WinRAR has a massive security hole that’s still being actively exploited, and it’s one of many Windows applications that do not auto-update. The developer boasts of more than 500 million WinRAR installations around the world, so it’s likely that hundreds of millions of PCs are vulnerable to malicious ZIP files today.
How is it that, in 2023, the world’s most popular desktop operating system doesn’t provide an easy way to update your installed applications?
It baffles me that Windows and macOS users still have to manually keep track of and update each and every one of their applications individually, like it’s 1997 or something.
Stay safe. It’s the wild west out there for some of you.
Even though it’s not microsoft’s responsibility to update sideloaded applications, it would be useful to just notify users that the installed version is vulnerable and provide a link to winrar’s official updates. Just this simple act of notifying owners could make a big dent in the number of vulnerable apps installed simply by making users aware of the situation.
Alfman,
I think that falls more into the responsibility of “Malicious Software Removal Tool”, which is part of Windows Update and acts like an on demand anti-malware:
https://www.microsoft.com/en-us/download/details.aspx?id=9905
And, yes, it is not the responsibility of the OS to control side loaded software. Otherwise we could as well say: “windows should only support apps from Windows Store”.
Imagine keeping track of the millions of apps that exists today, the issues, etc.!
kwanbis,
Well, the OS would not need to keep track of all apps in existence.only those apps installed that the user cares about. It wouldn’t be hard to give applications a standard update API for to register themselves with the OS updater so that windows could automatically poll for updates from a developer’s website/bittorrent/etc. Also the developer’s public keys could be registered that app updates from a publisher remain cryptographically secure. This way a user could have windows periodically check for updates or do so on demand. In addition to easy automated update functionality, it could also give users a quick glance at the status of updates for all installed application. Something like the “add/remove software” list in windows today, but with more capabilities to handle automatic updating.
This is how 3rd party software updates should work. It’s both easy and avoids all the mistrust and abuses of centralized walled gardens!
Hot take: Independence from middlemen such as repositories and app stores is a good thing when it comes to user freedom. It’s the reason you can get VLC with full codecs and libdvdcss on Windows, guaranteed, while on Desktop Linux some distros remove codecs (and most distros remove libdvdcss, because of course).
In that sense, Windows and macOS are the most open mainstream OSes from the perspective of the user who doesn’t care about source codes but does care about apps.
As an additional benefit, when the VideoLan guys release a new version of VLC, it becomes immediately available to all non-EOLed Windows versions, while on Desktop Linux you have to wait for it to filter down to your repository (if ever, if you are on an LTS you may never get the latest version). App Stores are somewhere in the middle (new versions become available with a small delay).
So, I kind of like Windows’s and MacOS’s middleman-free approach, though I think a vulnerability scanner for out-of-App-Store apps would be a welcome addition.
Oh, and let’s not forget that other benefit of the Windows and MacOS’s approach: If you are selling a paid app, you don’t have to pay a 30% tax to any App Store middleman or open-source your code so it goes into the distro repositories. It’s the reason Adobe Creative Cloud isn’t in the MacOS App Store for example. Or in your distro’s repositories.
To any people who think I am exaggerating about the whole “filter down to your repository (if ever, if you are on an LTS you may never get the latest version)” part, here is an article about VLC failing to hit the repositories of what was at the time the latest Ubuntu LTS:
https://www.omgubuntu.co.uk/2014/02/install-latest-vlc-release-ubuntu-12-04
But hey, you can install it from some weird third-party repo at your own risk (emphasis not mine).
Meanwhile, every PC running a supported version of Windows could get that version of VLC immediately from the official VideoLan website.
kurkosdr,
I faced this exact problem with the VLC distributed by debian. I could no longer stream video footage from security cameras after an update because debian decided to remove certain “non-free” dependencies from their repos. This was extremely frustrating and ultimately I fixed it by installing vlc from an appimage, which just works
I agree we need to be independent from centralized app stores so we can’t be held hostage to their policies when they don’t fit our needs. Whether it’s microsoft, apple, google, debian, whoever… They all have different motives, but ultimately owners deserve the freedom.
