Microsoft announces plans to silently update Internet Explorer

Microsoft is to provide silent updates to Internet Explorer in what it calls "an enormous step in helping to maneuver the internet forward".

According to an announcement by Ryan Gavin, general manager of Internet Explorer business and marketing, customers in Australia and Brazil who've turned on automatic updating via Windows Update stands out as the first to get the updates.

“Similar to our release of IE9 earlier this year, we're going to take a measured approach, scaling up over the years. As always, when upgrading from one version of Internet Explorer to the following through Windows Update, the user's home page, search provider, and default browser remains unchanged,” said Gavin.

“We need to make updating to the right protection possible as fast and straightforward as we are able to for Windows customers. Internet Explorer is how millions of Windows customers hook up with the online, so keeping that portion of Windows updated all the time is important to keeping them safe online. With automatic updates enabled through Windows Update, customers can receive IE9 and future versions of Internet Explorer seamlessly with none ‘update fatigue' issues.”

Enterprises could be ready to update their browsers on their schedule, and Gavin said the net Explorer 8 and 9 Automatic Update Blocker toolkits will prevent upgrades for Windows customers who do not need them.

“We firmly believe that IE9 is essentially the mostsome of the most compelling browser for business customers, and we'd like them to make the call to upgrade at their convenience,” he said.

“Similarly, customers who've declined previous installations of IE8 or IE9 through Windows Update shouldn't be automatically updated. Customers find a way to uninstall updates and continue to receive support for the version of IE that came with their copy of Windows.”

Consumers may also have the opportunity to block the update and upgrade manually.

Microsoft said it built IE9 with a focus on modern web standards and interoperability so developers could spend less time coding for specific browsers and concentrate on building 'the next big thing at the web'. The beta launch of IE9 in September 2010 was noted for its similar features to Google Chrome, and follows Google's move to silently update Chrome.

Talking to SC Magazine, Paul Henry, security and forensic analyst at Lumension, said that instead of replicating Google, Microsoft is just doing what's essential to reduce risk.

Asked if this may be better for IT managers, Henry said: “Web browsers became a first threat vector and barely require a reboot after a patch, making them a very good candidate for automated patching to cut back the respective threat envelope. That being said, there's still the difficulty of third party add-ons to the browser that this would not address.

“The impact on users might be minimal; however, the impact on an enormous community of users might possibly be large when it comes to bandwidth. It truly is assumed flaw remediation vendors will quickly move to adding order to the method for you to handle distribution from a centralised server to cut back or a minimum of control the impact.”

Wolfgang Kandek, CTO of Qualys, called this "good security news" because it will eliminate the pop-up window that currently allows users to opt-out or postpone the update.

He said: “Being at the newest possible Internet Explorer (IE8 on WIndows XP, IE9 on Vista/Win7) brings a major increase in security and robustness to malware infections due to the better architecture, sandboxing and the included URL filtering feature.

“Overall this variation is in keeping with the brand new update mechanisms coming in Windows 8, so as to make the general update experience much smoother for Windows users. As expected, Enterprise users that control their patches tightly is probably not plagued by the change; they can continue to have full control over the versions in their browsers.

“For anybody interested by staying on their old browser, Blocker Toolkits for both IE8 and IE9 upgrades can be found for download at Microsoft and their settings will remain honored.”

Jeremiah Grossman, chief technology officer and founder of WhiteHat Security, said: “Automatic updates are an effective idea according to every bit of security research I've seen. Keeping software modern, particularly web browsers, is necessary for online security. With that during mind, I'm pleased that Microsoft is moving toward an automated update model, particularly since their approach balances the desires of enterprise customers who still want a mechanism to regulate software updates.”

Jason Miller, manager of analysis and development at VMware, said: “As Microsoft stated, the number 1 attack vector to take advantage of vulnerabilities is thru browsers. Currently, Microsoft releases updates for his or her Internet Explorer browser bi-monthly but this can be a long period between updates.

“However, very rarely, Microsoft will release a patch out-of-band if there's a zero-day exploit it really is actively being exploited inside the wild. Inside the last three years, Microsoft has gone out-of-band to release an update for Internet Explorer independent of Patch Tuesday 3 times.

“Releasing new versions of the browser more often will greatly increase the safety of network computers and their browsers. One of the crucial challenges administrators will face is understanding when these updates are released. Currently, administrators know an update for Internet Explorer will fall at the second Tuesday of each other month. By releasing out of cycle, the upkeep window is larger and will potentially impact both administrators and users. If Microsoft takes the pace of releasing new updates on the pace of Google, administrators might want to greatly expand their patch maintenance window.”

Asked if this move spelt the start of the top of Patch Tuesday, Henry said: “No â€" for OS-level patches and a few application patches you've got the difficulty of reboots to think of. Further, many applications allow user extensions that may be broken with a patch. Simply put, we'd like a stronger sense of order and that i don't see that being ‘set on auto pilot' any time soon.”