To see how much work needs to be done in the world of computer security, take a look at the screen of anybody using the Mozilla Firefox Web browser. Inspect the top right corner of that program's window: If you see a small red arrow pointing upwards, you've found yet another person who isn't keeping up with this browser's bug-fix updates -- and yet another example of how even well-meaning users can still leave their computers less secure than necessary.
Although it has finally gotten easy and convenient to keep your operating system, whether it's Windows XP or Mac OS X, current with needed fixes, doing the same thing for individual applications still takes far more work.
Unfortunately, virus writers and other online vandals can find these separate programs just as tempting a target for attack as XP or OS X: They can exploit a flaw in such Internet-connected programs as a Web browser, a mail program or a music jukebox to sneak their own malicious software onto a computer. So you can't neglect security fixes for those programs, any more than you can skip feeding your pets or watering the lawn.
But most of these programs don't make it easy enough to do the right thing. Consider how Firefox and the Windows versions of Apple's iTunes and RealNetworks' RealPlayer -- all widely used, all the subject of recent security updates -- attempt to help users keep current with bug fixes.
Firefox actually ranks as the most helpful program of this bunch. It comes set to look for updates automatically, without any user intervention. When it finds one, it politely notifies the user to download it. That notification normally takes the form of that red arrow in its toolbar, although sometimes Firefox will pop a little flag in the bottom right corner. Neither form of announcement exactly grabs you by the lapels, much less forces you to take any action.
Should you click on either notification, Firefox will start downloading the new version -- which means getting a fresh copy of the entire browser, not just a patch to update your existing copy. This also means you must go through the same installation process as a newcomer to the browser; if you elected for a custom installation the first time around (for example, declining Firefox's offer to put a shortcut to itself on your desktop), you'll have to go through the same routine this time.
As a result, it's tempting to ignore these update notices. (My own copy of Firefox was two versions out of date when I started this column.)
The next version of Firefox, due late summer or early fall, should introduce a new update system that will notify users more prominently and require downloading only a patch file instead of a fresh copy of the browser.
Apple's iTunes makes it easier to know when a new version is available, but provides little help otherwise to Windows users. (In Mac OS X, iTunes updates are handled by OS X's built-in update system.) Its notification -- an alert that pops up in front of the iTunes window -- can't be missed. But when you click its button to download the latest version, you're instead taken to a file-download page on Apple's site, where you must click two checkboxes to opt out of receiving marketing e-mail before clicking a big "Free Download" button.
No patch-file update is available, so anybody using a dial-up modem will wait a long time for the 21-megabyte iTunes installer to finish downloading. Once that's completed, you need to locate the iTunes installer on your hard drive and run that -- and as with Firefox, if you customized your installation before, you'll have to repeat that procedure.
Then there's RealPlayer. By sticking an otherwise well-designed auto-update mechanism in a separate program that normally delivers only pop-up advertising messages, RealNetworks leaves users thinking that they must choose between keeping this program current and allowing the company to drizzle marketing propaganda on their desktop.
You don't actually have to choose; you can set Real's "Message Center" to bug you only about updates for RealPlayer. But disciplining Message Center requires drilling down into RealPlayer's Preferences window, clicking a button to launch Message Center, then opening that application's "Customize" window. It also requires leaving this extra program around to suck up memory and clutter the system tray, that strip of inscrutable icons at the bottom-right corner of the screen.
It's just as easy to deactivate Message Center entirely -- and since RealPlayer's Preferences window will still report that it's set to "automatically download and install important updates," you'll think you're safe.
As awkward and as clumsy as those three programs can be, they all do far more than programs that rely on a user remembering to select a "Check For Updates" menu item -- or, worse yet, revisiting the developer's Web site to see if a new version has been released.
Two other factors can make it even less likely that a needed update will get installed. One, installing any program takes too much work in Windows, between running an installer, selecting any options, waiting for the installer to finish and then cleaning up whatever junk has now been strewn across your desktop, Start Menu or taskbar. (In Mac OS X, most programs can be installed simply by dragging a single file to the Applications folder.)
Two, in many offices, computers are locked down to prevent most software installations. That won't prevent folks from persuading a friend in the systems department to let them put one or two other programs on their desktop. But how many of these people will want to ask their techie pal to unlock their computer every time a minor update comes out for one of these applications?
What's needed is something more akin to how Windows XP and Mac OS X keep themselves current -- at least for programs that routinely send and receive online data, and which therefore are most exposed to attacks. Both operating systems will automatically look for and download bug-fix patches that need no more than a couple of clicks to install -- since last year's Service Pack 2 update, XP can even load updates automatically.
That sounds intrusive and bossy. But unless developers can write perfect software, or virus writers can be driven from the Internet, what other choice is there?
Living with technology, or trying to? E-mail Rob Pegoraro at email@example.com.