Out of sheer curiosity, what were those dependencies?
Not sure exactly what is missing from the official packages, but https://deb-multimedia.org/ is the way I know about to get media players for Debian with all the features.
kurkosdr,
Good question, I didn’t keep precise notes, but as I recall it was a live555 dependency.
https://wiki.videolan.org/Live555/
This debian bug report looks like the same problem with a lot more detail.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982299
I know they’re just following their policies on non-free software, but when reporting breakages the last thing you want to hear is “that’s expected”.
In any case, it’s still not working for me without bypassing debian repos. Not sure if it works under ubuntu/mint/centos/etc.
Theoretically I could submit a new FOSS project myself, but I’m not financially stable enough to do FOSS work for free. As I’ve grown older with a family and all, finances have only gotten tighter.
Having OS-level support for application updates does not necessarily mean having a centralized repository for applications. And on Debian and Ubuntu, I really do end up using some third-party repos for some applications. But I only have to think about them when first installing those applications, after that, the exact same “apt update && apt upgrade” checks for updates for everything.
AnyoneEB,
I do too. In principal 3rd party repos aren’t a bad idea but in practice the tooling built for linux distros in the 90’s isn’t user friendly when it comes to 3rd party use cases. Users want adhoc one-click installs, but deb & rpm repos are difficult to use for adhoc installations. Manually adding package keys, conflicting dependencies when 3rd party software isn’t perfectly in sync with your distro repos, etc.
I find that appimage/flatpak/snap are friendlier than repos for 3rd party installs, in large part because they solve the dependency issues differently.
Those kinds of issues aren’t inherent to traditional repository-based package managers, but rather with the tooling around them. On the OS I’m writing, I’m planning to add some extra tooling that hopefully will significantly improve package management at the system level, without having to use a parallel package manager like snap/flatpak/etc.
The issue of ad-hoc installations could be fixed with a utility that adds a repo from a single downloaded file. Another good idea might be to have support for a distro-managed “meta-repo” to allow third-party developers to make their repos accessible by default. Library conflicts could be solved by a lightweight containerization system that uses a separate immutable directory per package and binds those directories together into virtual environments for different packages, sharing the same user files and system services; this kind of thing should be reasonably easy to do (assuming the underlying OS provides the right APIs for it) with apt/dpkg since it is extremely modular.
andreww591,
Well maybe, the problems are twofold. Asking users to edit source.list, even using a front end for it, is just not intuitive. People may be able to get it to work by following instructions they don’t understand off of a website but what to do should be obvious and self documenting. Just as an example, here’s a link from another comment…
https://deb-multimedia.org/
Uck, this is not even remotely user friendly.
With software, we can build abstractions on top of other abstractions, which is what you are proposing. That might help hide complexity under the hood. but there are other problems that would be harder to address without fixing the repo itself. In my experience repos from uncoordinated sources can still create dependency hell, your really asking developers to stay on top of the ball cross checking their software against all the distros all the time, but it’s a lot of work and in the real world many developers won’t do that. Things like dependencies are a huge issue but also file paths.
Beyond this linux repos are generally vulnerable to root trust issues.
https://blog.ikuamike.io/posts/2021/package_managers_privesc/
It’s one thing to trust packages from your distro, which you already implicitly trust anyway, but adding 3rd parties keys to the repo keychain running as root to install some random software is grimace-worthy. And maybe you want users to be able to install software without running as root. And maybe you want to install software in a sandbox, etc.
Yes. By the time you end up fixing everything, you might find that you’ve needed to reinvent flatpak/snap.
Since you are developing an OS, I think you should take a look at gobolinux. IMHO they tackle some of the app problems at the source by simplifying app installs rather than building around the complexity. I kind of wish more operating systems could purge the low level complexity rather than incorporating it. (I faced these challenges in my distro as well, but I don’t want to stray too far from our topic).
I have to say, I agree. I quite like the idea of separation of roles. The OS is the OS and the apps are the apps.
