Microsoft on Tuesday slammed the door on updating third-party software via Windows Update in the upcoming Windows 8.
One security expert said the company was missing a big opportunity to improve the overall security of Windows PCs.
The new operating system will not update non-Microsoft software, said Farzana Rahman, the group program manager for Windows Update, in a
blog post .
"The wide variety of delivery mechanisms, installation tools, and overall approaches to updates across the full breadth of applications makes it impossible to push all updates through [the Windows Update] mechanism," said Rahman said. "As frustrating as this might be, it is also an important part of the ecosystem that we cannot just revisit for the installed base of software."
Rahman's statement was the clearest ever by
Microsoft that it would not take other applications under its update wing.
Currently, the company offers customers updates to Windows drivers -- third-party files required to run the OS -- via Windows Update, and occasionally disables third-party ActiveX controls in Internet Explorer (IE) at vendors' requests. And that's how it's going to stay, Rahman said.
She did add that Microsoft feels its customers' pain.
"People clearly find the experience with multiple updaters on the system less than optimal, and we agree," Rahman said. "Each application updater gives you a different experience, you have to remember to go visit each updater to install updates, you never know when or how updaters will run and what they might do, and so on. People would like one updater for the entire system."
Yes, they would, said Wolfgang Kandek, chief technology officer for Qualys, and an advocate for Microsoft's updating other companies' Windows software.
"I understand the thinking," said Kandek of Microsoft's reasons for not pushing third-party updates, "but at the same time, it's a little disappointing. Microsoft could collect a huge amount of goodwill by doing this, and it would be a huge leap for security ."
Kandek argued that although even Microsoft doesn't have the resources to validate every application's update, it could certainly focus on the most important vendors whose products need to be constantly updated. His examples: Adobe's Reader and Flash Player.
"I would argue that there are certain organizations, and Adobe is one of them, where [Microsoft taking on updating duties] would be possible," Kandek continued. "There are only a couple of [vendors] that they would need to address, and they're mature companies with well-tested updates."
Both Flash Player and Adobe Reader have been patched multiple times this year: Adobe has issued nine security updates for the Flash Player and five for the Reader so far in 2011.
Others, including Danish vulnerability tracker Secunia and some readers of Rahman's blog, have called for a unified update mechanism for all Windows software.
Read more
