Why Microsoft has to open Windows Update to third-party developers
There's a lot of confusion out there about when attacks against computers occur as a result of vulnerabilities in software as opposed to some other weakness, usually social engineering. Considerable progress has been made in protection against vulnerabilities on Windows, and we can make exploitation even harder if Microsoft can be talked into my scheme: open up Windows Update to third-party applications.
My own opinion is that social engineering is far more important than vulnerabilities and has been increasing in importance. One reason for this is that vulnerabilities are a harder target than they used to be, and that's in large part because of the work Microsoft has done over the last 6 or 7 years.
Microsoft still reports vulnerabilities in Windows and some of them are serious, but as far as I know, there haven't been any widely exploited vulnerabilities in Windows Vista or Windows 7. This is partly because those versions have fewer and less severe vulnerabilities than the steaming pile of crap we call Windows XP, but also because Windows Update works better and is more aggressive by default.
As Secunia's 2010 end of year report makes clear, all the growth in vulnerabilities, including that of severity, is in third-party software. Have you ever tried to update all the third-party software on your system? It's hard, time-consuming and sometimes you don't know where to start or stop. Plus there's the whole "is this a legit update?" question.
There is a way to make this better, and Microsoft can make it happen. The answer is to open "Windows Update as a Service (WUaaS)." Third-party software companies should be able to offer their updates through Windows Update. That way users will have one place to go -- a place they're probably going anyway -- to manage all their updates.
I've made this suggestion before, and Microsoft's reaction was that it didn't want to be responsible for delivering someone else's code to a user's computer. I can sympathize, but it doesn't have to be that way. Here's how it should work: Windows Update knows how to look for updates to Microsoft products. Applications installing on Windows should have an option -- hell, make it mandatory -- to provide addresses and interfaces to the Windows Update subsystem for that product and its updates. If installed, Windows Update users will see tabs or dialog boxes or whatever to view and install updates for that product just as they do for Microsoft products. Microsoft won't be delivering the updates, the app vendor will.
The app vendor will have to package its updates in a way that meets Windows Update specifications. This will include things like code signing with a certificate acceptable to Windows Update and using TLS. It is possible, but may not be necessary, to require that the vendor also sign the updates with a certificate provided by Microsoft; this would let Microsoft control who is allowed to provide updates through this system.
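The acceptance check described above can be sketched in PowerShell. This is an added example, not code from Microsoft or from the article: the function name, the registration record and its fields, and the sample host and file path are all hypothetical, and pinning the signer by certificate thumbprint is one assumed way to decide which certificate is "acceptable."

```powershell
# Added illustration. Test-VendorUpdate and the registration record are
# hypothetical; Get-AuthenticodeSignature is the built-in Windows cmdlet.
function Test-VendorUpdate {
    param(
        [Parameter(Mandatory)] [hashtable] $Registration,  # recorded when the app was installed
        [Parameter(Mandatory)] [uri]       $DownloadUri,   # where the offered update came from
        [Parameter(Mandatory)] [string]    $PackagePath    # downloaded package on disk
    )
    $reasons = @()

    # Transport: TLS only, and only from the host the vendor registered.
    if ($DownloadUri.Scheme -ne 'https') {
        $reasons += 'download is not over TLS'
    }
    if ($DownloadUri.Host -ne $Registration.UpdateHost) {
        $reasons += 'host differs from the registered update host'
    }

    # Code signing: the Authenticode signature must validate against the
    # local trust store AND come from the publisher that registered.
    if (-not (Test-Path -LiteralPath $PackagePath)) {
        $reasons += 'package file not found'
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $PackagePath
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status is $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Thumbprint -ne $Registration.SignerThumbprint) {
            # A valid signature from some other publisher is still rejected.
            # Pinning a thumbprint means a renewed certificate must be re-registered.
            $reasons += 'signed by a certificate other than the registered one'
        }
    }

    [pscustomobject]@{ Accepted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample values; the thumbprint is a placeholder.
$registration = @{
    Product          = 'ExampleApp'
    UpdateHost       = 'updates.example.com'
    SignerThumbprint = '<THUMBPRINT-RECORDED-AT-INSTALL>'
}
Test-VendorUpdate -Registration $registration `
    -DownloadUri 'https://updates.example.com/exampleapp/1.2.msi' `
    -PackagePath (Join-Path $env:TEMP 'exampleapp-1.2.msi')
```

The check fails closed: a missing file, an unsigned package, or a validly signed package from a different publisher all return `Accepted = False` with the reason listed.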
Consider that Apple is doing something vaguely like this with the Mac App Store. One of the advantages to users is that updates are provided through the store, so users have just one place to look. That helps users keep their systems more secure, but it's only a step. Major gaps still exist for Macs.
Secunia has a series of tools that sort of do what I'm calling for. Running an agent on your computer and utilizing their vast databases of products, vulnerabilities and updates, their Software Inspector products tell you what's installed, how out of date it is, what you're vulnerable to and give you links to where you can go to update. They have the advantage of working with any product they choose to support, but it's not like having it built into Windows.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.