My “happy place” is something like brew on macOS. I can install and manage all my updates for apps via this package manager. But my OS is independent of that.
Having run an IT department, the idea I can deploy all the apps required for a new machine by just running a script is the Dream.
In Windows there are multiple apps/services that offer a unified scan an update of apps. But they tend to be aimed at enterprise and come with a similar price tag.
Adurbe,
Windows has its own “brew”. In fact several of them.
Ninite (https://ninite.com/) has been around for a while to automate installs for a brand new system. And will also update/reinstall on demand.
Chocolatey (https://en.wikipedia.org/wiki/Chocolatey) is an idea spawned off of “NuGet” manager (.Net’s package manager) with more similar command line interface.
And of course there are many others (including apt-get itself for the Linux Subsystem):
https://www.hanselman.com/blog/aptget-for-windows-oneget-and-chocolatey-on-windows-10
Anyway, the “IT centralized” way might also be there, but I had no need for such a thing in the past, so don’t actually know it.
The fact that Windows has several package managers is not a good thing… And I’ve used them all – they all fall down in various ways. Mostly, it’s that Windows’ defaults almost require that you install everyting as admin, which limits the effectiveness of those package managers in a variety of ways. They are also unreliable, which sums up my general experience with Windows. I honestly think Windows users just don’t see how much time they waste maintaining Windows, because they just haven’t used something better (which is like, anything and everything else).
Yes, unfortunately this is a side effect of their backwards compatibility with everything since Windows 1.0 (if you have 32 bit version, which is still supporting 16 bit applications). It is obvious things were different back then.
Anyway, they might resolve this if their Containerazation work pans out. If not, “cruft” will continue to accumulate.
Those Windows enterprise app management platforms are also a complete nightmare from a user perspective.
Thom Holwerda,
They want users to use their centralized app stores, but the problem with that is that developers aren’t keen on the whole walled garden thing. It poses cons both financially and in terms of control/censorship/etc and it is reasonable for people not to want to be coerced into that.
The solution is a decentralized model, like flatpak but ideally more portable and supported everywhere without developers having to go through hoops on every platform registering accounts, getting approval, sharing banking details, uploading to multiple app stores, and so on. While this it the future the tech giants want us to embrace, a unified decentralized model would be better for many users and developers. Alas, the tech giants control the dominant platforms, they would need to be on board. The success or failure of decentralization is largely up to them and their financial interest is for decentralization to fail.
The solution you’re describing is largely status quo for Windows. Many developers already provide direct download links to their installers and/or portable versions. Dependencies are often bundled together, or readily available. Software automatically checking for updates is common practice. The claim that Windows “doesn’t provide an easy way to update your installed applications” is disingenuous. People are free to use the app store or install/update themselves. It’s unreasonable to expect an OS to monitor and update the vast ocean of software. In fact, an OS isn’t a software librarian. As the article points out, this is 2023… We’ve had two full generations of pc users installing & updating apps. Guru level experience is no longer required.
friedchicken,
You’re right about all of that, but it’s not what I meant. I am for decentralized software, but I still think we need more standardized mechanisms. It’s non-ideal that we’ve ended up with so much software reinventing the wheel and running in the background. Microsoft have long set a bad example here and IMHO software is worse off for it. Operating systems need to natively support universal decentralized app installer/updater capable of offering these features consistently.
I disagree on the basis that what windows has traditionally offered little help to owners for tracking/managing updates, just as this article highlights.
Well, this right here is the problem! Whatever you think about the OS doing these tasks, the users are almost certainly going to do a worse job than the OS. The OS should monitor and update the vast ocean of software! The OS should be a software librarian! Consider that the OS would be so much better and more reliable than the users at these tasks. Average users are going to take a hands off approach to software updates. Operating systems have a responsibility to do better. While we could blame millions of individual developers for not bundling their own updaters. IMHO it makes far more sense for operating systems to standardize the process so we can all benefit from consistent robust update mechanisms.
