Microsoft recently decided to follow Google’s lead and automatically update Internet Explorer, taking the choice...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
of when and whether to update the browser out of the hands of users. A Microsoft Security Intelligence report detailed that 99% of all attacks were for unpatched-but-known vulnerabilities. Will these IE automatic security updates cause problems for enterprises?
Ask a question
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: firstname.lastname@example.org.
Better threat protection when surfing the Net is likely the main reason software vendors like Google and Microsoft are moving toward automatic updates as the norm, removing the problem of update fatigue for users. Microsoft’s Security Intelligence Report found less than 1% of exploits in the first half of 2011 were against zero-day vulnerabilities, whereas 99% of all attacks distributed malware through social engineering and unpatched-but-known vulnerabilities.
These stats explain why Microsoft has decided to initiate IE automatic updates; namely to ensure all IE users are on the most current version. By helping users follow security best practices, attacks that target outdated software like Web browsers will fail. Simply changing how IE updates itself should greatly reduce the number of PC malware infections. People use browsers more frequently than any other software, so keeping them updated is critical to keeping users safe online. Wider deployment of the most up-to-date browser benefits the Web in other ways too. As one example, developers and businesses can leverage better browsers to deliver richer and more engaging Web services.
Enterprise administrators who wish to maintain control over when browsers update can still use the IE8 and IE9 Automatic Update Blocker toolkits to manage the update process. These toolkits provide the capability to delay a deployment until an update has been fully tested to ensure it won’t cause any application compatibility issues.
However, modern browsers are more standards-compliant and network administrators need to weigh the risks of delaying updates against the risk of the update adversely affecting other software or systems. Installing an untested update that breaks a mission-critical application potentially causes more damage than a malware infection, though in reality, few browser updates are released that do actually cause problems. Personally, I’ve never come across one, and a poll of the readers of the TechRepublic Microsoft Windows Blog showed only 5% of respondents reported patches of any kind had broken their system, while 72% said they very seldom or never did.
If you run a relatively up-to-date and standard operation that is not mission critical, but feel your organization is a possible hacker target, then you should roll out browser updates immediately without running a test. If you have a legacy or aging infrastructure that has suffered from patch-compatibility problems in the past, or you're dealing with a system that is mission critical, then you should still run a patch test prior to installing new patches.
Dig Deeper on Web Browser Security
Related Q&A from Michael Cobb
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Google's second Android Security Report revealed changes and upgrades made to the OS. Expert Michael Cobb covers the important takeaways for ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.