Microsoft on Tuesday slammed the door on updating third-party software via Windows Update in the upcoming Windows 8.
One security expert said the company was missing a big opportunity to improve the overall security of Windows PCs.
The new operating system will not update non-Microsoft software, said Farzana Rahman, the group program manager for Windows Update, in a blog post.
“The wide variety of delivery mechanisms, installation tools, and overall approaches to updates across the full breadth of applications makes it impossible to push all updates through [the Windows Update] mechanism,” said Rahman said. “As frustrating as this might be, it is also an important part of the ecosystem that we cannot just revisit for the installed base of software.”
Rahman’s statement was the clearest ever by Microsoft that it would not take other applications under its update wing.
Currently, the company offers customers updates to Windows drivers — third-party files required to run the OS — via Windows Update, and occasionally disables third-party ActiveX controls in Internet Explorer (IE) at vendors’ requests. And that’s how it’s going to stay, Rahman said.
She did add that Microsoft feels its customers’ pain.
“People clearly find the experience with multiple updaters on the system less than optimal, and we agree,” Rahman said. “Each application updater gives you a different experience, you have to remember to go visit each updater to install updates, you never know when or how updaters will run and what they might do, and so on. People would like one updater for the entire system.”
Yes, they would, said Wolfgang Kandek, chief technology officer for Qualys, and an advocate for Microsoft’s updating other companies’ Windows software.
“I understand the thinking,” said Kandek of Microsoft’s reasons for not pushing third-party updates, “but at the same time, it’s a little disappointing. Microsoft could collect a huge amount of goodwill by doing this, and it would be a huge leap for security.”
Kandek argued that although even Microsoft doesn’t have the resources to validate every application’s update, it could certainly focus on the most important vendors whose products need to be constantly updated. His examples: Adobe’s Reader and Flash Player.
“I would argue that there are certain organizations, and Adobe is one of them, where [Microsoft taking on updating duties] would be possible,” Kandek continued. “There are only a couple of [vendors] that they would need to address, and they’re mature companies with well-tested updates.”
Both Flash Player and Adobe Reader have been patched multiple times this year: Adobe has issued nine security updates for the Flash Player and five for the Reader so far in 2011.
Others, including Danish vulnerability tracker Secunia and some readers of Rahman’s blog, have called for a unified update mechanism for all Windows software.
Two years ago, Secunia pitched an updating standard but couldn’t drum up any support. Instead, Secunia released PSI 2.0, a utility that scans a Windows machine for a wide range of software, detects when that software is out of date, and leads users to relevant update sites where they can download the newest editions.
Rahman’s readers weighed in, too.
“You could focus a new third-party update functionality on these relatively few, incredibly common programs,” said someone identified as “JustSomeWinGuy” in the blog’s comments. “A relatively small bit of new effort by Microsoft could pay huge dividends for many millions of end users.”
But Microsoft has spoken.
“Microsoft’s doing some great work [with Windows 8],” said Kandek, talking about some update streamlining the company revealed Tuesday. “But it’s really too bad they’re saying we won’t integrate other applications in Windows Update. It would be a real boost to everyone’s security.”