Google's stealth updates: Why no one else gets away with it

How has Google managed to get users to accept its patches while other software vendors' updates are ignored or condemned?

Google has a big advantage over competitors when it comes to pushing out patches for Chrome and other software products: The company can, by default, automatically update users' systems on Windows and Apple platforms. That's good for Google and for users in that it ensures people are running the newest, most secure version of the company's wares, which in turn helps to keep Google off top 10 lists of vendors with the most exploitable software. But Google seems to be the exception to the rule, and dealing with unpatched software remains a huge issue for the industry.

According to Kaspersky Lab, for example, Adobe and Java software now accounts for all 10 of the most popular successful exploits. Yet most of the holes discovered in those offerings are patched relatively quickly after public disclosure; it's just that people aren't downloading the patches. According to Zscaler's latest "State of the Web" security report, for example, more than 56 percent of enterprise Adobe Reader users are running an outdated version. This trend is not overly different for many of the world's most popular applications.


For example, according to Microsoft (my full-time employer), only 3 percent of Microsoft Office exploits targeted vulnerabilities that had been patched in the preceding year; put another way, 97 percent of exploits targeted vulnerabilities for which patches had been available for a year or more. Fifty-six percent of successful exploits were against systems that had not patched Office 2003 since the day it was installed; more than five years had gone by without a single patch.

When I go over to friends' houses to help clean up malware, I almost always see hundreds of megabytes of patches begging to be installed, with apps sending pop-up messages asking if it's OK to install, only to have the user delay over and over again. My friends always ask, "Should I update this thing?" Uh, yes.

These types of statistics and experiences probably make you wonder why all the major vendors can't automatically update their software without end-user approval, like Google does with its Chrome browser and other products. (For clarification, Google Chrome only automatically updates on Windows and Apple platforms by default. Auto-updating can be managed or disabled. On Linux platforms, updates are covered by the normal package update mechanisms.)

The major answer is that any update from any vendor can potentially cause operational issues. If an update causes operational issues, there's a potential for a lawsuit. Microsoft was lambasted years ago for updating its automatic update mechanism, even though it caused no operational problems, was configurable, and warned the user performing the installation.

It's true, to a degree, that if vendors better tested their patches, users wouldn't be scared to automatically accept updates. But in a world where there are millions of customized applications and hundreds of thousands of different hardware components, no vendor can perform 100 percent comprehensive compatibility testing.
