Microsoft Rushes Internet Explorer Patch
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
I found this this morning in my Windows Updater log:
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
I even find it awkward that no popular Linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Firefox updates upon the point of relaunch. There is no need to restart Windows. Also, it remembers the context of every session in every tab, so you can continue where you left off.
Starbucks, Harbuckle of Breath.
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
Also, telling it you want to be notified of available updates (similar to Firefox's behaviour) is nowhere near as convenient as the way Firefox handles simply installing its own update and then restarting with your windows and tabs reopened to where you were last.
- Michael T. Babcock (Yes, I blog)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
I'm more of a Linux man, but I know this is wrong. If you set auto updates to download and notify for installation, you can choose which updates to apply.
True, true, and true. But that doesn't change the fact that IE only runs on Windows and 99% of Windows users have Automatic Updates turned on, usually checking weekly. So you're usually looking at a max "lag time" of seven days before an IE user gets the patch. And that assumes the worst possible case: the patch releases right after that user's computer was updated, and they use their computer (and IE) every day.
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handles it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
Actually, you can - I've done exactly this on my home PC, which was installed from a corporate license (had an MSDN subscription at the time). You need to go through the process manually once - you select everything other than WGA, and when it asks if you really want to ignore that update, you check the box that says something like 'Never ask me about this update again', and click OK. Now, I still get all the critical updates installed automatically, but never have WGA installed on my PC. It's been like that for several years now.
Weekly? The default is to check every day at 3am. If it's turned on and left at the default (like most people do with Firefox), they'll be notified this morning and able to install it right away.