Google study backs browser silent auto update feature

By Robert Westervelt, News Editor
08 May 2009 | SearchSecurity.com

Security Wire Daily News
The silent auto update feature, found only in Google's Chrome browser, results in a more secure user base, according to a study conducted by the search engine giant and the Swiss Federal Institute of Technology (SFIT).
The Chrome auto update, which cannot be turned off by users, works in the background and automatically updates the browser with the latest feature updates and security fixes. A report prepared by researchers at SFIT and Google Switzerland analyzed anonymous Google logs to determine that a 97% share of active Google Chrome users were using the latest Google Chrome 1.x version, three weeks after a new release.

By comparison, Mozilla's Firefox browser pushed out an update to users faster, but its user base never reached more than an 85% usage share for its latest version within 21 days of the release. The report's authors, Thomas Duebendorfer and Stefan Frei, wrote that the lower usage share could be a result of the browser's obtrusive user prompt requiring a restart when a new release is pushed out.
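The metric behind the figures above is the share of active users who run the latest release within N days of its publication. The following is an added example, not the study's code or data: it reads constructed log lines of the form `YYYY-MM-DD user_id browser_version`, deduplicates per user (counting users, not hits), and reports the latest-version share at the end of a chosen window. The version strings and the release date are made up for illustration.

```python
from datetime import date, timedelta

# Constructed sample log, one visit per line: "YYYY-MM-DD user_id browser_version".
# Illustrative records only; not data from the Google/SFIT study.
SAMPLE_LOG = """\
2009-01-20 u1 1.0.154.36
2009-01-22 u2 1.0.154.36
2009-01-24 u3 1.0.154.36
2009-01-28 u1 1.0.154.48
2009-02-01 u2 1.0.154.48
2009-02-05 u4 1.0.154.36
2009-02-10 u3 1.0.154.48
2009-02-12 u5 1.0.154.48
2009-02-20 u6 1.0.154.36
""".splitlines()

LATEST = "1.0.154.48"                 # hypothetical "latest" release
RELEASE_DATE = date(2009, 1, 27)      # hypothetical release date of LATEST


def parse_log(lines):
    """Yield (visit_date, user_id, version) for each log line."""
    for line in lines:
        day, user, version = line.split()
        yield date.fromisoformat(day), user, version


def usage_share(lines, latest, release_date, window_days=21):
    """Fraction of users active in [release_date, release_date + window_days]
    whose most recent visit in that window ran `latest`.

    Each user counts once, by their last observed version, so a user who
    visited on the old version and later updated is counted as updated.
    """
    window_end = release_date + timedelta(days=window_days)
    last_seen = {}  # user_id -> (visit_date, version)
    for day, user, version in parse_log(lines):
        if release_date <= day <= window_end:
            if user not in last_seen or day >= last_seen[user][0]:
                last_seen[user] = (day, version)
    if not last_seen:
        return 0.0
    on_latest = sum(1 for _, v in last_seen.values() if v == latest)
    return on_latest / len(last_seen)


if __name__ == "__main__":
    for days in (3, 10, 21):
        print(f"day {days:2d}: {usage_share(SAMPLE_LOG, LATEST, RELEASE_DATE, days):.0%}")
```

Running the block prints the adoption share at days 3, 10 and 21 after the constructed release; in the sample data the share climbs to 80% by day 21 because the user seen only on 2009-02-20 falls outside the window.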

Johnathan Nightingale of Mozilla's security team said the report's findings must be understood in a broader context. Mozilla prides itself on informing users, he said.
"We make certain choices, like telling users when security updates happen, and not automatically upgrading users to new 'major' versions … because we think it's important to give our users that information and choice," Nightingale said. "We also ship on multiple operating systems some of whom, like Linux, use their system-wide update systems instead of the one built in to Firefox."

Other browsers with manual update processes that required user interaction fared poorly in the Google study. Only 24% of Opera users had downloaded the latest version three weeks after the new release, while 53% of users on a 3.x version of Apple's Safari browser downloaded the new version within 21 days of its release.

The study's researchers were not able to measure Microsoft Internet Explorer's update effectiveness, citing technical reasons.

"Given that Microsoft Internet Explorer is updated through the operating system, much like Apple Safari but with optional auto-download of any browser update (and not just important ones as in OS X), we would expect Internet Explorer's update performance to be between that of Apple Safari and Mozilla Firefox," Duebendorfer and Frei wrote.

Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., said that silent auto updates could help improve browser security, but associated plug-in technology such as Flash, QuickTime and Java will remain at risk.

"It is vital that patch roll-outs are faster than exploit development," he wrote in an email message. "Clearly, as the research shows, what we are doing now is not working."

Plug-in software vendors could adopt a similar patching mechanism to make the approach more comprehensive, Grossman said.

While silent, automatic software updates may go a long way toward improving the patching of Web browsers, it's unlikely that the approach could work with other applications, said network security expert Marcus Ranum, CSO of Tenable Network Security Inc. The software industry would need to reinvent its entire delivery model to transform the patching process, a change that is stymied by economic interests, Ranum said. It could happen over the next two decades, he said.

"The long-term story is that we need to completely solve the problem of system administration and make inroads on software quality and right now we're not positioned to do either," Ranum said. "The problem with silent auto updates is that a lot of critical systems can't handle suddenly being told 'reboot yourself' by Microsoft or whoever."

Ranum also questioned whether users should trust vendors to deploy a patch at will. Vendor interests are not always in line with customer interests, he said. The larger issue is that software vendors are not producing strong enough code, he said.

"Enshrining patching as a core process for IT is an admission that we've utterly failed to tackle system administration and software quality; both of which are crucial problems for the future of computing," he said.

All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy