Mozilla seems to be following the lead of Google and Microsoft with its inclusion of a silent auto-updater in Firefox 13. Adobe also included the feature in Flash 11.2. Will silent auto-updaters benefit user security on the whole, or will they cause application-compatibility issues?
SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email at firstname.lastname@example.org.
Silent auto-updaters install the most recent patch or version onto an installed browser or software product without first obtaining permission from the user or administrator. The main reason software vendors are moving toward silent updating is to ensure better threat protection when users are surfing the Web. Silent updates can prevent attacks that target outdated Web browsers and popular Web software programs, greatly reducing the number of PCs that are infected by malware.
Even the perception of silent updates is changing: once seen as invasive, they are increasingly seen as convenient for users. Wider deployment of the most up-to-date software also benefits businesses, giving developers the ability to leverage features that deliver richer and more engaging Web services.
Unforeseen application-compatibility issues after a browser or software version has been silently updated are also far less of a problem nowadays. For example, DLL Hell, a situation in which one application would install a newer version of an existing DLL with unanticipated functionality changes, has been essentially eradicated in recent versions of Windows because Windows File Protection protects system DLLs from being updated or deleted by unauthorized programs.
However, application compatibility problems may occur when silent updates are imposed upon legacy or aging infrastructures that are running outdated and officially unsupported operating systems and applications. In such cases, network administrators need to weigh the risks of delaying updates against the risk of the updates adversely affecting software or systems. Fortunately, administrators can still delay deployment until the update has been fully tested to ensure that it won't cause any application-compatibility issues. For Windows environments, administrators can use the IE8 and IE9 Automatic Update Blocker toolkits to manage the update process. Firefox can also be set to automatically download and install updates or check for updates but not install them without prior permission.
Because the user does not have to worry about updates and maintenance, and the system stays more secure as a result, enabling silent updates is a reasonable default for most Internet users. Because Google's Updater is open source, an increasing number of software vendors are likely to start incorporating silent updates into their programs.
This was first published in August 2012