Automatic updates: There has to be a better way

Pushing security patches to users automatically is the fastest way to fix vulnerabilities, but it's easy to go too far -- as Microsoft has shown

It's an unpleasant fact: Programmers write buggy code. It's not their fault. Given the complexity of modern software development platforms, bugs are inevitable. What matters is that programmers acknowledge bugs when they arise and that they take steps to correct them before they can cause any harm.

Case in point: Internet Explorer. Microsoft's browser has long been recognized as a major vector for malware and other exploits, owing to its infamously permissive design and a seemingly endless string of security vulnerabilities. So when Microsoft released a critical security update to IE in mid-April, it should have been cause for celebration. Microsoft's developers were doing their jobs. Another security hole had been closed.

[ Roger A. Grimes is skeptical of iron-clad browser security in his blog post, "The curious case of the invulnerable Web browser" | Learn more about securing your systems with InfoWorld's Security Adviser blog and newsletter. ]

Except the update wasn't just another security patch. It was Internet Explorer 8 -- an entirely new, major-numbered version of the browser. Users who agreed to install it found that it took the place of their old version of IE. Users who didn't ... well, they would have to be brave enough to ignore a "critical security update." Decisions, decisions.

Setting a new standard with IE8
There's a strong argument to be made for what Microsoft did. Older versions of Web browsers are notoriously noncompliant with W3C standards; older versions of IE, doubly so. With IE8, Microsoft is in the unique position to twist every IE user's arm into installing the latest version, thereby creating a new de facto standard on the Windows platform. And IE8 is the most standards-compliant version to date. For Web developers, it could be a godsend.

Then again, IE8's adherence to standards means it doesn't behave exactly like IE7, or IE6, or IE5. And like it or not, all too many enterprise applications have been written to the unique quirks and foibles of those particular browser versions. For that, Microsoft has no one to blame but itself. After all, it released the noncompliant browsers in the first place. For a company that has invested so heavily in backward compatibility for Windows to willingly risk breaking all of those legacy IE-only Web apps by pushing out a new version of the browser now seems unappreciative at best.

Unfortunately, the comparison to Windows is all too appropriate. The phrase "surfing the Web" has long since lost its original meaning. Modern browsers connect users to online applications as sophisticated as anything that has ever run on a PC desktop. They are complete software platforms unto themselves. In fact, if the browser continues its ascent, desktop operating systems as we have known them may eventually lose their relevance altogether. For Microsoft to charge into these waters so recklessly is seriously risky business.

Who decides what code gets pushed?
And yet there are the bugs. In the bad old days, customers needed to check software vendors' Web sites periodically to find out if any new security fixes were available. In the best-case scenario, they could subscribe to a newsletter. And even then, they had to download and install the updates themselves. Microsoft's Windows Update feature was an important step in the right direction, as was the auto-update feature introduced in Firefox 1.5, among others.

But it's easy to go too far with automatic updates. Microsoft isn't alone in pushing the boundaries with its Web browser. Google Chrome, for example, installs Google Update, a service that runs in the background, silently downloading and installing new releases of the browser without the user's knowledge -- and Google is encouraging others to follow its lead. And Apple was arguably the worst of all when it tried to push its Safari browser to users of its QuickTime software for Windows, whether they were interested in trying a new browser or not.

Fortunately, Microsoft's IE8 update turns out to be less insidious than it could have been. Even if you download the update automatically, you have to explicitly confirm that you want it before it will install. And if you get cold feet and decide to remove it via the Add/Remove Programs control panel, upon reboot you'll find you've simply been rolled back to your previous version of Internet Explorer. It wasn't deleted at all; it's just hiding. No harm, no foul.

Still, software vendors need to find a balance between automation and cooperation for security updates. Users have a right to know what software is being installed on their PCs, when, and for what reason. At the same time, they have a responsibility to keep their computers up to date with the latest security patches, so they don't become vectors for botnets, worms, and other malware. It's just good Net hygiene.

Forewarned is forearmed
Maybe the problem is that software vendors simply aren't giving users enough information to make the right choices. Maybe every software update should offer users a thorough yet easy-to-understand explanation before it installs. It could go something like this:

Dear user: We goofed. When we wrote the version of our software that you're using now, we thought it was really swell. We were wrong. It contains bugs that can be exploited by criminals on the Internet. If you continue to use it, every time you use your PC you will be vulnerable to spyware, viruses, identity theft, and worse. The patch we are offering you now will fix those vulnerabilities -- we think -- but there's a catch. It also changes the feature set and the behavior of the software, so it may not work the same way that it did before. It might not even work properly with other software that it worked with before, which means you won't be able to use that software anymore. The choice is yours.

Somehow, however, I doubt such a note would make it past the marketing department.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies