Why Microsoft has to open Windows Update to third-party developers
By Larry Seltzer
There's a lot of confusion out there about when attacks against computers occur as a result of vulnerabilities in software as opposed to some other weakness, usually social engineering. Considerable progress has been made in protection against vulnerabilities on Windows, and we can make exploitation even harder if Microsoft can be talked into my scheme: open up Windows Update to third-party applications.
My own opinion is that social engineering is far more important than vulnerabilities and has been increasing in importance. One reason for this is that vulnerabilities are a harder target than they used to be, and that's in large part because of the work Microsoft has done over the last 6 or 7 years.
Microsoft still reports vulnerabilities in Windows and some of them are serious, but as far as I know, there haven't been any widely exploited vulnerabilities in Windows Vista or Windows 7. This is partly because those versions have fewer and less severe vulnerabilities than the steaming pile of crap we call Windows XP, but also because Windows Update works better and is more aggressive by default on those versions.
As Secunia's 2010 end-of-year report makes clear, all the growth in vulnerabilities, including in severity, is in third-party software. Have you ever tried to update all the third-party software on your system? It's hard, time-consuming, and sometimes you don't know where to start or stop. Plus there's the whole "is this a legit update?" question.
There is a way to make this better, and Microsoft can make it happen. The answer is to open "Windows Update