Slashdot Mirror
Microsoft Rushes Internet Explorer Patch
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.
Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.
I found this this morning in my Windows Updater log :
"
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Installation date: 12/18/2008 3:01 AM
"
If Microsoft had the same reputation that Mozilla did for their updates not screwing the pooch then maybe I would consider using that kind of auto-update feature.
Then again, I only use Firefox, and would never consider using IE. At one point do even common household users realize that IE is not the way to go?
No -- Firefox is at the disadvantage. If you're a single user running as administrator, its auto-update is great. However, the users (all running limited accounts) on our Windows/Samba network will have to wait until I install the new update manually because there is no built in mechanism for administrators to push out updates.
And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?
On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.
Tightly bound indeed. I've been postponing the inevitable reboot all day long (GMT here). It's ridiculous to need a reboot just for a browser update.
I even find it awkward that no popular linux distribution checks and proposes security updates at bootup.
I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".
Perhaps this is because Microsoft so tightly binds IE to the operating system
Not perhaps.
I believe the engineering term is "reap what you sow, bitches."
Per application autoupdates are a horrendous pain. Each one has its own, completely idiosyncratic configuration mechanism, its own schedule, and its own behavior. A lot of them will run(but fail in various annoying ways) under limited user accounts, and they are utterly useless in an environment where firewalls or similar block application downloads on client machines.
I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.
Firefox updates upon the point of relaunch. There is no need to restart windows. Also it remembers the context of every session in every tab, so you can continue where you left off.
Starbucks, Harbuckle of Breath.
IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?
IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.
However I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps like Linux distros do things, thats about the best you can hope for...
That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.
Overclockers
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
Also, telling it you want to be notified of available updates (similar to Firefox's behaviour) is nowhere near as convenient as the way Firefox handles simply installing its own update and then restarting with your windows and tabs reopened to where you were last.
- Michael T. Babcock (Yes, I blog)
The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."
I'm more of a Linux man, but I know this is wrong. If you set auto updates to download and notify for installation, you can choose which updates to apply.
True, true, and true. But that doesn't change the fact that IE only runs on Windows and 99% of Windows users have Automatic Updates turned on, usually checking weekly. So you're usually looking at a max "lag time" of seven days before an IE user gets the patch. And that assumes the worst possible case: the patch releases right after that user's computer was updated, and they use their computer (and IE) every day.
doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone
Indeed, you can't have it automatically update a critical browser flaw, but say 'no' to the 1673rd revision of "Windows Genuine Advantage".
[Insert pithy quote here]
With Vista they've made it doubly annoying, as Windows Defender gets updates *all* the time. So if you've got it set to notify, you get a whole lot of nagging. If only you could pre-approve Windows Defender updates...
jh
If the user isn't bright enough to read the patch list, then why are you trusting them to selectively patch the OS?
Set windows update to automatic and be done with it.
I have yet to run into an average user with a properly working computer who has had a problem with something pushed through Windows Update.
The bad thing about IE not having the built in updater is that this patch required a freaking reboot for a browser patch!!
That is just stupid.
The great thing about this fiasco is that I was able to convince several people who had been un-willing to move to Firefox or Opera to now do so.
Thanks Microsoft!
Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handle it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary.
But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.
While I would agree with you in theory, your ideas don't match up with what I've seen in the real world.
Until recently I worked in a mom and pop PC repair business. About 9 out of 10 systems I worked on were out of date, typically by a few months. I don't know for sure, but my guess is that users are switching auto-update off because can't be bothered with 'nag' messages from their software.
Granted, the machines I saw were generally dying, so it may not be a fair cross-section of home computer users. Still, the idea that 99% of home users should have new patches within a week flies in the face of what I saw every day.
Dangerous, sexy, turing complete: Femme Bots
Apple has resolved this issue. Now they try to install Safari in addition to Quicktime and Itunes.
Actually, you can - I've done exactly this on my home PC, which was installed from a corporate license (had an MSDN subscription at the time). You need to go through the process manually once - you select everything other than WGA, and when it asks if you really want to ignore that update, you check the box that says something like 'Never ask me about this update again', and click OK. Now, I still get all the critical updates installed automatically, but never have WGA installed on my PC. It's been like that for several years now.
Weekly? The default is to check every day at 3am. If it's turned on and left at the default (like most people do with FireFox), they'll be notified this morning and able to install it right away.
Your comment shows ignorance.
When FF needs to install critical patches it restarts itself & conserves as much context as possible.
When windows needs to install critical patches it reboots the system & loses all context. Even if you delay the reboot to finish critical tasks the reminder that you need to reboot pops up periodically with reboot preselected. If you were performing an unrelated task & happen to hit enter at the wrong time the system reboots without saving your work possibly corrupting it.
I've seen it happen a few times & people do switch browsers after being burnt or seeing it happen to colleagues, but I suppose you'll just stick your fingers in your ears, close your eyes & mumble your prayers to the Redmond God to spare you...
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue