Microsoft announces plans to silently update Internet Explorer
Microsoft is to offer silent updates to Internet Explorer in what it calls "an important step in helping to move the web forward".
According to a statement by Ryan Gavin, general manager of Internet Explorer business and marketing, customers in Australia and Brazil who have turned on automatic updating via Windows Update will be the first to get the updates.
“Similar to our release of IE9 earlier this year, we will take a measured approach, scaling up over time. As always, when upgrading from one version of Internet Explorer to the next through Windows Update, the user's home page, search provider, and default browser remain unchanged,” said Gavin.
“We want to make updating to the best protection possible as fast and simple as we can for Windows customers. Internet Explorer is how millions of Windows customers connect to the web, so keeping that part of Windows updated at all times is critical to keeping them safe online. With automatic updates enabled through Windows Update, customers can receive IE9 and future versions of Internet Explorer seamlessly without any ‘update fatigue’ issues.”
Enterprises will be able to update their browsers on their schedule, and Gavin said the Internet Explorer 8 and 9 Automatic Update Blocker toolkits will prevent upgrades for Windows customers who do not want them.
“We firmly believe that IE9 is the most compelling browser for business customers, and we want them to make the decision to upgrade at their convenience,” he said.
“Similarly, customers who have declined previous installations of IE8 or IE9 through Windows Update will not be automatically updated. Customers have the ability to uninstall updates and continue to receive support for the version of IE that came with their copy of Windows.”
Consumers will also have the option to block the update and upgrade manually.
Microsoft said it built IE9 with a focus on modern web standards and interoperability so developers could spend less time coding for specific browsers and focus on building 'the next big thing on the web'. The beta launch of IE9 in September 2010 was noted for its similar features to Google Chrome, and follows Google's move to silently update Chrome.
Talking to SC Magazine, Paul Henry, security and forensic analyst at Lumension, said that rather than replicating Google, Microsoft is simply doing what is necessary to reduce risk.
Asked if this will be better for IT managers, Henry said: “Web browsers have become a primary threat vector and rarely require a reboot after a patch, making them a great candidate for automated patching to reduce the respective threat envelope. That being said, there is still the issue of third party add-ons to the browser that this will not address.
“The impact on users will be minimal; however, the impact on a large community of users could be large in terms of bandwidth. It is assumed flaw remediation vendors will quickly move to adding order to the process in order to handle distribution from a centralised server to reduce or at least control the impact.”
Wolfgang Kandek, CTO of Qualys, called this "good security news" as it will eliminate the pop-up window that currently allows users to opt-out or postpone the update.
He said: “Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness to malware infections due to better architecture, sandboxing and the included URL filtering feature.
“Overall this change is in line with the new update mechanisms coming in Windows 8, which will make the overall update experience much smoother for Windows users. As expected, Enterprise users that control their patches tightly will not be affected by the change; they will continue to have full control over the versions of their browsers.”
Jason Miller, manager of research and development at VMware, said: “As Microsoft stated, the number one attack vector to exploit vulnerabilities is through browsers. Currently, Microsoft releases updates for their Internet Explorer browser bi-monthly but this is a long period between updates.
“However, very rarely, Microsoft will release a patch out-of-band if there is a zero-day exploit that is actively being exploited in the wild. In the last three years, Microsoft has gone out-of-band to release an update for Internet Explorer independent of Patch Tuesday three times.
“Releasing new versions of the browser more often will greatly increase the security of network computers and their browsers. One of the challenges administrators will face is knowing when these updates are released. Currently, administrators know an update for Internet Explorer will fall on the second Tuesday of every other month. By releasing out of cycle, the maintenance window is greater and could potentially impact both administrators and users. If Microsoft takes the pace of releasing new updates at the pace of Google, administrators will need to greatly expand their patch maintenance window.”
Asked if this move spelt the beginning of the end of Patch Tuesday, Henry said: “No – for OS-level patches and some application patches you have the issue of reboots to consider. Further, many applications allow user extensions that can be broken with a patch. Simply put, we need a better sense of order and I do not see that being ‘set on auto pilot’ any time soon.”