Microsoft has borrowed quite a bit from both the Mac and Open Source worlds in recent years. One of the many things that they still suck at is software installation and updates – a problem the open source community definitively solved several years ago. For example, my Ubuntu machine keeps all my software up to date automagically. Every once in a while, I get a notification in my task bar that lets me know there are updates to be downloaded for this or that application. It doesn’t matter who wrote these applications, or where they came from – they are all managed by a single system: apt. Whenever someone releases an update, it eventually ends up in the repositories, and consequently on my desktop. It’s clean, simple and does not require any thinking or planning on my part. It also does not bog down my system.
How do you maintain applications on Windows? It’s a mess. Every piece of software you install on your machine these days comes with its own mechanism for downloading new updates. Adobe puts a resident process in your memory. Firefox calls home every once in a while while you use it. So does your antivirus suite. On its own, each of these systems is adequate, but if you put all of them together you end up with dozens of resident update checkers sitting in your memory, littering your tray and wasting your bandwidth. You can of course switch all these features off, but then you must remember to update them by hand.
What happens if you don’t? You become vulnerable. For example, if you are using an outdated version of Adobe Reader you are really asking for it, considering how often its bugs are exploited these days. And when I say you, I don’t mean you in particular.
Let’s face it – if you are on this blog, you don’t have a malware problem. I can run an outdated machine and never get it infected because I know how 2 internet and so do you. Sadly, we seem to be in the minority. Most computer users are the people who tell me my blog is boring and then ask me for free tech support. These people are most vulnerable to unpatched security holes in third-party software because they:
- Always run as administrator, disable UAC or train themselves to click Ok/Allow without reading the prompt
- Are inexplicably drawn to malware dispensing websites
- Habitually click on weird popups and email attachments
Exploits using security holes in Flash, QuickTime and Adobe Reader are especially nasty since they can often be used to run arbitrary code on the user’s machine by just visiting a website. How do you keep these products updated?
It’s a mess. Each application usually has its own resident update checker. On an average machine you will usually see update monitors from Apple, Google, and Adobe. QuickBooks, Quicken and various other tax and accounting packages like to use their own services as well. Each printer/fax vendor likes to use their own monitoring software as well, so I often see people running resident updaters from HP, Brother, Canon, Lexmark, etc. Same goes for webcam software, digital camera drivers, etc. I have seen machines that had over 20 different update services running at the same time either as resident memory processes or scheduled tasks.
It is a clusterfuck, and it does not need to be one. We already have a fairly elegant centralized update mechanism. It is called Windows Update and it does exactly what Synaptic and similar tools do for Linux. It checks your software versions against an online repository and downloads updates and patches as needed. The main difference is that Linux tools allow the user to specify which repositories should be checked. Windows Update only checks Microsoft’s own update repository.
I know this will never happen because Microsoft is what it is – a glacial corporate monolith that is not as much evil as oblivious to anything that does not increase its profit margins. It ultimately does not care about innovation, customer satisfaction or silly things like common decency, business ethics or local laws. Whatever, it’s been like this for years and it’s not going to change any time soon. But, if I were to give them a suggestion I would say this: create a public API for the Windows Update service that would allow third-party vendors to build their own repositories and push updates to end users.
Note that I’m not saying that Microsoft should host these updates. Nor should they check them for validity or even care what they are. No, I’m saying they should do exactly what Linux has been doing for years. Give the user the ability to choose which repositories they want to pull updates from and simply make the service connect to a given URL, check whether or not updates are available, download them and silently install them in the background. For security reasons they could use some sort of signed certificate to verify the software vendor has been approved – so big corporations such as Adobe or nVidia could have their updates pushed out without a hassle. If a user added a repository that had not purchased a valid MS certificate, the update service would pop up a big warning letting him know he might be signing up for an express malware delivery service. Still, knowledgeable users should have the option to subscribe to unverified repositories – just like they have the option to accept an invalid SSL certificate in their browser.
If you were a developer and you wanted to distribute your software via Windows Update, you would simply need to publish your MSI files in a web-accessible directory with appropriate metadata and/or certificates, and instruct your users on how to add the URL for that directory on their system via some Control Panel app or whatever. Wouldn’t that be neat?
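A sketch of the client-side decision such an update service would make for each repository offer, added here as an illustration and not part of the original post or of any Microsoft API. The manifest fields, vendor name and keys are constructed, and HMAC-SHA256 stands in for the certificate-based vendor signature the proposal describes (a real design would use an asymmetric signature chained to an approved certificate).

```python
import hashlib
import hmac
import json

# Constructed sample data: keys for vendors the update service has approved.
# HMAC-SHA256 is a stdlib stand-in for a certificate-based signature.
APPROVED_VENDOR_KEYS = {"ExampleVendor": b"constructed-demo-key"}


def sign_manifest(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def parse_version(text: str) -> tuple:
    # Compare versions numerically so that 2.10.0 sorts after 2.9.0.
    return tuple(int(part) for part in text.split("."))


def evaluate_update(manifest_body: bytes, signature: str, msi_bytes: bytes,
                    installed_version: str, allow_unverified: bool = False) -> str:
    """Return 'install', 'up-to-date' or 'reject:<reason>' for one repository offer."""
    manifest = json.loads(manifest_body)
    key = APPROVED_VENDOR_KEYS.get(manifest["vendor"])
    verified = key is not None and hmac.compare_digest(
        sign_manifest(manifest_body, key), signature)
    # Unverified repositories are refused unless the user explicitly opted in
    # (the "big warning" case in the post).
    if not verified and not allow_unverified:
        return "reject:unverified-repository"
    # Never install an equal or older version (blocks downgrade offers).
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        return "up-to-date"
    # The downloaded installer must match the hash pinned in the manifest.
    if hashlib.sha256(msi_bytes).hexdigest() != manifest["sha256"]:
        return "reject:hash-mismatch"
    return "install"


def build_sample_offer(version="2.1.0", vendor="ExampleVendor"):
    """Build a constructed manifest, signature and placeholder installer bytes."""
    msi = b"constructed placeholder for MSI contents"
    body = json.dumps({"vendor": vendor, "package": "example-app",
                       "version": version,
                       "sha256": hashlib.sha256(msi).hexdigest()}).encode()
    key = APPROVED_VENDOR_KEYS.get(vendor, b"unknown-vendor-key")
    return body, sign_manifest(body, key), msi
```

With `allow_unverified=True` the signature result is ignored entirely, so the pinned hash then only protects against corruption, not against a malicious repository.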
It’s not going to happen – I’m sure of that. But a man can dream. It would really solve the update problem for good.