Automatic updates: There has to be a better way
Pushing security patches to users automatically is the fastest way to fix vulnerabilities, but it's easy to go too far -- as Microsoft has shown
Follow @McAllisterNeil
It's an unpleasant fact: Programmers write buggy code. It's not their fault. Given the complexity of modern software development platforms, bugs are inevitable. What matters is that programmers acknowledge bugs when they arise and that they take steps to correct them before they can cause any harm.
Case in point: Internet Explorer. Microsoft's browser has long been recognized as a major vector for malware and other exploits, owing to its infamously permissive design and a seemingly endless string of security vulnerabilities. So when Microsoft released a critical security update to IE in mid-April, it should have been cause for celebration. Microsoft's developers were doing their jobs. Another security hole had been closed.
Except the update wasn't just another security patch. It was Internet Explorer 8 -- an entirely new, major-numbered version of the browser. Users who agreed to install it found that it took the place of their old version of IE. Users who didn't ... well, they would have to be brave enough to ignore a "critical security update." Decisions, decisions.
Setting a new standard with IE8
There's a strong argument to be made for what Microsoft did. Older versions of Web browsers are notoriously noncompliant with W3C standards; older versions of IE, doubly so. With IE8, Microsoft is in the unique position to twist every IE user's arm into installing the latest version, thereby creating a new de facto standard on the Windows platform. And IE8 is the most standards-compliant version to date. For Web developers, it could be a godsend.