Microsoft (and apple, etc) might not have the proper incentives to build decentralized app management tools into their operating system, but there are so many cool features they could offer everyone: users, admins, developers, etc. Unified software management, fast downloads & installs via bittorrent, timely updates. Everyone wins.
Operating systems should monitor and update themselves, yes, but be responsible for doing that for every piece of non-OS software in existence? No way, and that’s unrealistic anyway. The burden of non-OS software management/updates is shared by the developer and the users alone, not the OS. I agree users aren’t typically great at keeping software up-to-date. Often times the most recent version of something is more problematic than an earlier version so newest != best.
The only thing I think an OS has a responsibility to do better at is provide me with a stable & secure platform to interface hardware with. Resources should be spent on that, not on babysitting & policing anything outside that scope.
I’m not against a decentralized and standardized method of software distribution. I’m not against an OS providing this as an option made available to anyone wishing to use it. In fact, I agree doing so can offer significant benefits. I just don’t agree this is an obligation the OS is responsible for fulfilling. For that matter, the OS isn’t even required to participate. The entire framework and function can exist as a service outside of the OS itself.
I have about 10 different applications I’m actively using right now. The system is running smooth and rock solid. The last thing I need or want is Windows patrolling them all and interfering where it decides there’s a problem. Windows updates have gotten better but still has a problem breaking previously working systems. Again, I’m not against an OS providing a mechanism by which developers and users can more easily maintain their software, but I don’t support an OS placing itself in the middle as the judge, jury, and executioner.
friedchicken,
Why though? Millions of programs and developers could reuse the same mechanism, why force them all to reinvent it? This doesn’t improve user experience.
Sure, but so what? It’s just a tool, users can enable updates, just enable update notifications, disable it completely. As long as users are in control, what’s the big deal? I don’t see a reason to deprive users of a standardized update feature.
Sure, lets get rid of everything that’s not strictly needed. MSI, screw that, developer can make their own packages themselves. Common dialog boxes, screw that, every application should implement their own. “Add/remove” software, screw that, every application should provide their own uninstall shortcuts. ODBC, screw that, every developer should roll their own database interface! Task manager and service manager, screw that, all applications should manage their own services. Print manager, screw that, applications can supervise their own print jobs. Video & audio compression, screw that, developers can use their own. This can go on and on, but I hope you get the picture. Operating systems do a whole lot to provide shared functionality, improve user experience, improve consistency. This kind of unity is a good thing and software updates fits right into what a good operating system should support.
You aren’t wrong, every application could write their own implementation, but the result is inevitably worse for users tasked with babysitting applications that all do the same things differently. We know this is a task most users will invariably fail at. Standardizing updates would make software administration a hell of a lot easier.
Next time start with this comment, haha. I agree that good tools exist to serve us whereas bad tools can abuse us. I’m always defending owner rights and control, software updates are no exception. Standardizing around distributed technology isn’t the problem, depriving owners of control is.
@Alfman
I’m not arguing against a clean standardized means of maintaining/updating non-OS software, I’m saying the OS is not a mandatory component for such framework. That doesn’t imply that each and every developer has to create their own way of software distribution, updating, and maintenance, though they’re free to do so if they choose. I neither suggested nor implied everyone reinvent their own wheel. That would be ludicrous. Further, I didn’t say in the slightest that an OS should be stripped down to the absolute bare metal and not provide any shared services.
My only basic requirements for an OS providing frameworks/services are 1) stability is prioritized, 2) installations/updates are not forced, always have opt-in or opt-out, and always reversible, and 3) the OS doesn’t interfere in any way that restricts users freedom to use their system how they see fit.
