accounting packages like to use their own services as well. Each printer/fax vendor likes to use its own monitoring software too, so I often see people running resident updaters from HP, Brother, Canon, Lexmark, etc. Same goes for webcam software, digital camera drivers, etc. I have seen machines that had over 20 different update services running at the same time, either as resident memory processes or scheduled tasks.
It is a clusterfuck, and it does not need to be one. We already have a fairly elegant centralized update mechanism. It is called Windows Update and it does exactly what Synaptic and similar tools do for Linux. It checks your software versions against an online repository and downloads updates and patches as needed. The main difference is that Linux tools allow the user to specify which repositories should be checked. Windows Update only checks Microsoft’s own update repository.
I know this will never happen because Microsoft is what it is – a glacial corporate Monolith that is not as much evil as oblivious to anything that does not increase its profit margins. It ultimately does not care about innovation, customer satisfaction or silly things like common decency, business ethics or local laws. Whatever, it’s been like this for years and it’s not going to change any time soon. But, if I was to give them a suggestion I would say this: create a public API for the Windows Update service that would allow third party vendors to build their own repositories and push updates to end users.
Note that I’m not saying that Microsoft should host these updates. Nor should they check them for validity or even care what they are. No, I’m saying they should do exactly what Linux has been doing for years. Give the user the ability to choose which repositories they want to pull updates from and simply make the service connect to a given URL, check whether or not updates are available, download them and silently install them in the background. For security reasons they could use some sort of signed certificate to verify the software vendor has been approved – so big corporations such as Adobe or nVidia could have their updates pushed out without a hassle. If a user added a repository whose owner did not purchase a valid MS certificate, the update service would pop up a big warning letting him know he might be signing up for an express malware delivery service. Still, knowledgeable users should have the option to subscribe to unverified repositories – just like they have the option to accept an invalid SSL certificate in their browser.
If you were a developer and you wanted to distribute your software via Windows Update you would simply need to publish your msi files in a web accessible directory with appropriate metadata and/or certificates and instruct your users on how to add the URL for that directory on their system via some Control Panel app or whatever. Wouldn’t that be neat?
It’s not going to happen – I’m sure of that. But a man can dream. It would really solve the update problem for good.
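The client side of the repository scheme described above, sketched as an added example (not code from this post or from any Microsoft API): it decides which packages to fetch from one third-party repository, holds back an unverified repository until the user opts in, and checks each download against the published hash. The manifest layout, field names and the `cert_approved` flag are assumptions.

```python
import hashlib
import json

# Constructed sample: what a vendor might publish next to its .msi files.
# The manifest layout and every field name are assumptions for this sketch.
SAMPLE_MANIFEST = json.dumps({
    "vendor": "Example Vendor",
    "packages": [
        {"name": "ExampleReader", "version": "9.10.2",
         "url": "https://updates.example.com/reader-9.10.2.msi",
         "sha256": hashlib.sha256(b"constructed msi bytes").hexdigest()},
        {"name": "ExamplePlayer", "version": "10.0",
         "url": "https://updates.example.com/player-10.0.msi",
         "sha256": "0" * 64},
    ],
})


def version_key(text):
    """'9.10.2' -> (9, 10, 2), so 9.10 sorts after 9.9 (unlike string compare)."""
    return tuple(int(part) for part in text.split("."))


def plan_updates(manifest_json, installed, cert_approved, user_accepted_risk=False):
    """Return (packages_to_install, warnings) for one repository.

    cert_approved is the outcome of validating the repository's vendor
    certificate; that validation itself is outside this sketch.
    """
    warnings = []
    if not cert_approved:
        warnings.append("unverified repository")
        if not user_accepted_risk:
            return [], warnings  # do nothing until the user opts in explicitly
    actions = []
    for pkg in json.loads(manifest_json)["packages"]:
        current = installed.get(pkg["name"])
        if current is None or version_key(pkg["version"]) <= version_key(current):
            continue  # not installed on this machine, or already up to date
        actions.append(pkg)
    return actions, warnings


def verify_download(data, pkg):
    """Check the fetched bytes against the manifest hash before installing."""
    return hashlib.sha256(data).hexdigest() == pkg["sha256"]
```

The hash only protects the download if the manifest itself is authentic, which is why the certificate check gates everything else.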
aaand you did it again!
GET OUT OF MY MIND! STOP READING MY THOUGHTS!
*g*
*hugs apt-get*
no comments about aptitude ;)
Filehippo did a decent try at addressing this problem, with their Update Checker. Of course, it “only” covers freeware and open source software, but it’s still a nice bunch of apps!
While by no means as smart as apt or other package managers (it scans your computer for installed apps and generates a list of links to download updates from the Filehippo site), it is still quite useful.
You are a little unfair when talking about Microsoft. They did lots of sneaky things to get updates a little less messy in Windows 7.
- The Uninstallmanager now shows you the version numbers of the programs installed
- Hardware drivers are downloadable from the Microsoft Update Server and updates are available too.
- Games can also be updated automatically or manually if wanted
But most importantly, it’s not Microsoft’s job to keep your software updated. If they update your software, they are responsible that it stops working and so on and on
Think about that….
@ ST/op:
Ah, yes. File hippo. I forgot to mention it in the post, but I was thinking about it while writing it. It is sort of a half-way measure. It would be almost perfect if it could silently install all the updates in the background once the user approves them, interrupting him only to agree to a EULA if necessary.
@ MrJones:
Haven’t really had much time to mess around with Windows 7. I made the jump to Vista only a few months before Windows 7 hit the shelves. :P
But no – they don’t have to be responsible for the software they update. If the user adds a non-microsoft repository to Windows Update it should mark it as external and let the user know it is not supported and Microsoft is not responsible for it breaking.
All I’m asking for is for a feature that can fetch an MSI file from a remote server and install it in the background and then periodically check if an update was released.
MrJones wrote:
But it *should* be. Aren’t they paid to provide an OS? That’s an important function of every OS, so they should be responsible for it.
Sure, if the repository has problems, it’s not their responsibility, but the updater should warn the user:
“Couldn’t update app X! Please contact company Y and ask for support”
But I thought Windows had something similar for enterprise environments – to allow IT managers to distribute updates network-wide. But I guess it’s for manual updates, and probably doesn’t provide an API.
There was a promising SourceForge program a while ago – win-get. It just did installs, but promised to handle updates in the future. I don’t think it ever got there, and it seems unmaintained now.
Also, Adobe’s download manager is the biggest piece of bloatware I’ve seen in ages. Updating Reader – which is a gargantuan mess already – shouldn’t grind my computer to a halt for any amount of time, certainly not for 5 minutes.
I think the exploits in Reader & Flash are just further evidence of how dangerous a monoculture is. If everyone switched to Foxit and Silverlight or HTML5 + Vorbis, the exploits would simply be found there.
Not only MS but OSX also suffers from this. The software updater handles official updates from Apple, but not others.
I’d love being able to load 3rd party repos for both Windows and OSX official updaters.
It’s definitely not elegant, but I find running filehippo’s udc alongside secunia’s psi weekly helps keep windows applications relatively updated.