Originally published at: http://www.howtogeek.com/168831/htg-explains-do-you-need-to-worry-about-desktop-application-updates/
There was a time when we had to worry about manually updating desktop applications. Adobe Flash and Reader were full of security holes and didn’t update themselves, for example — but those days are largely behind us.
App Update Checkers Aren’t That Great
IMO filehippo.com is not bad at all.
Automatic updating often doesn't work as you want where the install path is customised, especially if the old version is uninstalled. Then you may not want start menu shortcuts, and may have previously moved them to a folder in the start menu. The automatic update will almost inevitably leave you with shortcuts (or a folder) in the root of the start menu, and often with an unsought desktop shortcut too.
Some programs also add a background process for updating, chewing up RAM.
Agree with Cyber-, filehippo does a good job.
I agree that app update checkers aren't as bad as the article demonizes them, as long as one doesn't have unrealistic expectations of what they can or should do. Although it has gone downhill somewhat in the past couple of years, I still like Secunia PSI. The only complaints I have about it are that their website has gone down for a day or two a couple of times in the past year (big deal) and that it insisted on telling me I needed to update Sumatra PDF Reader on both of my present machines and the previous desktop I had (I've never had Sumatra on any of those machines). Even then, all I had to do was set PSI to ignore Sumatra and I got no more false positives (so, again, big deal).
By having "unrealistic expectations", I was referring to one expecting PSI to do all their updating for them. Do that and one is likely to be disappointed or unpleasantly surprised. Updates may happen unexpectedly, which could cause unexpected restarts, the updates may not happen at all, etc. I have PSI set to just notify me when updates are available, then do the updates when I find it convenient by either using PSI or by using the program needing updating itself. Many programs do a good job of policing themselves for needed updates so PSI is especially handy for those that don't check for updates, programs I don't run often enough to give themselves a chance to police themselves, and/or programs I don't allow to "phone home". That arrangement has been working very well for me.
I haven't tried Cyber-hippo yet since I'm satisfied with Secunia PSI but I've been seeing good reports on it.
"Of course, Windows is also capable of automatically updating itself via Windows Update. This process is much more seamless than it was back in the days when users were forced to manually visit the Windows Update website in Internet Explorer to check for and download updates."
For those who haven't any experience with other OSes, this update process might seem 'seamless' - however, for the user's work to be disrupted (default settings) by an OS update and then have to wait forever as the system updates on shutdown and bootup for what seems ages is unforgivable. In Mint, an update notification consists of a white exclamation mark in a blue shield icon on my taskbar: I can click this when I'm ready, disrupting no work. Then, the update process takes place, updating ALL software and drivers and everything! Moreover, updating almost never requires a reboot, and the reboot process takes no longer than usual.
Bad, arrogant design, MS. Needs to be re-thought from the ground up, as does the entire OS.
I like the article. I've never really thought about updating except when needed. Being old school, I'm just glad the most used and/or most vulnerable have an update option, and some allow you to control auto, notify or never.
I do use a driver updater that I run once in a while at no set time, or when I notice a problem that looks to be driver "driven", otherwise I let them police themselves and watch for things like "Java's messed up!"
Now that it's brought to my attention though, I would like to see a program that works similar to an uninstaller, where it scans everything on your computer, then shows you all the programs you have loaded. Then it allows you to select how updates are handled, by the individual program or by the updater, with auto, notify or never, whichever you choose to handle those updates. And with a time function, so for the autos you could set them when you want (at night when you're asleep, once a week or month for instance). That's about the only real thing I like about the way Windowz handles things. Otherwise I like the way my Ubuntu handles updates better.
Windows 8 improves the update situation somewhat in that it will wait 4 days before automatically restarting and it will show a notice on the lock screen when that restart will happen.
It sucks Windows didn't get a generic app/program store for WinXP/7/Vista/8 instead of only the silly Metro store.
I am shocked to see such an article on the web, much less on How To Geek.
ALL applications (not just browsers and the like) are susceptible to hacking and being used as penetration vectors by those intent on doing you harm. Running old code, no matter what the application, can leave you vulnerable to abuse and theft of any information on your PC.
Information theft and abuse does not always come through the web (as this article seems to suggest). Insecure code at a small business can put employee and client information at risk of being captured and used by a disgruntled employee or even a nightly cleanup crew. Not to mention that it is now easier than ever to hack not only WEP (yes, many businesses STILL use WEP although I cannot, for the life of me, tell you why) and WPA/WPA2 wireless networks.