I don’t think we disagree on this, if any of it. I don’t support an OS being the deciding authority on all software. I don’t support an OS that has final say on what gets installed and when/if it gets updated. Users granting an OS babysitter/knows-whats-best privileges is fine so long as it’s their choice to do so and those privileges can be revoked at the users discretion. As I said, often times updates are not better, introduce instability and/or performance losses. I’ll never be in favor of shoving that down users throats and giving them the shrug emoji when it causes problems.
friedchicken,
Ideally, all software could be managed in a single unified interface. There’s no “this program does X, this other program is managed by Y, these other programs need to be managed through Z, and so on….” I just don’t see any other possible way to achieve this comprehensive level of unity without some standard APIs in the OS. The technical merit is there, the need is there. Granted it needs to be user friendly, open and decentralized, but assuming it ticks all of the boxes, then I’m all for it.
The thing is, this is exactly what’s been happening without a standard OS API. Applications are rolling their own self-update solutions. Some update on launch, others load their own update system daemons in the background, some need to be updated manually. It’s just a chaotic mess of everyone reinventing the wheel and I think the user experience is worse for it.
You are right, we’re in full agreement on those points. There’s no reason a standardized update feature can’t do that. Am I right to think your main concern isn’t technological, but rather one of trust? The fear being that dominant companies like google/microsoft/apple corrupt everything they touch for their own selfish interests? If so, I sympathize with that opinion.
Selfish corporations are often the reason we get proprietary restricted solutions over open ones. I concede my desire for a standard solution assumes we were getting an open/decentralized standard in the first place. But if it’s a bait and switch solution that uses proprietary/restricted/tethered to corporate data silos/DRM/etc, then I too would immediately protest that.
@Alfman
Exactly that, yes. These big companies have proven themselves to be willing to go to practically any lengths to squeeze more out of users. The blatant violations & abuse of trust are inexcusable and unfortunately go largely unpunished. I’ve nearly foreclosed on the idea that a better future awaits us. Sadly, we’re not driven by what could be if it would restore peoples rights & privacy.
For those playing at home:
`winget upgrade –all`
Unfortunately this is not an option for those of us who choose to run the LTSC version of Windows, as the Windows Store is not available (a perk of and reason for running LTSC), and winget requires the Windows Store to be installed and registered with Windows Package Manager.
More information for those curious about it:
https://learn.microsoft.com/en-us/windows/package-manager/winget/
Assuming we want to update our apps…
Newer isn’t always (or even in most cases) better.
I was recently forced by a client to upgrade to my Office 2016 setup to 2021…
And the upgrade broke the spellcheck function in SDL Trados 2021.
Now either I have to shell out 800EUR for Trados 2022, which I won’t, or alt-tab like crazy every time I launch Trados, so that I can find that little warning window and click on the “disable macros” button before it is too late to preserve my spellcheck settings.
My old phone, a Sony X Compact, was an amazing thing. It was small, and its battery lasted for more than I could hope for. However, after a year I bought it, it began to stall every now and then, on both apps and browsers. What was the issue? What could be the issue? I factory resetted the thing, and it was again that amazing little thing for a day. Then, it began to stall again. Craptastic… Another factory reset, and this time turning off the auto-updates on the play store… Now, the phone stayed awesome for good. After a while, I tried installing updates of apps one by one, and the issue was with… Android System Webview. One of its updates made my lovely phone stall. Did I want that update? No. Did I browse 4chan pages on that phone, so that I’d perhaps do better with the latest browsing engine? No. Did I want a fast phone or one that was meaninglessly updated? A fast phone indeed.
My old work horse laptop was pleading for retirement. It was so old… From the times we were able to upgrade even the CPUs of laptops. But alas, I was forced to buy a win11 one, as the spare parts supply for the oldie but goldie finally dried up. Now, whenever I need to sync my work directory containing GB-scale translation memories and thousands of smaller documents, the antivirus I’m forced to use adds a delay of 5-10 minutes, just because. And I can’t permanently disable or uninstall that antivirus, just because. To add insult to injury, my taskbar is being raped with virtually every update of the OS. How I miss the stability of that win7 laptop, which didn’t have the latest version, but the latest problem-free version of OS.
I don’t want to use the latest version. I want to use the latest version I know to be problem free. And it usually is a few years old.
Please, don’t beg for trouble imposed from some corporate headquarters. It’s obvious that we’re already on that route, and there’s no need to accelerate that trend.
