May 5th, 2009
Study: Silent patching best for securing browsers
Google’s decision to silently update the Chrome browser — without the user’s knowledge or consent – has put the company at the head of the pack when it comes to securing modern Web browsers.
That’s the big takeaway from a new study that argues that silent updaters are the most effective way to ensure the widest possible distribution of security patches. The study, conducted jointly by Google Switzerland and Swiss Federal Institute of Technology, found that auto-updates that ship with Chrome and Mozilla’s Firefox worked best at delivering patches while the distribution mechanism used by Microsoft, Opera and Apple left a lot to be desired.
For years, security practitioners have argued against silent patching, warning that end users should know — and consent to — what’s being changed on the machine but, according to this latest study, the silent updaters in browsers enhance security:
With silent updates, the user does not have to care about updates and system maintenance and the system stays most secure at any time. We think this is a reasonable default for most Internet users. Further more, silent updates are already well accepted for Internet Web applications.
…Our measurements prove that silent updates and little dependency on the underlying operating system are most effective to get users of Web browsers to surf the Web with the latest browser version. However, there is still room for improvement as we found. Google Chrome’s advantageous silent update mechanism has been open sourced in April 2009. We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins.
[ SEE: Skeletons in Microsoft's Patch Day closet ]
The report called attention to Opera’s weak patch release/update mechanism:
Opera browser users apparently don’t update frequently. After three weeks of a new release, a disappointing maximum of 24% active daily users of Opera 9.x have the newest Opera browser installed. It’s a pity that 76% of Opera 9.x users currently don’t benefit from the security improvements and new features of new Opera versions within three weeks of its release. If some engineering time were spent on increasing update effectiveness instead of working on new features, this would eventually benefit many more users. We also recognize an outlier, namely Opera 9.61, which got replaced after nine days of its release. .
Apple’s Safari also fared poorly:
A mere maximum 53% share of Apple Safari 3.x Web browser users benefit from an update within three weeks of its release. With newer releases of Apple Safari 3.2.x versions, the update effectiveness drops considerably lower. The reason is that Apple put the bar higher to who is eligible for updates to Apple Safari 3.2.x by requiring Mac OS X Tiger 10.4.11 or higher or Mac OS X Leopard 10.5.5 or higher with Security Update 2008-007 installed. Given that Apple Safari 3.2.1 reaches only 33% on day 21 after release, that’s an additional 20% of Apple Safari 3.x users that were left behind since Apple Safari 3.2.x came out.
“All in all, the poor update effectiveness of Apple Safari and Opera gives attackers plenty of time to use known exploits to attack users of outdated browsers,” the researchers warned.
The researchers were not able to track Internet Explorer’s browser updating because Microsoft only reports the major version number and omits the minor version number in the user agent string.
However, the study called on Microsoft to rethink its Patch Tuesday release cycle for Internet Explorer updates:
A fixed patch schedule mainly benefits the patch management processes of larger corporations - organizations which are typically better protected against Internet threats than the masses of individual users. Based on our measurements and the evolution of the threats towards end-users we suggest that software vendors release patches for attack exposed applications, such as Web browsers and plug-ins, as soon as they are available - while keeping a patch schedule for less attack exposed applications. We believe that there is room for a better trade-off to benefit overall security.
ALSO READ:
- Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari
- IE vs Firefox: Microsoft crunches security numbers
- Study: Firefox wins browser time-to-patch race
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
