Microsoft recently decided to follow Google’s lead and automatically update Internet Explorer, taking the choice of when and whether to update the browser out of the hands of users. A Microsoft Security Intelligence report detailed that 99% of all attacks were for unpatched-but-known vulnerabilities. Will these IE automatic security updates cause problems for enterprises?
Better threat protection when surfing the Net is likely the main reason software vendors like Google and Microsoft are moving toward automatic updates as the norm, removing the problem of update fatigue for users. Microsoft’s Security Intelligence Report found less than 1% of exploits in the first half of 2011 were against zero-day vulnerabilities, whereas 99% of all attacks distributed malware through social engineering and unpatched-but-known vulnerabilities.
These statistics explain why Microsoft has decided to initiate IE automatic updates, namely to ensure all IE users are on the most current version. Automatic updates help users follow security best practice, so attacks that target outdated software like Web browsers fail. Simply changing how IE updates itself should greatly reduce the number of PC malware infections. People use browsers more frequently than any other software, so keeping them updated is critical to keeping users safe online. Wider deployment of the most up-to-date browser benefits the Web in other ways too: developers and businesses, for example, can leverage better browsers to deliver richer and more engaging Web services.
Enterprise administrators who wish to maintain control over when browsers update can still use the IE8 and IE9 Automatic Update Blocker toolkits to manage the update process. These toolkits provide the capability to delay a deployment until an update has been fully tested to ensure it won’t cause any application compatibility issues.
However, modern browsers are more standards-compliant, and network administrators need to weigh the risk of delaying updates against the risk of an update adversely affecting other software or systems. Installing an untested update that breaks a mission-critical application potentially causes more damage than a malware infection, though in reality few browser updates actually cause problems. Personally, I've never come across one, and a poll of the readers of the TechRepublic Microsoft Windows Blog showed only 5% of respondents reported patches of any kind had broken their system, while 72% said they very seldom or never did.
If you run a relatively up-to-date, standard operation that is not mission critical, but feel your organization is a possible hacker target, then you should roll out browser updates immediately without running a test. If you have a legacy or aging infrastructure that has suffered patch-compatibility problems in the past, or you are dealing with a system that is mission critical, then you should still run a patch test before installing new patches.
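As an added illustration of the blocker toolkits mentioned above and of what weighing a deferral means in practice, here is a PowerShell audit that is not part of the original answer or of Microsoft's toolkits: it reads the registry values the IE8 and IE9 Automatic Update Blocker toolkits set and reports which hosts are actually being held on an older version, so the deferral window for each can be tracked. The registry paths and value names are the ones those toolkits document; the function name and output fields are my own.

```powershell
# Added audit example (not from the article or from the Blocker Toolkits themselves).
# Reports, per host, the installed IE version and whether the IE8/IE9 Automatic
# Update Blocker registry values are set, and flags hosts where a block is
# actually holding the browser back. Value names DoNotAllowIE80/DoNotAllowIE90
# are the ones the toolkits write under HKLM; confirm against your toolkit's ADM.
# Remote hosts need the Remote Registry service running (OpenRemoteBaseKey).
function Get-IEBlockerStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $blockers = @(
        @{ Major = 8; Key = 'SOFTWARE\Microsoft\Internet Explorer\Setup\8.0'; Value = 'DoNotAllowIE80' },
        @{ Major = 9; Key = 'SOFTWARE\Microsoft\Internet Explorer\Setup\9.0'; Value = 'DoNotAllowIE90' }
    )

    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        } catch {
            Write-Warning "${computer}: $($_.Exception.Message)"
            continue
        }
        try {
            # svcVersion is authoritative on IE10+; older builds only carry Version
            $ieKey = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
            $installed = if ($ieKey) { $ieKey.GetValue('svcVersion', $ieKey.GetValue('Version', '0')) } else { '0' }
            $installedMajor = [int](([string]$installed).Split('.')[0])

            foreach ($b in $blockers) {
                $sub = $hklm.OpenSubKey($b.Key)
                $blocked = ($null -ne $sub) -and ([int]$sub.GetValue($b.Value, 0) -eq 1)
                [pscustomobject]@{
                    Computer    = $computer
                    InstalledIE = $installed
                    BlocksIE    = $b.Major
                    BlockSet    = $blocked
                    # A block only matters while the host still runs an older major version
                    HeldBack    = $blocked -and ($installedMajor -lt $b.Major)
                }
            }
        } finally {
            $hklm.Close()
        }
    }
}

# Hosts where HeldBack is true are the ones whose deferral window must be tracked
Get-IEBlockerStatus | Where-Object { $_.HeldBack } | Format-Table -AutoSize
```

Pass a list of hostnames to `-ComputerName` to sweep a fleet; a host with `BlockSet` true but `HeldBack` false has already moved past the blocked version and the block can be retired.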
This was first published in April 2012