Once inside your network, a disgruntled worker (or determined Wi-Fi hacker) can easily take advantage of old SQL, MySQL and Oracle database flaws. And databases are just one attack vector. There are far too many to list them all here. Just look here for a small list of local exploits - http://www.exploit-db.com/local/ .
Anyone concerned with security should ignore this article and check ALL of their software for updates. Not doing so places you, your employees and clients at risk.
And, I would humbly suggest that How To Geek remove this unfortunate article ASAP.
We are not talking about business software in this article, which is clearly written for end users. Naturally, businesses will need to keep a lot of other software updated, but home users don't use most of that.
The fact is that virtually every application with a possible attack vector for end users... already has a built in updater. So you don't have to worry about it.
That's really the point. We aren't saying not to update your software. We are saying that software update checkers are selling fear. Just like all of the security vendors.
Ok. Forget businesses. Home users still have resumes, social security numbers, emergency contact info, website and work email addresses, logins and passwords stored (lots of times as plain text files) on their PCs.
And your assumption "that virtually every application with a possible attack vector for end users... already has a built in updater" is just plain wrong. While that assumption would be correct about most modern software, we are (and this article is) talking about out of date software. It wasn't until relatively recently that even Flash began auto-updating itself. There are thousands of apps and versions still on people's PCs that do not have this capability.
As for people selling fear, I guess that is sometimes right. But there are things (and people) to fear. Out of date software is one of those things. Telling people the truth about their vulnerabilities does not mean that you have to send them to some security vendor or unscrupulous vendor that will take their money for nothing.
There are free alternatives for people to check their software (like FileHippo.com and I think Secunia offered a free version for home users as well).
There are always alternatives to sticking your head in the sand and hoping everything turns out ok.
Can you give me one example of an active attack on a piece of old software that doesn't have an updater?
The fact is that almost every single attack is on easy targets like web browser plugins... Or through social engineering and getting somebody to install malware on their PC. Neither of which are helped by Secunia.
It is also worth noting that old software that doesn't have update checkers... does not actually have updates. Hence it being old and outdated.
We aren't telling people to never update. Just saying that third party update checkers aren't the best thing since sliced bread.
I don't remember any HTG Member ever recommending Secunia and I've been on this board a very long time.
I'm not here to argue with you. I have given you a link to vulnerable software. If you, or your readers, want to know which don't have updaters, you can look through the list. I highly suggest doing so. It is very enlightening.
In my professional opinion (30 years teaching programming and doing programming & network administration for Fortune 500 companies) doing or saying ANYTHING that causes a person to relax their stance on security is unwise. Even when people are told to be vigilant, they are not. And when you tell them to relax and not worry about updates so much, what they hear is "forget updating, everything is fine".
IMHO (for whatever that's worth) this article was irresponsible and is not reflective of the excellent advice in 99% of the articles that I have come to enjoy on How To Geek.
I highly recommend How To Geek to my clients and their children that are seeking to grow their understanding of their increasingly technical world. However, I must tell them to ignore this article - that it is an aberration in an otherwise stellar collection of articles on technology.
I've recommended Secunia PSI numerous times and have seen others do so. I normally don't recommend letting it automatically update programs, though. It's much safer to let it notify the user that a program may need updating and let the user decide on the proper action.
We've all got 40+ years of experience with computing, so we need no speeches here.
Unfortunate, but true in a lot of instances (when applied to the vast majority of computer users; I'm married to one). But I believe when applied to anybody that is interested in learning about computers, you must also take into account that by the time they do become interested, for the most part they will have seen the problems inherent in not keeping soft updated. Take for instance the recent problems Java is struggling to overcome. The vast majority of users (the ones I've encountered anyway), for the most part, still don't understand what was going on, but for anybody that is learning, or just interested in what was going on, the info is and was available, and for the most part they were the ones who took steps, whether they took action on their own or had help.
I still think the
But on the other hand, what I'd really like to see is Windows take a page from Linux and use an integrated updater that tracks all soft on your computer and allows you the freedom to choose from the 4 W's. Then they will have taken a huge step in my book to safety and security (and peace of mind).
Here the issue is why MS does not take the step to include these no-brainers into their OS. We pay to get their OS and then some of us like to go and get these add-ons, which you can get free most of the time. For instance, what is it to MS to crank in an automatic software updater? Just that they are stubborn, nothing more. Combine that with the fact that their documentation with respect to their own TOOLS is pretty scanty and cryptic. One has to look for it for sometimes hours to get it right. When a little simple, kiss me quick, freeware does it in 2 minutes... If MS does not learn about the customer needs and how to treat them they will go the same route that IBM went, and that's fine if that's what they want! Everybody is sovereign in their own life.