Microsoft recently decided to follow Google’s lead and automatically update Internet Explorer, taking the choice of when and whether to update the browser out of the hands of users. A Microsoft Security Intelligence report detailed that 99% of all attacks were for unpatched-but-known vulnerabilities. Will these IE automatic security updates cause problems for enterprises?
Better threat protection when surfing the Net is likely the main reason software vendors like Google and Microsoft are moving toward automatic updates as the norm, removing the problem of update fatigue for users. Microsoft’s Security Intelligence Report found less than 1% of exploits in the first half of 2011 were against zero-day vulnerabilities, whereas 99% of all attacks distributed malware through social engineering and unpatched-but-known vulnerabilities.
These stats explain why Microsoft has decided to initiate IE automatic updates; namely, to ensure all IE users are on the most current version. Keeping users on a current browser helps them follow security best practices, so attacks that target outdated software such as Web browsers will fail. Simply changing how IE updates itself should greatly reduce the number of PC malware infections. People use browsers more frequently than any other software, so keeping them updated is critical to keeping users safe online. Wider deployment of the most up-to-date browser benefits the Web in other ways too. As one example, developers and businesses can leverage better browsers to deliver richer and more engaging Web services.
Enterprise administrators who wish to maintain control over when browsers update can still use the IE8 and IE9 Automatic Update Blocker toolkits to manage the update process. These toolkits provide the capability to delay a deployment until an update has been fully tested to ensure it won’t cause any application compatibility issues.
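As an added example that is not part of the original answer, the following PowerShell script audits a single Windows host for the installed IE version and for the registry values the IE8 and IE9 Automatic Update Blocker toolkits set, so an administrator can see at a glance where an upgrade has been deferred. It assumes the toolkits record their setting as a DWORD named DoNotAllowIE80 or DoNotAllowIE90 under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\<version>, as the toolkits' own scripts do; verify the names against the toolkit you deployed.

```powershell
# Added example (not from the original article): report the installed Internet
# Explorer version and whether the IE8/IE9 Automatic Update Blocker is in place.
# Assumption: the blocker toolkits write DoNotAllowIE80 / DoNotAllowIE90 (DWORD = 1)
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0 and \9.0 respectively.

$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

# IE10 and later record the real version in svcVersion; earlier releases only in Version.
$props     = Get-ItemProperty -Path $ieKey -ErrorAction Stop
$installed = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }

# One entry per blocker toolkit: the registry path and value name it controls.
$blockers = @(
    @{ Release = 'IE8'; Path = "$ieKey\Setup\8.0"; Name = 'DoNotAllowIE80' },
    @{ Release = 'IE9'; Path = "$ieKey\Setup\9.0"; Name = 'DoNotAllowIE90' }
)

$report = foreach ($b in $blockers) {
    $val = $null
    if (Test-Path $b.Path) {
        # A value of 1 means Automatic Updates will not offer that IE release.
        $val = (Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue).($b.Name)
    }
    [pscustomobject]@{
        Release = $b.Release
        Blocked = ($val -eq 1)
        Setting = if ($null -eq $val) { 'not set' } else { "$($b.Path)\$($b.Name) = $val" }
    }
}

"Installed Internet Explorer version: $installed"
$report | Format-Table -AutoSize

# Surface the trade-off the article describes: a blocker means the upgrade is deferred,
# so there should be a tested rollout date to go with it.
$deferred = $report | Where-Object { $_.Blocked }
if ($deferred) {
    Write-Warning ("Automatic IE upgrades are blocked for: {0}. Confirm a tested rollout is scheduled." -f ($deferred.Release -join ', '))
}
```

Run it elevated on a representative workstation, or wrap it in Invoke-Command to collect the same report across a fleet.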
However, modern browsers are more standards-compliant, so network administrators need to weigh the risk of delaying updates against the risk of an update adversely affecting other software or systems. Installing an untested update that breaks a mission-critical application potentially causes more damage than a malware infection, though in reality, few browser updates are released that actually cause problems. Personally, I’ve never come across one, and a poll of the readers of the TechRepublic Microsoft Windows Blog showed only 5% of respondents reported patches of any kind had broken their system, while 72% said they very seldom or never did.
If you run a relatively up-to-date and standard operation that is not mission critical, but feel your organization is a possible hacker target, then you should roll out browser updates immediately without running a test. If you have a legacy or aging infrastructure that has suffered from patch-compatibility problems in the past, or you're dealing with a system that is mission critical, then you should still run a patch test prior to installing new patches.