Should Microsoft decouple IE from Patch Tuesday?

Summary: A security researcher wants Microsoft to follow the lead of other browser makers and start fixing Internet Explorer security problems outside of the Patch Tuesday cycle to help contain the Windows malware epidemic.

According to Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, IE's dominant user base and high risk profile expose Windows users to a wide range of malicious hacker attacks, but, despite years of warnings, business users are not rushing to install IE patches ahead of other critical updates (see chart below).

The chart, based on data collected by Qualys over the last six months, shows that critical IE patches are applied at very much the same speed as other high-priority updates.

I had a chat with Kandek about his findings and he was adamant that the risk presented by a critical IE vulnerability is higher than another critical flaw in another piece of software that doesn't interact directly with the Internet.

  • "Every month when Microsoft issues its security advisories we get asked what patch to apply first. Typically we are reluctant to elevate one vulnerability over the other, however looking at the 2008 data we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first. The browser is the heaviest used software application that interacts with the Internet, the most likely source of malicious content. It is not only used for professional purposes but also in private interactions – e-commerce, social networking, private e-mail, etc. Browser patches are heavily tested by Microsoft and unlikely to break any existing functionality on the desktop."

Unfortunately, Kandek says the vulnerability data shows that companies treat browser patches just like all other patches -- their deployment cycle correlates very closely with other critical patches.

The answer? Kandek argues that Microsoft should borrow from the Mozilla Firefox playbook and fit an automatic-update utility directly into IE to handle patching on the fly.

"Think about it. There's a very big exposure area. Hackers are increasingly targeting the browser. Enterprises are on a tight patch schedule. If IE got moved out of Patch Tuesday, won't it be better?" he added.

"Patches would be deployed faster and we would have a healthier IE population," Kandek added, noting that IE add-ons like Flash and other media players would benefit from an automatic update tool embedded in the browser.

The Qualys data was culled from 9.5 million IP scans per month.

* Hat tip to Gregg Keizer at ComputerWorld.

Talkback

14 comments
  • that's an excellent idea

    And Microsoft should just copy what Firefox does with the patch cycle. It would probably nip a few security issues in the bud.
    Larry Dignan
    • A Thought

      I wonder, is today's IE sufficiently decoupled from the operating system that an automatic or semi-automatic update can occur without side effect to other applications? With Firefox, I think we can be pretty sure that the consequences of a bad patch would be confined to Firefox.

      If IE is orthogonal, then the push patching would be a good idea.
      DannyO_0x98
    • Better idea...

      Decouple IE from the operating system.... period. Users should be allowed to remove IE completely and install a different browser. If you want IE, then great.... but I don't.
      shawkins
  • I agree.

    It *is* an excellent idea. I've seen some people here deselect IE patches from Windows Update so their updates don't take as long. I think they'd be less likely to this way.
    clfitz
  • Do you hear that, Microsoft?

    Learn from the professionals. It's really sad that an 800lb Gorilla like Microsoft has to take lessons from the new kids on the block.
    Intellihence
  • I say decouple Tuesdays from patches.

    Frankly, the whole scheduled patches thing was a bad idea. No good came from it - it only created zero day exploits.
    CobraA1
    • Learn from History

      All of these folks that say 'it's a good idea to have patches come out whenever' I'm guessing did not patch 5 years ago when they did indeed do just that.

      It wasn't fun. You never knew when you'd be patching.

      No good came from that era either. Look back in history. We did that. It didn't work either.
      Bitzie
  • RE: Should Microsoft decouple IE from Patch Tuesday?

    The first thing they need to do is rebuild IE, from the ground up, and make security the number one priority. IE has always been the most unsecure browser on the planet, and will remain so until it is changed.
    ator1940
  • Good but possibly bad

    There's a lot of EMR and finance apps that require IE that I work with regularly. If MS automatically patched a vulnerability it could wreak havoc. These software companies are usually smaller, specialized companies who often have somewhat shoddy code. They may be using something that gets corrected in the browser. I could only imagine coming back from lunch one day with 5 clients on the phone at once because their software suddenly doesn't work.

    I say do it, but let admins still control it with WSUS. It would be WAY better for the consumer and most small offices.
    LiquidLearner
    • How do you test today?

      LiquidLearner,

      that is a good point, it makes sense to have admins override the patch schedules, but the default should be patch immediately. I have 1 application myself that only works under IE as well, however it never broke because of an IE patch.

      How do you deal with IE patches today, do you test them before they get deployed? How often have they broken your applications?

      wkandek@...
  • RE: Should Microsoft decouple IE from Patch Tuesday?

    Not only from patch Tues. but from the OS. The only reason for it to be in the OS was to kill Netscape which it did. Some browsers use bits and pieces of IE to function. If IE is decoupled, then some browsers would need a rewrite to be functional as a standalone entity. Hopefully they would be more secure as a standalone.
    Disgruntled_MS_User
  • Decouple IE from the OS

    If the damned browser wasn't wormed into Windows, then Windows would be less open to and less EASY to attack. (see Lin*x; Mac; Unix et al - even old os/2!)
    maxfried
  • RE: Should Microsoft decouple IE from Patch Tuesday?

    Those are less vulnerable, because of their relatively small market share. And last time I checked, every Mac came with a copy of Safari.

    Your mistake is thinking that the reason that Windows is attacked so much is because it's easy. It's attacked, because no other platform can generate as much money for the attackers as windows.

    90% of the market means a very small percentage of machines has to be infected to exceed what could be generated on any other platform.

    It's a numbers game, just like Telemarketing used to be.
    notsofast