You’re talking about a different subject. You are talking about switching one piece of software for a different one. This topic is about bug fixes.
“How is it that, in 2023, the world’s most popular desktop operating system doesn’t provide an easy way to update your installed applications?”
It does: “winget upgrade –all”, as acknowledged at the end of that same article. But of course we don’t want to pay too much attention to THAT, right? It would rob us of the fun of bashing Windows.
I think we can simultaneously acknowledge two things:
1) Winget is really good. I mean, actually a contender for the best command-line package management system on Windows or any other platform.
2) Winget is (a) very new and (b) not the method of software installation that most Windows users elect to. You can find information about Winget if you already know what you’re looking for, but Windows does not e.g. guide any user who means to install software to Winget in the same way that e.g. Debian drives users to apt-get, Fedora drives them to Flatpak, or Apple drives them to the App Store.
Which leads me to:
3) It’s kinda cornshit to say “winget exists, and security issues are therefore the fault of users who, in their ignorance, elect to another method of software installation.” For nearly 30 years, the “right” way to get Windows software has been to install it directly from the vendor’s website — this in contrast to Apple (which has had the app store for more than a decade) or the Debians, BSDs, etc. that have had some version of an official online software repository since the ’90s.
Dropping to the command line and running an undocumented command does not actually qualify as “an easy way to update your installed applications”.
Also, WinGet is barely documented.
I think this stance is disingenuous. If you get your apps from the Windows store, the autoupdate. Microsoft cannot be responsible for apps that have been sideloaded by the user.
BluenoseJake,
Disingenuous? I guess you don’t want to blame them for not having a feature, however…had Microsoft added vendor neutral update tools & standards to windows decades ago all these troubles could be behind us today and standardized update mechanisms would be taken for granted.
That article is just clickbait. Yes there are issues with Windows updates, as well as Ubuntu updates and Chromebook updates. I’m familiar with all of them, I own several computers. But that’s another issue.
This is a WinRAR issue, not an OS issue. He even admits this later in the article “Here’s the problem: WinRAR doesn’t automatically update itself”.
If you install 3rd party software then you are responsible for it. My daughter discovered this when she was in middle school and downloaded so much ‘free’ software that the viruses were fighting each other. I showed her how to reinstall Windows and gave the ‘Safe I/O talk’.
darkoverlordofdata,
Yes, it is winrar, but we have to multiply it by thousands of applications that similarly aren’t kept up to date either because users are expected to check for updates manually.
https://www.reddit.com/r/7zip/comments/pjo7on/auto_updating_7zip/
Why should users do this manually? Arguably this should be an OS issue. This is exactly the sort of tedious job that users would reasonably expect be offloaded to the OS. There is no reason for having thousands of developers solving the update problem over and over. We only need one system-wide consistent robust distributed update process that works. Leaving every application to solve the exact same problems and loading more background update processes is something we should be getting away from in mature operating systems.
To be fair, this transition is starting to happen, but there’s still an awful lot of software that’s being managed manually. There’s room to do better.
That’s not as good an argument as you think it is. Yes 3rd parties need to be responsible for their software, but that doesn’t mean operating systems should neglect the tools and functionality that both users and developers need for a consistent experience. MS could have prohibited 3rd parties from using MSI saying “3rd parties need to be responsible for packing their own software”. Logically that has just as much merit as when we’re talking about updaters, but it completely ignores the fact that the OS exists to solve low level problems like this and streamline the user experience. Platforms need vendor neutral standards and tools if there’s to be any hope of solving these problems in a way that can eventually scales up to all applications.
On macos you do at least have the option of using homebrew and casks to install everything, but that’s technically third party. Linux distros and flatpacks have honestly solved the problem. The baffling part is that people still use Windows…
I’m still amazed that Microsoft never encouraged developers to use the Windows Update utility as a way of providing software updates, rather than forcing every developer to create their own. There is an API for adding custom sources, but I don’t know of any software that has ever really used it in any way.