We have a very real problem with the internet: it's full of devices that are not kept up to date with security patches. Either they don't have the latest patches installed, or they have never been patched since the day they first booted. Many are running an operating system so old that it is out of support and no longer receives security patches at all!
Windows XP is a good example. It was released in 2001, left mainstream support in 2009, and when it finally exited "extended support" in 2014 (meaning no more security patches would be provided for it) statistics showed it still held around 30% of the desktop PC market. Even now in 2018, 17 years after release and 4 years after security patches stopped (outside expensive custom-support contracts), it still commands approximately 5% market share (www.netmarketshare.com), despite having no business being connected to today's internet.
Why is this such a problem? Because there is a seemingly endless number of people, organisations and even some countries who spend their days trying to take control of devices like this to serve their nefarious purposes, often compromising other internet users or attacking the services of companies they want to target.
What could be easier to recruit than the unpatched machine of a non-technical user who doesn't know any better and doesn't understand what is happening or how to fix it? Even more concerning is that it's not just home users: over the years I have repeatedly dealt with businesses that seemingly only upgrade when they have no other choice, often because their critical business partners have disabled the legacy and insecure connection methods those outdated systems relied on. Security is not their concern, and upgrading is a last-resort action only.
The obvious question is why people don't update or upgrade. Many reasons are presented to us, including application incompatibility with new versions and the cost of new hardware or a new operating system; however, I believe that for the vast majority of unpatched devices out there it is because their owners either:
- Have the ability to upgrade, but by human nature take the path of least effort, which is to do nothing.
- Have no idea how to upgrade: the operating system came with the machine and they don't have the technical knowledge to change it.
- Fear change, and what they already have "works for them".
There is an excellent clip from the "IT Crowd" that shows this, and it is so true; the number of machines I have seen like this over the years is frightening: The IT Crowd – "The Laptop from the Exorcist"
There are two sides to this argument:
- Blame the User – Should there be accountability on the user for allowing their machine to get into a legacy and unpatched state, running riot on the internet? Should people be made responsible for the safe maintenance of their computers in the same way they are responsible for the safe maintenance of their cars on the road? Should you be made to pass an "Internet Driving Test", and your device an "MOT", before you are allowed to connect, so we don't end up with a tiny percentage of the internet driving everyone else off the road?
- Blame the Vendor – On the other side, isn't it Microsoft's fault? Mobile platform vendors don't have this problem (to anywhere near the same extent), and even the most non-technical user can install the latest iOS upgrade on their iPhone. It's one of the reasons the iPhone is so popular: it requires near-zero technical knowledge to operate its basic functions. Why do people require such deep technical knowledge to keep Windows safe and secure?
While I do think there needs to be some user accountability, I think it's fair to say the ultimate problem has resided squarely in Microsoft's corner. It is largely a symptom of an era: Windows is not a lean, newly developed mobile platform; it is built on literally decades of old code, some of which was created before the internet or the idea of a structured update platform were considerations. The mobile platforms of today were built from scratch with these things in mind, learning the lessons of those that came before them.
When Satya Nadella took over as CEO of Microsoft in 2014 he handed the then head of the Windows division, Terry Myerson, a seemingly impossible task: turn the Windows behemoth into a service that can be easily updated, to help solve the problems of unpatched machines and of users who don't upgrade to new versions of Windows. The justification: users of popular mobile platforms such as iOS get the latest security patches automatically, quickly and reliably, so Windows users should too.
Against all odds, Myerson appears to have succeeded. Patches are rolled up into a single ongoing cumulative update, and for the majority of devices (Enterprise and Education editions retain the ability to defer them) these updates are mandatory and install automatically. Even more impressive, the notoriously untrustworthy, problematic and hugely time-consuming Windows upgrade process of old, which people avoided or didn't understand how to use, has been replaced by a rock-solid automated upgrade process that now just installs automatically and, as far as the user is concerned, is pushed out just like a standard patch.
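Whether a given machine has actually taken the cumulative updates and feature upgrades described above is something you can check rather than assume. The PowerShell below is an added example (not from the original post or from Microsoft) that reports which semi-annual release a Windows 10 device is on and how long it has been since its last registered update. It assumes Windows PowerShell 5.1 on Windows 10; the 60-day staleness threshold is my own assumption (two missed monthly patch cycles), not a Microsoft figure. One caveat: Get-HotFix reads Win32_QuickFixEngineering, which lists updates registered with the servicing stack but not every update type, so an empty result means "unknown", not "patched".

```powershell
# Added example, not from the original post: report which Windows 10 release a device
# is on and how long since it last took a cumulative update.
function Get-PatchState {
    param(
        # Assumption: two missed monthly "Patch Tuesday" cycles counts as stale.
        [int]$StaleAfterDays = 60
    )

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId holds the semi-annual release name (e.g. 1709, 1803). Later builds
    # (20H2 onward) stop incrementing it and use DisplayVersion instead.
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # UBR is the revision number bumped by each cumulative update, so
    # CurrentBuildNumber.UBR (e.g. 16299.<revision> for 1709) is the exact patch level.
    $build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    # Get-HotFix reads Win32_QuickFixEngineering: it lists updates registered with
    # the servicing stack, but not every update type, so treat "none" as unknown.
    $lastUpdate = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $daysSince = if ($lastUpdate) { [int]((Get-Date) - $lastUpdate.InstalledOn).TotalDays } else { $null }

    [pscustomobject]@{
        ProductName   = $cv.ProductName
        Release       = $release
        Build         = $build
        LastUpdate    = if ($lastUpdate) { $lastUpdate.HotFixID } else { 'unknown' }
        InstalledOn   = if ($lastUpdate) { $lastUpdate.InstalledOn } else { $null }
        DaysSinceLast = $daysSince
        # Unknown is treated as stale: a machine you cannot account for is not "patched".
        Stale         = ($null -eq $daysSince) -or ($daysSince -gt $StaleAfterDays)
    }
}

Get-PatchState | Format-List
```

It runs as a standard user and can be pushed to a fleet with Invoke-Command; the Release and Build fields are what let you tell a machine still on an older semi-annual release apart from one that merely missed last month's cumulative update.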
While it has taken years to get to this point, the previous semi-annual release of Windows 10 (version "1709", the "Fall Creators Update"), which shipped in October 2017, shows how much progress has been made. According to AdDuplex's March 2018 report (http://reports.adduplex.com/reports/2018-03/), despite being only around five months old it is already installed on over 90% of the entire Windows 10 install base. That is an incredible turnaround and makes it *easily* the fastest-spreading Windows upgrade of all time. The reason? It's pretty simple really: users didn't have to do anything to make it happen, because it was largely forced upon them.
Taking a minute to consider this statistic against the mobile platform Windows was trying to imitate: Apple released iOS 11 in September 2017, and the most recent stats (https://developer.apple.com/support/app-store/) show the iOS 11 installed base at 65%:
Now, that figure is from January 2018, so adoption will clearly be higher by now, but Apple works on a yearly release cycle, and just before iOS 11 was released its predecessor, iOS 10, sat at 89% (http://www.idownloadblog.com/2017/09/10/ios-10-adoption-reaches-89-ahead-of-ios-11-launch/).
Regardless of the exact percentages, what this clearly shows is that Windows has finally solved its update and upgrade problems, meaning that going forward its user base should always be on the latest version of Windows, patched and able to use the latest security defences.
Now they just need to get users and businesses off legacy versions and onto Windows 10 to take advantage of it. Once that happens the internet will be a safer place.
Update (7th June 2018)
This article was written in April 2018, and since then Microsoft have released the Windows 10 April 2018 Update (version 1803). The first deployment statistics from AdDuplex confirm that with this release Microsoft have fully realised their vision of "Windows as a Service": in the first 30 days alone it reached a staggering 50% of all Windows 10 devices (http://reports.adduplex.com/reports/2018-05/), almost twice as fast as the previous release. Whether or not this is almost "too fast" for serious bugs to be caught before the update hits the wider population, the fact that it is possible at all, given the problems around user interaction in the past, is impressive.
Also impressive: Apple have released further iOS statistics for 31st May 2018, and in the 8 months since release iOS 11 has reached 81% of devices (https://developer.apple.com/support/app-store/). So the fact that Windows 10 1709 reached 90% of devices in under six months means Windows is now technically able to deploy itself faster than the mobile platform it set out to imitate. Impressive.