Microsoft, beginning in January, will automatically upgrade Windows customers to the latest version of IE available for their PC, Ryan Gavin, senior director of IE, said in a blog post Thursday. The Redmond, Wash.-based computing giant's move to embrace what is known as “silent updates” follows actions already taken by Google, which pioneered the concept for its Chrome web browser in 2009, and Mozilla, which announced recently it is working on a mechanism for automatic Firefox updates.
Microsoft is aiming to better protect users from threats, such as social-engineered malware, which often targets out-of-date web browsers, Gavin said.
“The web overall is better – and safer – when more people run the most up-to-date browser,” he wrote. “Our goal is to make sure that Windows customers have the most up-to-date and safest browsing experience possible, with the best protections against malicious software, such as malware.”
Industry experts agreed that silent updates are a step forward for security.
“Silent updating is generally seen as a big improvement to security on the internet,” Wolfgang Kandek, CTO of vulnerability management firm Qualys, wrote in a blog post Thursday.
Kandek referenced a study conducted by researchers at the Swiss technical university ETH, which found that 97 percent of Chrome users updated their browser within three weeks of a new version release, compared to 85 percent of Firefox users, 53 percent of those using Apple Safari, and 24 percent of Opera users. Silent updates allow systems to stay secure “most of the time,” take some of the onus for security off users, and shorten the window of opportunity attackers have to use known exploits against outdated browsers, according to the study.
Microsoft said that beginning in January, IE will be silently upgraded for customers who have opted in to automatic updates on the Windows Update service. It will begin first with customers in Australia and Brazil, then “take a measured approach, scaling up over time.” The silent update will eliminate the pop-up window that currently allows users to opt out or postpone available browser upgrades, Kandek said.
Users who have declined previous installations of IE8 and 9 will not be automatically updated. Additionally, customers can uninstall updates and continue to receive support for the copy of IE they purchased with Windows.
Enterprise users who tightly control their patches will not be affected, as they will still have full control over the versions of their browsers, Kandek said.