
30 March 2013

Software Fragmentation

Software version fragmentation refers to the disparate versions of software installed across the user/install base. Fragmentation occurs primarily because end users do not update or patch their software to the latest version. Fragmentation has been in the popular news lately - firstly with regard to mobile operating systems (where Apple's iOS is probably the least fragmented mass-used software platform, and Android seems to be heading in the opposite direction); and secondly with regard to Java virtual machines (which is actually under-reported, as most reports only cover the PC-based JVMs, and not the other JVMs out there, such as mobile or embedded JVMs; not to mention the non-Sun/Oracle JVMs).

Not being on the latest version is not necessarily a problem - the recent JVM vulnerability was most widely exploited on the latest versions. Likewise, there are now very few exploited vulnerabilities on deprecated Microsoft operating systems, such as Windows 2000 - and there are many of those still out there. But in the majority of cases, not being on the latest version implies that there are potentially vulnerabilities in the software that can be exploited.

While operating system and JVM fragmentation is discussed quite frequently, fragmentation in common applications is, I think, a bigger problem. Consider Adobe Acrobat Reader - the latest version is 11.0.2, but how many users are actually on this version? How many are on version 9 or earlier? In an investigation I did for a client earlier this year, less than 0.5% of the install base for either Adobe Reader or Adobe Flash was on the latest version - and over 50% of the install base was at least 2 versions behind. Not to mention that some really old versions of the software existed across the user base.
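The kind of measurement described above can be produced from a software inventory export. The following is an added example (not the author's own tooling) that computes, per product, the share of hosts on the latest version and the share at least two major versions behind; the inventory rows are constructed sample data, and only Adobe Reader 11.0.2 (the version the post cites) is used as the "latest" reference.

```python
from collections import Counter

# Constructed sample inventory: one (product, version) row per host, in the
# shape an endpoint-management export might give. Not real data.
INVENTORY = [
    ("Adobe Reader", "11.0.2"), ("Adobe Reader", "11.0.1"),
    ("Adobe Reader", "10.1.4"), ("Adobe Reader", "10.1.6"),
    ("Adobe Reader", "9.5.3"),  ("Adobe Reader", "9.3.0"),
    ("Adobe Reader", "9.5.3"),  ("Adobe Reader", "8.1.2"),
]
# Latest release per product; 11.0.2 is the version named in the post.
LATEST = {"Adobe Reader": "11.0.2"}


def parse_version(v):
    """Turn a dotted numeric version string into a comparable tuple.
    Assumes purely numeric components (true for the Reader versions here)."""
    return tuple(int(part) for part in v.split("."))


def fragmentation_report(inventory, latest):
    """Per product: host count, % on the latest version, % at least two
    major versions behind, and a histogram of major versions in use."""
    by_product = {}
    for product, version in inventory:
        by_product.setdefault(product, []).append(parse_version(version))

    report = {}
    for product, versions in by_product.items():
        latest_v = parse_version(latest[product])
        n = len(versions)
        on_latest = sum(1 for v in versions if v == latest_v)
        # "Two versions behind" measured on the major component only.
        two_behind = sum(1 for v in versions if latest_v[0] - v[0] >= 2)
        majors = Counter(v[0] for v in versions)
        report[product] = {
            "hosts": n,
            "pct_latest": round(100.0 * on_latest / n, 1),
            "pct_two_major_behind": round(100.0 * two_behind / n, 1),
            "majors": dict(sorted(majors.items())),
        }
    return report


if __name__ == "__main__":
    for product, stats in fragmentation_report(INVENTORY, LATEST).items():
        print(product, stats)
```

On the sample data this reports 12.5% of hosts on 11.0.2 and 50% two or more major versions behind, which is the shape of result the post describes for a real install base.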

The problem with keeping software up to date is that it seems to be incredibly difficult on a large scale. It is not that there are no auto-updates - but there are lingering problems with dependencies (updating the JVM requires all applications that run on the JVM to still work, and applications like Adobe Reader and Flash are integrated into other applications); and some users just don't update. There are other mitigations, such as host IPS, but there is not a lot of widespread usage of these technologies.

It seems that the platforms that have managed to achieve the least fragmentation are the tightly controlled and integrated platforms - those that connect to the Internet and offer updates easily. Is the Apple, Xbox, PlayStation model the way of the future?
