Wednesday, May 6, 2009

Patching the Web browser silently...

There's a new security paper out on the relative strengths of the patching methods used within Google's Chrome, Mozilla's Firefox, Apple's Safari and good old Opera. The paper, titled "Why Silent Updates Boost Security", was written by Thomas Duebendorfer and Stefan Frei, and progresses the studies Thomas, Stefan, Martin May and I did last year on Web browser insecurity with "Understanding the Web Browser Threat".

I'd recommend you take the time to read the paper. But for those that find themselves pressed for time, and need the highlights...
  • The paper analyzes the relative effectiveness of Web browser updating mechanisms in use by Chrome, Firefox, Safari and Opera.
  • Analysis is based upon access to anonymized logs from Google's Web servers. (Which I'm sure you'll agree are damned extensive!)
  • Back in June 2008, the previous study found that Firefox had the most successful update mechanism. Since then, Google's Chrome browser has appeared, and its updating mechanism has been found to be even more successful (with certain caveats).
  • Chrome's silent update mechanism allowed users of the Web browser to update faster - subject to the user knowing that updates have been applied and that they need to restart the browser.
I think this is great work that Thomas and Stefan have done. Their findings not only back up the importance of improving security updating features in software, but also provide the verification of which systems tend to work better.

There's still work to be done though. Patching the Web browser in a prompt and reliable fashion is a critical element in improving desktop security - but it's not the only one. I'd place plug-in patching at the same level (if not a notch or two higher) on the criticality scale.

I'd like to see Google or Firefox take the lead in enforcing a similar method of patching for all plug-ins accessible via their Web browser technologies - either silently patching those plug-ins or prompting users to patch immediately and, if the plug-in isn't patched, disabling its usage from the Web browser until it is updated.
