The silent auto update feature, found only in Google's Chrome browser, results in a more secure user base, according to a study conducted by the search engine giant and the Swiss Federal Institute of Technology (SFIT).
To get security news and tips delivered to your inbox,
The Chrome auto update, which cannot be turned off by users, works in the background and automatically updates the browser with the latest feature updates and security fixes. A report prepared by researchers at SFIT and Google Switzerland analyzed anonymous Google logs to determine that a 97% share of active Google Chrome users were using the latest Google Chrome 1.x version, three weeks after a new release.
By comparison, Mozilla's Firefox browser pushed out an update to users faster, but its user base never reached more than an 85% usage share for its latest version within 21 days of the release. The report's authors, Thomas Duebendorfer and Stefan Frei, wrote that the lower usage share could be a result of the browser's obtrusive user prompt requiring a restart when a new release is pushed out.
Johnathan Nightingale of Mozilla's security team said the report's findings must be understood in a broader context. Mozilla prides itself on informing users, he said.
Will Google Chrome enhance overall browser security? Expert John Strand reviews Google Chrome's browser security features and what the new tool will mean for enterprise IT teams.
What are the basics of a Web browser exploit? John Strand explains how attackers target a flaw in either the browser or in an application that the browser calls to process a Web request.
"We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new 'major' versions … because we think it's important to give our users that information and choice," Nightingale said. "We also ship on multiple operating systems some of whom, like Linux, use their system-wide update systems instead of the one built in to Firefox."
Other browsers with manual update processes that required user interaction faired poorly in the Google study. Only 24% of Opera users downloaded the latest version three weeks after the new release, meanwhile, 53% of users on a 3.x version of Apple's Safari browser downloaded the new version within 21 days of its release.
The study's researchers were not able to measure Microsoft Internet Explorer's update effectiveness, citing technical reasons.
"Given that Microsoft Internet Explorer is updated through the operating system, much like Apple Safari but with optional auto-download of any browser update (and not just important ones as in OS X), we would expect Internet Explorer's update performance to be between that of Apple Safari and Mozilla Firefox," Duebendorfer and Frei wrote.
Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., said that silent auto updates could help improve browser security, but associated plug-in technology such as Flash, QuickTime and Java will remain at risk.
"It is vital that patch roll-outs are faster than exploit development," he wrote in an email message. "Clearly, as the research shows, what we are doing now is not working."
Plug-in software vendors may be able to implement a similar patching mechanism for the approach to be more comprehensive, Grossman said.
While silent, automatic software updates may go a long way to improve patching of Web browsers. It's unlikely that it could work with other applications, said network security expert Marcus Ranum, CSO of Tenable Network Security Inc. The software industry would need to reinvent its entire delivery model to transform the patching process, an issue that is stymied by economic interests, Ranum said. It could happen over the next two decades, he said.
"The long-term story is that we need to completely solve the problem of system administration and make inroads on software quality and right now we're not positioned to do either," Ranum said. "The problem with silent auto updates is that a lot of critical systems can't handle suddenly being told 'reboot yourself' by Microsoft or whoever."
Ranum also questioned whether users should trust vendors to deploy a patch at will. Vendor interests are not always in line with customer interests, he said. The larger issue is that software vendors are not producing strong enough code, he said.
"Enshrining patching as a core process for IT is an admission that we've utterly failed to tackle system administration and software quality; both of which are crucial problems for the future of computing," he said.