WINDOWS SECURITY: AN OXYMORON?….Rob Pegoraro has a pretty good column in the Washington Post today about the security holes built into Windows that make it so vulnerable to worms and viruses. Virus writers don’t target Windows just because it has the biggest installed base, he says, but also because Windows is inherently more vulnerable.

I think he underestimates the network effects inherent in Windows’ huge installed base, but he still makes some good points about Microsoft’s poor design decisions. At the same time, he also chides users for not keeping their systems up to date:

Part of this is users’ fault. “Critical updates” are called that for a reason, and it’s foolish to ignore them. (The same goes for not installing and updating anti-virus software.)

The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit. And for those saying they don’t trust Microsoft to fix their systems, I have one question: If you don’t trust this company, why did you give it your money?

Microsoft, however, must share blame, too. Windows XP’s pop-up invitations to use Windows Update must compete for attention with all of XP’s other, less important nags — get a Passport account, take a tour of XP, hide unused desktop icons, blah, blah, blah.

In this case, I think he’s actually letting Microsoft off the hook too easily. Here’s my story:

A couple of weeks ago I heard about the Blaster worm and decided to get the patch. No dice: I couldn’t install the patch unless I first installed Service Pack 1. That didn’t look too bad, though, so I went ahead and clicked “Install.”

Looks can be deceiving. The 3 MB file turned out to be only the loader for another file that weighed in at 30 MB. On a dial-up connection, which is what most people have, that would have taken an hour and a half to download.

But hey, I’m one of the fortunate few, so while it was annoying that it was much bigger than I expected, it only took about 10 minutes to download.

Then 10 minutes to do a system check.

Then 10 minutes to install.

Then 10 minutes to clean up.

Then 10 minutes to shut down and reboot a couple of times.

And when it was finally all done, and I had spent an hour on something that I thought would take five minutes, my connection to the internet was hosed and I couldn’t go back to the Microsoft site to get the patch I wanted in the first place. By the next morning, when I finally got my internet connection back up, I wanted nothing more to do with this, especially since SP1 mysteriously screwed something up that makes it more difficult than before to switch email accounts in Outlook.

(Actually, what it really did was change a default setting that made it impossible to switch accounts. Microsoft doesn’t seem to understand that 90% of its users have no clue how to fix something like this.)

Anyway, after reading up on Blaster I discovered that you’re safe as long as you’re running a firewall, which I am. It turns out I didn’t need the patch in the first place.

So yes: considering the amount of crap that Windows pesters us with every day, yet another “critical” update just isn’t likely to sink in. And even if it does, I try to avoid Microsoft patches anyway. Pegoraro might think that “The chance of a patch wrecking Windows is dwarfed by the odds that an unpatched PC will get hit,” but my experience is considerably different. These days, unless I have a problem so serious that I just absolutely have to install a patch, my motto is to leave well enough alone and pray that things continue working.

There’s not much that Microsoft can do to prevent people from opening email attachments, but there’s a lot they could do to make Windows PCs more secure, easier to update, and less tolerant of aberrant behavior. The bottom line, though, is that they just don’t seem willing to do it.

POSTSCRIPT: Feel free to do all the Microsoft bashing you want in comments, but please don’t turn it into yet another tiresome Windows vs. Mac thread. Most of us Windows users actually have excellent reasons for our choice of operating system, and hearing about the alleged superiority of Macs for the thousandth time won’t change that. So please please please: just don’t do it. OK?

POSTSCRIPT 2: That goes for Windows vs. Linux too.