Microsoft rolls out silent updating for Internet Explorer

“Silent updating,” writes Kandek in the Qualys blog The Laws of Vulnerabilities, “is generally seen as a big improvement to security on the Internet.” He points to the study by Thomas Duebendorfer (Google) and Stefan Frei (Computer Engineering and Networks Laboratory, Switzerland) as corroboration. “Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness to malware infections due to better architecture, sandboxing and the included URL filtering feature.”

Attitudes towards phoning home by vendors have come a long way since Microsoft launched its Windows Genuine Advantage, an anti-piracy system that enforces online validation of the operating system. At the time there was a degree of mistrust in Microsoft and much outrage that this effectively amounted to spyware. Challenged that silently updating software as important and integral as the browser can only be good if there is total trust in the vendor, and that Microsoft has in the past not always enjoyed that trust, Kandek replied that the behavior of the company and attitudes towards it have changed. “Microsoft today has a remarkably successful security program and is openly and transparently working with security experts, exchanging information and ideas.”

Perhaps confirming this more open and flexible approach, the Microsoft announcement also stresses the company’s desire to strike the right balance between consumers and enterprises, that is, “getting consumers the most up-to-date version of their browser while allowing enterprises to update their browsers on their schedule.” Along with the silent update for consumers, Microsoft is also providing Automatic Update Blocker toolkits for both IE8 and IE9 for enterprises.

Kandek suggests that both Windows 7 and Office 2010 implement a number of security improvements in their default setup largely because they involved extensive testing with “both internal Microsoft resources and external security consultants.” This more open attitude towards security is seen as underpinning the security industry’s improved attitude towards Microsoft and has led to a very stable patch track record for the company. “I believe we are today,” says Kandek, “at a level where Windows workstations can be updated starting immediately after the release of the patches and shooting for a complete roll-out within one week.”

Given, then, that users can generally trust Microsoft to do the right thing and to do it well, the remaining question is whether this new silent update will be of benefit. “It is possible for Microsoft to make a mistake,” admits Kandek, “but I think this would be unintentional. Organizations need to weigh this possibility against the very intentional attacks by malware that are happening every day.”

Effective and zealous patching of user applications is widely regarded as a major tool in the fight against cybercrime. Microsoft’s own research has shown that the majority of detected cyber attacks occur a full two months after the vulnerability has been patched, that is, against systems that have simply not installed an available fix. Silent updating would automatically safeguard users from this whole class of attacks. “The best way to deal with malware is not to detect and neuter it,” concludes Kandek, “but to prevent the infection in the first place, which can be done by applying critical patches as quickly as possible.”