Upgrading

Sunday, 18 February 2007, michuk

Programs have bugs and security holes that are discovered every now and then and patched at varying frequency. Every operating system needs to be updated regularly to keep you secure, uninfected, and not vulnerable to those risks. Any additional software (browsers, office suites, messaging apps, etc.) that you have installed in your OS also needs to be updated on a regular basis, for exactly the same reasons. We’re going to take a look at the way Windows handles such updates and compare it with the approach adopted by GNU/Linux.

Everyone is familiar with the Windows Update feature (well, lucky you if you are hearing the term for the first time in your life). It’s hard not to notice the annoying pop-up which shows up every now and then, usually while I am trying to get some work done. Apart from that, it works really great — all the latest security updates are downloaded automatically for me by my great Windows OS. A few clicks, a reboot (oh where is the document I forgot to save?) and I am again secure and up-to-date, at least until the next update. Well… am I, really?

I have to disappoint you. What I’ve just downloaded are only some security patches for the kernel of the Windows OS, plus updates of a few core Windows components. If you don’t use Internet Explorer, Outlook Express or Windows Media Player (and probably you don’t since I hope you’re an aware Windows user, the actual target of this article) all this hassle does not concern you a lot, actually. In such a case, Windows Update gives you only a feeling of security. If you want to have a really secure OS, you need to manually upgrade all the applications you frequently use, including a firewall, a web browser, all instant messengers, P2P programs and all other apps accessing the Internet. But when is the right time to do the update? Continually! If you really want to stay secure in Windows, you should read the security-watch websites like Secunia daily and follow the instructions given by them. When a security hole is found in some software you use, you need to apply the given patch or upgrade to the latest version of the application (if one has already been published). You probably wonder — how can one find time to do all these things? Well, almost nobody does, really. Most of the computers around the world run unpatched and insecure software, sometimes because of lack of knowledge, sometimes due to lack of time…

OK, but how come this problem hasn’t been solved yet? Wouldn’t it be far easier if the operating system manufacturer (Microsoft in this case) provided us with a tool for automatic upgrade of all programs installed on our computer, not just the Microsoft ones? Unfortunately, such things only exist in the world of GNU/Linux.

Pic. 1: System upgrade in Ubuntu Linux. All packages with security issues or bugs found are updated.

Why is that the case? Does Microsoft want you to run unpatched programs and stay permanently insecure? Probably not. However, the problem is more complex.

The majority of software you install in GNU/Linux is provided in packages built by the creators of your operating system. Upgrade of these packages is as easy and automatic as their installation or removal. A package manager like APT or yum takes care of those tasks without problems. It can check whether there are any new patches for any of the installed applications, and if so, download them from a public repository and apply changes to your system. All done automatically, almost without your interaction!
This scenario is a bit different in every major distro, but the idea is the same. In Ubuntu, for instance, a nice, unobtrusive alert is shown in the system notification area (system tray) when the patches are ready to install. It’s enough to accept the changes with a mouse click (after entering the user password, for security reasons) and they are installed in your system within minutes.
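
The check the package manager performs can also be inspected from a terminal. The following is an added example, not part of the original article: it parses the `Inst` lines of APT's simulation output and marks which pending changes come from a security suite. The sample output, package names and versions are constructed, and treating a suite name ending in `-security` as the security archive is an assumption based on the Ubuntu and Debian naming convention.

```shell
#!/bin/sh
# Added example: classify pending upgrades from APT's simulation output.

# Constructed sample of `apt-get -s dist-upgrade` output. Package names and
# versions are invented; only the "Inst" line layout follows APT.
sample_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst libexample1 [1.0-1] (1.0-1ubuntu0.1 Ubuntu:22.04/jammy-security [amd64])
Inst examplebrowser [99.0-1] (100.0-1 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst exampletool [2.3-1] (2.4-1 Ubuntu:22.04/jammy-updates [all])
Inst examplelib2 (0.5-1 Ubuntu:22.04/jammy-updates [amd64])
Conf libexample1 (1.0-1ubuntu0.1 Ubuntu:22.04/jammy-security [amd64])
EOF
}

# Reads simulation output on stdin and prints one line per pending package:
#   <security|other> <package> <installed version> -> <candidate version>
# Assumption: a fix is security-relevant when one of its origins is a suite
# whose name ends in "-security" (the Ubuntu and Debian naming convention).
pending_upgrades() {
  awk '$1 == "Inst" {
    if ($3 ~ /^\[/) {            # upgrade: "[old]" precedes "(new origin...)"
      old = substr($3, 2, length($3) - 2); n = 4
    } else {                     # new dependency: no installed version
      old = "(new)"; n = 3
    }
    new = substr($n, 2)          # drop the opening parenthesis
    cls = "other"
    for (i = n + 1; i <= NF; i++)
      if ($i ~ /-security,?$/) cls = "security"
    print cls, $2, old, "->", new
  }'
}

# How many of the pending changes come from the security archive.
security_count() {
  pending_upgrades | grep -c '^security ' || true
}

sample_output | pending_upgrades
```

On a Debian or Ubuntu system, `apt-get -s dist-upgrade | pending_upgrades` runs the same classification against the real package state; the `-s` simulation changes nothing on the system.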

There have been many attempts to provide a similar framework for Windows. Google, for example, has its own package called Google Pack. It’s a collection of free (as in beer, not as in freedom) software made by Google and a few affiliated vendors. The updates are performed by the Google Updater, but of course they concern only those few supported apps. There are lots of programs which have their own upgrade mechanisms. Firefox has one, most firewalls and anti-virus software do. However, it’s almost impossible to ensure that all software installed on your Windows computer is secure and up-to-date (meaning: there are no known security holes that affect it) without doing the manual work mentioned before.

It is so hard to implement such an updater in Windows because most software that Windows users run is not free (neither as in beer nor as in freedom). They are usually freeware, shareware, adware or totally commercial apps produced by independent vendors who do not allow others to take a look at their code and provide custom packages. To be precise, this problem exists in GNU/Linux as well, to a minimal extent. But there, you only need to manually take care of those apps which have been installed without using the package manager (i.e. proprietary software like Picasa or Crossover Office, and free software compiled from sources — the latter is rarely needed anymore due to the large repositories maintained by common distros’ providers). In such a case, a package manager cannot upgrade the software for you, since it doesn’t know anything about the apps installed in a non-standard way, and the only one who can take care of the security of those apps is you or the program itself.

Most of the programs shipped with GNU/Linux distributions are free as in freedom and as in beer, which, apart from everything else, means that you get instant access to any security patches automatically when using a smart software manager. And in Windows… you still need to use hammers and anvils.
