Wednesday, July 07, 2010

Microsoft: Where’s my universal updater?

When running the operating systems that Microsoft hilariously called “hobbyist”, I get a central program that manages updates to all of my installed applications. It looks like this:

ubuntu-update-manager-198-updates 

                                   Above: A real updater

Now, I’ve heard that Microsoft may build an app store into Windows 8. I imagine (hope!) that it will include updates. But updates are something we need now. With the plethora of application level attacks, especially against Adobe Reader and Flash Player, it behooves Microsoft to make updating easier. Today, I think I have about a bazillion (OK 14) updaters on my system. Some of these run automatically and slow down logon. Others run as a scheduled task “every Saturday evening at 9:11 PM” (Apple) while my computer is asleep and so never actually run. In fact, since users rarely reboot anymore and just use sleep or hibernate many of these “run at logon” updaters don’t keep you very up to date either. Some updaters are built into the applications themselves and don’t pop up until you actually want to do some work in the app. Some, like the Adobe ones, seldom even work.

One good thing came about as part of this last round of Adobe Reader exploits being used by malicious advertisements served up on legitimate sites by ad networks. That’s right: both my boss and my brother in law were infected with unknown variants of some awful fake anti-virus product (variants of aVsoFt AvSuiTe) via drive by installs using a Reader exploit that was patched on June 29th. I had to submit samples to Sophos, Microsoft, and Symantec to get definitions that would detect these (both were different and the def that came out after the first one did not detect the variant a week later). The good thing that came out of it? Other folks who heard about their issues went back and updated their machines! However, they did NOT have an easy time of it. There is no single place to go to check to see “am I up to date?” As I’ve said, the various updaters are disjointed, often dysfunctional, and obtuse. For example some don’t work through authenticated proxy servers. Others try to foist crapware, foistware, and spy toolbars on you in addition to the updates. In all cases, each vendor is re-inventing the wheel (some well, some not so well) on things like update detection, update validation, downloading, and installing.

So, what should we do?

We get to continue slogging through these ridiculous hoops to get updated in the short term. In the long term, let’s lobby Microsoft hard to get these things done:

  • Create a “Windows, Applications, and add-ins” updater and evangelize it with all the ISVs in the Windows ecosystem – small and large.
  • Publicize how vendors need to create their updates and help some initial volunteers through the process.
  • Make it secure, but easy and free for the ISVs. They have their own QA / test / publishing rules already – Microsoft just needs to be able to have non-repudiation that the source of the updates is actually the vendor in question. If you can give me 25 GB on skydrive for free, you can give these updates some space too (I know akamai in bulk costs more than what you are absorbing for skydrive but still – this is needed). Get out your wallet.
  • Make it work with add-ins for programs like Outlook, IE, and Firefox – not just major application installs.
  • Go do it today; get it done!

Once this service exists, lobby all of your vendors to get on board ASAP. If (for example) Oracle or Open Office doesn’t want to play that counts as a point against them in a product evaluation. If Adobe signs up early and has it working well – that’s a point in their favor when doing an evaluation.

Update overkill

Here’s a sample of the updaters on my machine. This is a simple test machine that doesn’t have a lot loaded. Hard to believe, but it is true:

WindowsUpdate2

Perhaps all updates should be through the above interface?

 

Silverligh

Silverlight needs its own updater?

 

Picassa

At least Picasa is up to date!

 

Paint

Paint.Net’s updater doesn’t work through a proxy server

 

MSE

 

Lenovo

Great, advertisements in the Lenovo updater.

 

Java

I would be that Oracle won’t sign up to have their updates done through Microsoft. Users however will see that as a strike against them.

 

Flash-IE-1

As you can see, the Adobe one tries to come with the Google spy bar. Quit that!

 

Flash-FF-7

Like I said, the Adobe Flash Download Manager fails all the time.

 

Firefox

This was the Farmville update and had nothing to do with security.

 

Creative

 

Chrome

 

Apple

Note the “foistware” – a lousy browser.

 

AdobeReader

 

Boy is that a lot of updates and updaters or what? After awhile, you realize that a lot of other applications that you use need updates too, but don’t have an updater at all. Here’s just a few of them from my machine:

NoUpdates

Darn, no updates for these.

 

Wrap up

So why are you still here? If you are with Microsoft, go get started on this now. If you aren’t – find the nearest Microsoft representative and hit them up for this. Feel free to send them a link to this blog entry if you don’t feel like typing it up for them.

Monday, July 05, 2010

Flash: Hey Adobe, learn to write an updater!

As we all know, Adobe Flash has had more than its share of security vulnerabilities and the concomitant flurry of updates recently. I’ve recently seen several machines where the Flash updates just don’t work. It seems to screw up on all kinds of things:

  1. People tend to only reboot once in awhile now that sleep/resume works well. They’ll now reboot at maybe monthly intervals. Up comes the flash update message and they tell it to update. Who knows what the logic is in the updater, but it will pick one (Firefox or IE) to update. It updates that one and leaves the “other” Flash vulnerable. Fail.
  2. A person goes to the Adobe site to update Flash themselves. After they get through the screen where they need to turn off unneeded security scans from McAfee, spyware toolbars from Google, etc. and actually get the download it wants to install the Adobe Download Manager (or DLM). This wondrous tool loves to install, download the update, then randomly show that it failed. Convince it to try again and it says something to the effect that “no, I said I failed you moron”. So then you try to update your other browser and that one works. But the one where DLM failed doesn’t even have flash anymore. Well, at least it is secure. The other part of this is that Adobe is doing their best to hide the download links for install_flash_ax.exe (ActiveX) and install_flash.exe (NPAPI) so that you can only get things with their busted-ass DLM. Fail.

Please, Adobe: Put the links to the actual EXE downloads back at a higher level on your site with text like this, “In the all to common event that our DLM fails to update your install of Flash, download the appropriate updater here.”

Oh yeah – and fix your DLM. While you are at it, make the updater that appears when users logon to their machine update ANY and ALL versions of Flash on the machine.