Study: Silent patching best for securing browsers

Google's decision to silently update the Chrome browser -- without the user's knowledge or consent -- has put the company at the head of the pack when it comes to securing modern Web browsers.

That's the big takeaway from a new study that argues that silent updaters are the most effective way to ensure the widest possible distribution of security patches. The study, conducted jointly by Google Switzerland and the Swiss Federal Institute of Technology, found that the auto-updaters that ship with Chrome and Mozilla's Firefox worked best at delivering patches, while the distribution mechanisms used by Microsoft, Opera and Apple left a lot to be desired.

For years, security practitioners have argued against silent patching, warning that end users should know -- and consent to -- what's being changed on their machines. According to this latest study, however, the silent updaters in browsers enhance security:

With silent updates, the user does not have to care about updates and system maintenance and the system stays most secure at any time. We think this is a reasonable default for most Internet users. Furthermore, silent updates are already well accepted for Internet Web applications.

...Our measurements prove that silent updates and little dependency on the underlying operating system are most effective to get users of Web browsers to surf the Web with the latest browser version. However, there is still room for improvement as we found. Google Chrome's advantageous silent update mechanism has been open sourced in April 2009. We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins.

[ SEE: Skeletons in Microsoft's Patch Day closet ]

The report called attention to Opera's weak patch release/update mechanism:

Opera browser users apparently don't update frequently. After three weeks of a new release, a disappointing maximum of 24% active daily users of Opera 9.x have the newest Opera browser installed. It's a pity that 76% of Opera 9.x users currently don't benefit from the security improvements and new features of new Opera versions within three weeks of its release. If some engineering time were spent on increasing update effectiveness instead of working on new features, this would eventually benefit many more users. We also recognize an outlier, namely Opera 9.61, which got replaced after nine days of its release.

Apple's Safari also fared poorly:

A mere maximum 53% share of Apple Safari 3.x Web browser users benefit from an update within three weeks of its release. With newer releases of Apple Safari 3.2.x versions, the update effectiveness drops considerably lower. The reason is that Apple put the bar higher to who is eligible for updates to Apple Safari 3.2.x by requiring Mac OS X Tiger 10.4.11 or higher or Mac OS X Leopard 10.5.5 or higher with Security Update 2008-007 installed. Given that Apple Safari 3.2.1 reaches only 33% on day 21 after release, that's an additional 20% of Apple Safari 3.x users that were left behind since Apple Safari 3.2.x came out.

"All in all, the poor update effectiveness of Apple Safari and Opera gives attackers plenty of time to use known exploits to attack users of outdated browsers," the researchers warned.

The researchers were not able to track Internet Explorer's update behavior because Microsoft reports only the major version number in the user agent string and omits the minor version number, so an up-to-date IE cannot be distinguished from an outdated one in Web server logs.

However, the study called on Microsoft to rethink its Patch Tuesday release cycle for Internet Explorer updates:

A fixed patch schedule mainly benefits the patch management processes of larger corporations - organizations which are typically better protected against Internet threats than the masses of individual users. Based on our measurements and the evolution of the threats towards end-users we suggest that software vendors release patches for attack exposed applications, such as Web browsers and plug-ins, as soon as they are available - while keeping a patch schedule for less attack exposed applications. We believe that there is room for a better trade-off to benefit overall security.
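The percentages quoted above come from one measurement idea: read the browser version out of each request's User-Agent string, then track day by day what fraction of a browser's users already run the newest release, with Internet Explorer dropped because its User-Agent string is too coarse. The following Python is an added illustration of that method written for this page; it is not the researchers' tooling. The log records, request counts, version numbers and User-Agent strings are constructed, the family names and the 50% threshold are my own choices, and the regular expressions cover only the browser generations the article discusses.

```python
import re
from collections import defaultdict

# Browser families in the order they must be tested. Opera is tested first
# because some Opera user agents also contain "MSIE"; Chrome precedes Safari
# because Chrome user agents also end in "Safari/...". Internet Explorer is
# flagged as not measurable: its user agent carries the major version only,
# which is the limitation the article describes for the study.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)"), True),
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)*)"), True),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)"), True),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/"), True),
    ("Internet Explorer", re.compile(r"MSIE (\d+)"), False),
]


def parse_browser(ua):
    """Return (family, version tuple, measurable) for a User-Agent string,
    or None if the string belongs to no family we track."""
    for family, pattern, measurable in UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            version = tuple(int(part) for part in match.group(1).split("."))
            return family, version, measurable
    return None


def daily_update_share(records, family, newest):
    """For each day offset since a release, the fraction of `family` requests
    that already run `newest` (or later). Returns None when the family's
    user agent is too coarse to tell updated from outdated users."""
    seen = defaultdict(int)
    updated = defaultdict(int)
    for day, ua in records:
        parsed = parse_browser(ua)
        if parsed is None or parsed[0] != family:
            continue
        _, version, measurable = parsed
        if not measurable:
            return None
        seen[day] += 1
        if version >= newest:
            updated[day] += 1
    return {day: updated[day] / seen[day] for day in sorted(seen)}


def days_to_reach(shares, threshold):
    """First day offset on which the updated share reaches `threshold`,
    or None if it never does within the observed window."""
    for day, share in sorted(shares.items()):
        if share >= threshold:
            return day
    return None


# Constructed sample traffic: (day offset since release, request count, UA).
# Invented for this example; the counts and versions are not the study's data.
CHROME_NEW = "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.28 Safari/530.5"
CHROME_OLD = "Mozilla/5.0 (Windows; U; Windows NT 5.1) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.8 Safari/530.5"
OPERA_NEW = "Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"
OPERA_OLD = "Opera/9.52 (Windows NT 5.1; U; en)"
IE_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
SAFARI_UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-us) AppleWebKit/528.16 (KHTML, like Gecko) Version/4.0 Safari/528.16"

SAMPLE_ROWS = [
    (0, 2, CHROME_NEW), (0, 3, CHROME_OLD),
    (1, 4, CHROME_NEW), (1, 1, CHROME_OLD),
    (0, 1, OPERA_NEW), (0, 4, OPERA_OLD),
    (21, 1, OPERA_NEW), (21, 3, OPERA_OLD),
    (0, 5, IE_UA),
    (0, 2, SAFARI_UA),
]

# Expand the per-row counts into one (day, ua) record per request.
SAMPLE_LOG = [(day, ua) for day, count, ua in SAMPLE_ROWS for _ in range(count)]


if __name__ == "__main__":
    for family, newest in (("Chrome", (2, 0, 172, 28)), ("Opera", (9, 64)),
                           ("Internet Explorer", (8,))):
        shares = daily_update_share(SAMPLE_LOG, family, newest)
        if shares is None:
            print(f"{family}: not measurable from the user agent string")
        else:
            print(f"{family}: {shares}, first day at or above 50%: "
                  f"{days_to_reach(shares, 0.5)}")
```

Two things worth noticing when running it: the version comparison is on integer tuples, so "2.0.172.8" correctly sorts below "2.0.172.28" (a string comparison would get this wrong), and the Internet Explorer case returns None rather than a misleading 100%, which is the honest answer when the User-Agent string does not carry enough detail.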

Topics: Apple, Browser, Operating Systems, Security

Talkback

187 comments
  • Unreal

    if any other company tried this crap, they'd be crucified. Google is the
    Obama of the tech world. It can do anything and people still love it.
    frgough
    • Google protects against malware

      But everything Google produces is spyware!
      jorjitop
      • But Google Says Its Spyware Free

        Then again, people actually buy that.
        Let's see if I have this right. ALL a company has to do is say "No spyware! No malware" and people will download it? They are going to accept the word of a company that would steal your info, just because THEY say it's spyware free?
        Good luck with that one.
        LegendsOfBatman
        • Google analytics says otherwise

          I guess it's a matter of what's tech chic nowadays. I'd never use Chrome because of it.
          hasta la Vista, bah-bie
          • You'd not use something just because

            you have to change one single option in it to make
            it work the way you want? Sad.
            AzuMao
          • What's so sad about that?

            What's even sadder is you're a sheeple who allows google's spyware to collect all sorts of information about you.

            If you have no problem being put on spam lists, then I say go for it. But don't patronize others because they see it otherwise.
            ubiquitous one
          • Can't read huh?

            Or just playing dumb on purpose?

            There's a checkbox, you untick it, "problem"
            solved. Or is that too complicated for you MS
            fanbois?

            P.S. I do have no problem being on spam lists,
            mainly because gmail works great at filtering
            out spam, and thunderbird catches anything it
            misses.
            AzuMao
          • You trust that?

            lol... :D

            [i]Or just playing dumb on purpose?[/i]

            No, I'm just enlightening you as to why I don't put my faith in a company whose sole interest is to throw a few hip, chic freebies your way in order to make you part of their captive audience.

            [i]There's a checkbox, you untick it, "problem"
            solved. Or is that to complicated for you MS
            fanbois?[/i]

            Yeh, and I have a bridge to sell you. Wholesale. Unless you believe in their dummy check boxes. lol again...

            Which is also why I use the CustomizeGoogle extension in Firefox.

            https://addons.mozilla.org/en-US/firefox/addon/743

            It's not 100% foolproof, but it does cut down on the information that Google gathers about people's surfing habits. With an average of 16,000 downloads of it per week, I'd say it's good cause for concern for a lot of people.

            [i]P.S. I do have no problem being on spam lists,mainly because gmail works great at filtering out spam, and thunderbird catches anything it misses.[/i]

            There's other spam out there besides email. Even crappy hotmail and yahoo have gotten a lot better about spam in recent years.

            Oh yes, and I have a gmail account, too. Don't use it much, though...
            Wintel BSOD
          • Okay...

            Thanks for "enlightening me" that I'm being spammed. I never would have realized it without you. I guess since the spam never reaches my inbox I have no reason to care about it. Not sure how this is "blind faith", though, since the (lack) of spam is easy to see with my own eyes.

            But, hey, to each his own. You keep on hating for no reason, doesn't change a thing.

            Edit: never mind, I get it now. You were just being sarcastic. Sorry I didn't get it sooner, sarcasm conveys very poorly over the net these days.
            AzuMao
          • Okay

            [i]Thanks for "enlightening me" that I'm being
            spammed.[/i]

            You're welcome. lol...

            [i]I never would have realized it without
            you. I guess since the spam never reaches my
            inbox I have no reason to care about it.[/i]

            Glad to hear that your filters are working. God knows we don't have to add more, now do we...

            [i]Not sure how this is "blind faith", though, since the (lack) of spam is easy to see with my own eyes.[/i]

            Well how about this. I don't appreciate a company holding on to my surfing habits for over a year with my IP attached to it, and then targeting ads towards where I go and what I do. I do not believe they are a benevolent corporation, looking out for my own good. Capice?

            If you have blind faith in them and think nothing of it, then Google's the right corporation for you. Go for it.

            [i]But, hey, to each his own. You keep on hating for no reason, doesn't change a thing.[/i]

            There's valid reasons out there. You're just in denial, that's all.

            http://en.wikipedia.org/wiki/Criticism_of_Google
            [i]Edit: never mind, I get it now. You were just being sarcastic. Sorry I didn't get it sooner, sarcasm conveys very poorly over the net these days.[/i]

            Why apologize. I was only [b]partially[/b] being sarcastic, just as you were with your last Edit statement here. I pretty much meant every word I said.
            Wintel BSOD
          • Huh?

            I thought they recorded your search history no
            matter what browser you used. Not on blind faith
            though, just on common sense; if they are going to
            record searches on their site, why only do it for
            one browser? I read the page you sent me, but it
            didn't back up your claim at all. You can call
            this denial if you want, but it's just reading
            comprehension.
            AzuMao
          • What is it you don't understand?

            You wanted examples why I don't trust Google, I gave them to you. You choose not to believe them, that's your thing, not mine.

            [i]I thought they recorded your search history no matter what browser you used. Not on blind faith though, just on common sense; if they are going to record searches on their site, why only do it for one browser?[/i]

            They don't, but why should I afford them an opportunity to include their own spyware in the browser they supply?

            As I mentioned before, FF has a neat little plug-in that defeats a lot of what you'd normally have to deal with when it comes to Google, even without Chrome.

            [i]I read the page you sent me, but it
            didn't back up your claim at all. You can call
            this denial if you want, but it's just reading
            comprehension.[/i]

            You asked me why I hated them, I supplied you the reasons for it. Try not to be too obfuscating about it, k? You aren't even very good about it.
            Wintel BSOD
          • No..

            I wanted examples of what was so bad about Chrome,
            since you were obviously being sarcastic and
            implying it was spyware/malware. But all you did
            was link some page about some people being upset
            over their search engine logging searches. How is
            that even relevant at all? You can change the
            search engine Chrome uses to something else you
            know. Takes all of four left clicks. Seven if it
            isn't on the list.
            AzuMao
          • Yes

            Gee, you want more proof?

            http://news.cnet.com/8301-17939_109-10032047-2.html

            http://blogoscoped.com/archive/2008-09-07-n33.html

            Then they had to do this when the heat got too tough...

            http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9114369&intsrc=hm_list

            Will Chrome allow you to block Google's own ads with an Adblock-like plugin?

            How about Flash Block?

            Or NoScript?

            I really don't understand why some people think Google's so great beyond their search engine. I've been totally unimpressed with what I've seen so far.
            Wintel BSOD
          • "More"?

            You haven't provided any so far...


            The first link is just a repeat of what I've already
            answered, as is the third. The second is "Oh no,
            Google has become very popular, so maybe they will
            take over the world!!".. get real.
            AzuMao
    • MS Did It, Got Crucified

      Something like 2 years ago, MS was silently updating the Windows Updater, and it caused some problems with both MS apps and 3rd party software. Microsoft was beaten up heavily over the whole issue of installing updates of any sort without user approval.

      Frankly, no software should ever update itself or install any components without user approval. This is unacceptable, no matter what the intentions of the developers. One more example of how Naraine's losing it recently.

      Like his recent announcement of the first Mac Botnet. He only missed it by 3 years. http://voices.washingtonpost.com/securityfix/2006/03/when_macs_attack.html
      Snagglegaster-19929872174467528481394836508114
      • That's exactly what I was thinking.....

        MS sent out a few "silent upgrades" and did get crucified by the press, corporate, and security consultants.

        Microsoft's actions were branded a "conspiracy" and soon every "tin foil hat" out there was suggesting that MS was injecting unknown code into your system to track your every movement. (very little sarcasm) ;)

        So I guess whatever Google does is "goodness" and whatever Microsoft does is "badness".

        This definitely relegates Chrome to the "know nothings" that won't know what broke the application they use on the web, but then I guess Google doesn't care because all they are supposed to be using are Google Apps.

        It is ridiculous to say silent patching is a good practice. It's only a good practice when you don't want the IT personnel to know how botched the code was to start with or what vectors were open to malware injection.
        dunn@...
        • "goodness"

          Of COURSE whatever Google does is "goodness". Their very corporate SLOGAN is "Do no evil" RIGHT??? (Massive sarcasm) ;-)
          CitizenW
        • invisible updates are fine with me, so long as the vendor is trusted

          MS lost the world's trust years ago because they kept releasing broken patches. It's going to be many years of flawless patch releases before they earn that trust back. I'm a little upset with Firefox right now after the botched 3.0.9 release, but for the most part their patches are safe. My Linux box is set to update every night because I trust the vendor. Those patches are not only tested by the folks releasing the software, but also by my distro's package maintainer.

          I would honestly like to see every web browser set to invisible update. Likewise for the plugins, firewalls, virus scanners, malware scanners and all operating system security patches.
          brokndodge@...
          • It's not like there's some kind of problem even if they aren't.

            It's optional. If you don't want auto updates,
            disable auto updates. It's just a default setting
            (so that idiots don't run around with outdated
            browsers and get infected by god knows what), not
            mandatory.
            AzuMao