What’s the best way to keep Windows programs up to date?
In 1999, David Lee Smith – who was later jailed – named his PC virus after a stripper called Melissa, and it swept the world, forcing some large companies to shut down their email gateways. That and some later malware successes forced Microsoft to spend two years rewriting Windows XP, and Windows XP Service Pack 2 was finally completed in 2004.
After that, Bill Gates shut down the whole Windows division to train around 8,500 programmers in what he called, in a once-famous memo, Trustworthy Computing. This $500 million project introduced a new Security Development Lifecycle (SDL) that concentrated on things like threat modelling, code reviews and penetration testing. This greatly improved Windows’ security over the next decade. Microsoft also made “SDL’s tools, processes and guidance available free of charge to any organisation that wanted to adapt it to their own business”. It got more than 1m downloads by 2008, so many others benefited, too.
As Windows became harder to exploit, attackers shifted their attention to weaker programs that were commonly found on Windows PCs. These included Sun’s (now Oracle’s) Java JRE, Macromedia’s (now Adobe’s) Reader and Flash Player, and Apple’s iTunes and QuickTime.
This created a problem. You could keep Windows up to date by installing the security patches that Microsoft released on the second Tuesday of each month, but how could you keep non-Microsoft software up to date?
If you used software from 50 different sources, did you really want to run 50 background processes to check for updates? If not, did you want to visit 50 websites to check for new versions?
Secunia’s Personal Software Inspector (PSI) and similar programs solved that problem. They scanned the software on your PC, checked it against a database of the latest versions, and either installed the updates or gave you a link to do it manually.
PSI was by far the best of the bunch, partly because it covered a wider range of software, and partly because it also checked major Microsoft software components. (Not all Microsoft updates install correctly.)
I’ve been using Secunia since 2007. However, the Danish company was taken over by Flexera in 2015, and Flexera has now decided to drop PSI. The program is telling users: “On April 20, 2018, Flexera will be ending support life for PSI. On that day, PSI will no longer be functioning and should be uninstalled.”
SUMo leads the way
SUMo comes from KC Softwares, a French company that offers a lot of small utilities, while Patch My PC targets enterprises that use Microsoft’s System Center Configuration Manager (SCCM). (Until 2017, the founder, Justin Chalfant, worked with SCCM at Microsoft.)
SUMo was one of the best at finding programs where later versions are available. It found programs that were bundled with my Dell PC, such as Dell Digital Delivery, and the odd utility I didn’t know I had, such as GraphStudioNext. (It’s bundled with the K-Lite Codec Pack.) It found 36 programs in all, which is a long way short of PSI, which found 96, including Windows, Office and tiddlers such as LeakTest and SpaceMonger.
SUMo takes “latest version” literally. For example, it told me that WinAmp had been updated from version 220.127.116.1107 to version 18.104.22.16816 and Everything from 22.214.171.1247 to 126.96.36.1995. Do I care? Not a lot. To be fair, it did class these as “minor updates”, but it’s not worth showing them unless a security fix is involved.
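The scan-and-compare approach these checkers use, and the major-versus-minor distinction just described, as an added PowerShell example that is not code from PSI, SUMo, Patch My PC or this column. It assumes a constructed table of "latest known" versions (a real checker would fetch one from a maintained database) and defines a minor update as one where only the build or revision number moves.

```powershell
# Added example, not from the column or any product it reviews: list installed
# programs from the Uninstall registry keys, compare against a constructed table
# of latest known versions, and flag whether each gap is a major or minor bump.
# Constructed sample feed; a real checker pulls this from a maintained database.
$LatestKnown = @{
    'CrystalDiskInfo' = '7.5.2'
    'Everything'      = '1.4.1'
    'WinAmp'          = '5.8'
}
function Get-InstalledPrograms {
    # 64-bit, 32-bit (WOW6432Node) and per-user installs all register here.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion
}
function ConvertTo-VersionSafe {
    param([string]$Text)
    # [version] wants 2-4 numeric parts; vendors ship '7.5.1 (x64)', '1.4.1.877 beta', '7'.
    $parts = @(($Text -replace '[^\d.]', '') -split '\.' | Where-Object { $_ } | Select-Object -First 4)
    while ($parts.Count -lt 2) { $parts += '0' }
    [version]($parts -join '.')
}
function Compare-ProgramVersion {
    param([string]$Installed, [string]$Latest)
    $i = ConvertTo-VersionSafe $Installed
    $l = ConvertTo-VersionSafe $Latest
    if ($i -ge $l) { return 'current' }
    # Major.Minor moved: a real release. Only build/revision moved: the kind of
    # bump not worth surfacing unless a security fix is involved.
    if ($i.Major -ne $l.Major -or $i.Minor -ne $l.Minor) { return 'major' }
    return 'minor'
}
Get-InstalledPrograms | ForEach-Object {
    $latest = $LatestKnown[$_.DisplayName]   # exact-name match; real feeds need fuzzier matching
    if ($latest) {
        [pscustomobject]@{
            Program   = $_.DisplayName; Installed = $_.DisplayVersion; Latest = $latest
            Status    = Compare-ProgramVersion $_.DisplayVersion $latest
        }
    }
} | Format-Table -AutoSize
```

Casting to [version] rather than comparing strings is what stops 7.10 being reported as older than 7.5, a mistake a naive checker makes.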
The major drawback becomes apparent when you select a program and click Get Update. This takes you to KC Softwares’ website, which tries to sell you SUMo Pro. If you don’t want to pay, you can follow a link to download the new version from the supplier’s website.
The price is reasonable. KC Softwares charges €14.99/£14.41 for one year of SUMo Pro for four PCs (same user) or €29.99/£28.82 for lifetime use.
Patch My PC does the job
The main alternative is Patch My PC, which reminds me of Ninite. In other words, it supports a limited number of programs – 302 at the current count – that it can install and update automatically. The result is a faster and nicer experience. (Ninite only supports 84 programs, or 120 in Ninite Pro, which includes multiple versions of some programs.)
Patch My PC only found 15 programs out of the 100 or so on my PC. This included four of my six browsers (Chrome, Firefox, Opera and Vivaldi), Microsoft’s .NET Framework, OneDrive and, amusingly enough, SUMo. It didn’t include, for example, FreeFileSync or Nvidia’s GeForce Experience.
Patch My PC suggested I needed to update CrystalDiskInfo from version 7.5.1 to 7.5.2, and one click did it silently and effectively. There is an option to make “silent installs” visible, if you like to see what’s going on.
Patch My PC also includes a Scheduler and an Uninstaller. The Scheduler lets you set a time to scan your PC, with nine options from daily to monthly. The Uninstaller looks quite useful. On my PC, it found dozens of things it could remove, including 30 different programs from Nvidia.
Patch My PC obviously has a more limited range than SUMo, and its usefulness will depend on the software you have installed. If you are running the Adobe utilities (Air, Flash, Reader) and Java JRE then it will be more useful to you than it is to me. (I never install them.) If you only have a handful of the 302 programs installed, then it’s probably not much use … though it might encourage you to try a few of them.
The real question is whether it leaves you at risk. If it doesn’t update most of your software then technically, perhaps, it does. However, malware writers usually target the low-hanging fruit. They are only really interested in programs that are relatively easy to exploit and widely installed. As well as the usual suspects, that includes Windows and Microsoft Office, because a lot of people – and some major organisations – don’t install all the security updates. Programs that are not in Patch My PC’s top 300 seem unlikely to be targeted, though do let me know if you think of any exceptions. Either way, failing to update Audiograbber, DoubleKiller, Pixresizer, SpaceMonger etc doesn’t seem like much of a security risk to me.
I’m planning to run both SUMo and Patch My PC until April 20 to see how they fare against PSI. The ones I’m uninstalling include FileHippo App Manager, Glary’s Software Update, Kaspersky’s Free Software Updater and Heimdal Free, though you could still give them a try.
FileHippo’s App Manager, previously known as Update Checker, isn’t bad. It could update 40 programs on my PC, and it installed updates quickly and painlessly. However, it found beta programs, which is silly for a security program, and it doesn’t scan your whole PC, just “the default locations for applications”. You have to add other locations separately. If you don’t fancy my choices, it’s the best of the rest.
I was disappointed with Glary’s Software Update, which tried to include Malware Hunter with its download. Like Patch My PC, it installs and updates a range of programs, but it only supports 133. Also, you have to install updates manually unless you buy the Pro version.
Kaspersky’s Updater didn’t provide a list of the programs it scanned and it found nothing to update.
At this point, I’d rather pay for PSI …