Why Silent Updates Boost Security
Venue
ETH Zurich (2009), pp. 1-9
Publication Year
2009
Authors
Thomas Duebendorfer, Stefan Frei
Abstract
Security fixes and feature improvements don't benefit the end user of software if
the update mechanism and strategy are not effective. In this paper we analyze the
effectiveness of different Web browsers' update mechanisms, from Chrome's silent
update mechanism to Opera's update requiring a full re-installation. We use
anonymized logs from Google's worldwide distributed Web servers. An analysis of
the logged HTTP user-agent string that Web browsers report when requesting any Web
page is used to measure the daily browser version shares in active use. To the best
of our knowledge, this is the first global scale measurement of Web browser update
effectiveness comparing four different Web browser update strategies. Our
measurements prove that silent updates and little dependency on the underlying
operating system are most effective to get users of Web browsers to surf the Web
with the latest browser version. However, we found that there is still room for
improvement. Chrome's advantageous silent update mechanism was open sourced in April
2009. We recommend that any software vendor seriously consider deploying silent
updates, as this benefits both the vendor and the user, especially for widely used,
attack-exposed applications like Web browsers and browser plug-ins.
