Windows Needs a Package Manager

It's probably safe to assume that most computers are running some sort of insecure application. That's not always the fault of the administrator (in a business) or the end user (at home). After all, if an existing vulnerability hasn't been discovered or made public yet, then we certainly can't work to mitigate the problem. On the other hand, if administrators and end users of PCs aren't checking for known vulnerabilities and the availability of updated versions of their software, then responsibility for related insecurities resides firmly with them.

According to data gathered by Secunia (available at the URL below), approximately 95 percent of all computers have one or more insecure applications installed for which a fix is available but has not been applied. The bottom line is that most people are not patching or upgrading their software when security updates become available.

Secunia gathered the data using its free Personal Software Inspector (PSI) tool, which is available for Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The company said that the data is based on information collected from 20,009 new users of PSI during the first week of January. Secunia didn't indicate whether those users were scanning their private computers or computers on a business network, nor does Secunia ask for such info before allowing people to download PSI. However, it's obvious that people who use PSI are concerned about security. So Secunia's data is even more interesting, because there's a big probability that people who aren't concerned about security have even more insecure applications on their systems.

One complicating factor with software updates is quite simply awareness. If people don't know an application has an update, they can't choose to install it. As you know, the applications that don't offer some sort of automated update notice outnumber the applications that do offer notice. How many people routinely surf the 'net looking for updates to all of their applications? I suspect the answer is not many. So the use of a third-party patching tool is vital, especially for home users who make up the majority of computer users. That raises another problem: How will people find out about such tools?

In thinking about all this, it occurred to me that since Windows runs on most computers, Microsoft is in a position to push its security efforts a gigantic leap forward by either co-marketing a tool such as Secunia PSI or developing some sort of update alert API that third-party application developers can hook into. So, for example, when someone installs a new application, that application can use the hook to alert people about software updates and provide information about how to obtain and install the updates. Of course, this sort of functionality could be created by any third party, but Microsoft is in the best position to quickly distribute it far and wide.

You may know that this sort of functionality has long been available in the open source community. If you're familiar with Linux, you know that most flavors have a package manager, which is basically a front end for a giant repository of data about countless third-party applications that are all packaged for easy installation. Individual developers maintain each particular package in a decentralized fashion, so updates to any particular package can become available at any time.

To ensure that a Linux system stays as up to date as possible, a user needs to do two simple things: only install new applications by using the package manager (e.g., don't use independent software installers unless absolutely necessary), and periodically run the package manager's update routine to update all installed software. That's it. A couple of mouse clicks or commands (if you prefer the command line) brings you a complete system update across all applications regardless of who developed the applications. Could it be any simpler than that?
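As an added illustration (not code from the original column or from any vendor), here is a minimal Python model of the check that a package manager's update routine, or an inspector such as PSI, performs: compare each installed application's version against the repository's current version and list what is out of date. The inventory and the vendor feed are constructed sample data, and the application names and version numbers are placeholders, not real releases.

```python
from typing import Dict, List, Tuple

# Constructed sample data: what is installed on one machine (hypothetical names).
INSTALLED: Dict[str, str] = {
    "ExampleViewer": "8.1.2",
    "SampleArchiver": "3.9",
    "DemoPlayer": "10.0",
}

# Constructed sample feed: latest version per package and whether that release
# fixes a security issue. This is what a central repository would publish.
FEED: Dict[str, Tuple[str, bool]] = {
    "ExampleViewer": ("8.1.10", True),
    "SampleArchiver": ("3.9.0", False),
    "DemoPlayer": ("9.5", True),   # feed lags behind the installed copy
    "OtherApp": ("1.0", True),     # not installed here, so ignored
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.1.10' into (8, 1, 10) so numeric comparison works (1.10 > 1.9).
    Non-digit characters in a component are dropped; an empty component is 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Pads with zeros so '3.9' equals '3.9.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def find_outdated(inventory: Dict[str, str],
                  feed: Dict[str, Tuple[str, bool]]) -> List[Tuple[str, str, str, bool]]:
    """List (name, installed, latest, is_security_fix) for every installed
    package whose version is older than the feed's current version."""
    report = []
    for name, installed in sorted(inventory.items()):
        if name not in feed:
            continue  # unknown to the repository: nothing to compare against
        latest, security = feed[name]
        if compare_versions(installed, latest) < 0:
            report.append((name, installed, latest, security))
    return report
```

Running `find_outdated(INSTALLED, FEED)` on the sample data flags only ExampleViewer; the padded comparison keeps SampleArchiver from being reported as a false positive.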

Unfortunately, Windows itself has nothing close to that type of functionality. Granted, Microsoft Systems Management Server (SMS) has an "Inventory Tool for Custom Updates" feature that can help update third-party software. But as far as I know, there's no such tool from Microsoft for people who can't justify using SMS, such as many small businesses and home users, who probably make up the vast majority of Windows users around the world.

I'm sure nearly all of you would agree that such a facility would be a fantastic addition to Windows desktops. In fact, I can see how such a facility would be one of the biggest security improvements Microsoft could ever help to bring to fruition.

