ANTenna Blog -- Hardware & Software
Why Are Software Updates Such A Pain In The Butt?
Posted by Matthew McKenzie Friday, Sep 18, 2009, 11:08 AM ET
Some recent Mozilla stats go a long way towards explaining a major problem with desktop software security. But maybe they don't go far enough.
Last week, Mozilla issued its latest set of Firefox browser updates. When the company notified users, it also alerted those running an outdated, and potentially dangerous, version of Adobe Flash. According to a Channel Register article, the results were not encouraging:
Of the 6 million or so people who upgraded to either 3.5.3 or 3.0.14 of Firefox on its debut last Thursday, slightly more than 3 million of them were found to be running an outdated Flash version, according to Mozilla's Ken Kovash. Sadly, only about 35 percent of those informed they had an insecure installation clicked on a link to upgrade to the latest version.
That suggests that some 2 million Firefox users remained vulnerable to remote exploit attacks even after Mozilla presented them with a warning that said "your current version of Flash Player can cause security and stability issues" and added "you should update Adobe Flash Player right now."
There is some good news here: According to Mozilla, the 30 percent click-through rate for the Flash update link was six times higher than the usual number who follow through on such alerts. Those figures, however, still leave millions of Firefox users running a version of Flash that could expose them to very serious security risks.
Why do so many users, in spite of these warnings, leave their systems vulnerable to such exploits? I think a few other problems play a role here:
- Bloatware fatigue. Adobe, like so many other software vendors, appears to be more interested in pushing users towards major new releases than in keeping them secure with strict quality control and prompt, incremental bug-fix updates. And Adobe, like so many other vendors, loves to pack its new releases with dubious "improvements" that impose a noticeable performance hit on users' systems. Many of us, given the choice, decide to take our chances with the current version.
- Paranoia. How many of us have seen popup boxes that scream warnings at us about malware, security holes, and dire risk to life and limb? How many of those popups are actually attempts to trick users into installing malware? At this point, such ploys are so common, and so potentially damaging, that users assume -- not without good reason -- they should avoid installing unsolicited "updates" no matter who recommends them.
But maybe the biggest problem here involves the process of checking for and installing software updates on a Windows PC. Or perhaps I should say the lack of a process.
Microsoft, of course, alerts users to patches and software updates on a weekly basis. With very few exceptions, these updates deal only with the Windows OS and integrated applications such as Internet Explorer.
Most other desktop applications offer their own, completely independent, software update alerts. Some of these only work when a user starts the application and actually checks for updates; others install updaters that start up with the user's system. The former are often not very effective, for obvious reasons. The latter tend to pile up, one at a time, until the cumulative weight of this nagware drives users to disable them en masse.
An alternative approach to software update management does exist. Once you try it, you'll wonder why Windows users don't take this problem far more seriously.
Most Linux distros provide desktop software through online repositories. These provide one-stop shopping for a huge number of applications, drivers and system utilities. They also provide a single point of access for software updates and security patches.
Keep in mind that while some repositories contain only free and open-source software, others are less restrictive. Ubuntu, for example, maintains four sub-repositories that divide available software based upon its open-source status and whether Canonical provides support. The Ubuntu "universe" repository includes third-party software distributed under more restrictive licenses -- including Adobe Flash and Reader.
While it is up to the software developer, and not Canonical, to provide security fixes and support for such software, the repository offers a quick and easy way to install updates as soon as they become available. A Linux desktop system will check the repository on a regular basis; when updates are available for installed applications, it will either alert the user or, if desired, install the updates automatically.
Not every desktop Linux application is installed from a repository, but the vast majority are. And while some distros' repositories are better than others at keeping software updates as current as possible, most of them do a pretty good job.
Actually, they do a fantastic job compared to the spotty, inconsistent, hit-or-miss approach that Windows users are forced to accept.
Software update management does not make or break a company's desktop OS decision. But if the process of staying one step ahead of the latest desktop software exploits is turning into more trouble than it's worth, then I think you have one more very good reason to try desktop Linux.