Silent patching works, but at what cost?
Last week, the ZDNet Zero Day blog summarized a report by researchers from Google Switzerland and ETH Zurich as follows:
Google’s decision to silently update the Chrome browser — without the user’s knowledge or consent — has put the company at the head of the pack when it comes to securing modern Web browsers.
Indeed, the report noted that, unsurprisingly, the less user intervention and aggravation required to update the browser, the more likely the browser is to be up to date on a given user's machine. It concludes by trumpeting Google's own Chrome browser as a success story: its silent updates keep users' browsers patched. It goes on to encourage other browser vendors to adopt a similar strategy.
While the technical mechanism in question sounds like an effective and efficient way to update browsers, the lack of user control inherent in Chrome's system is concerning. There is no clear notice during installation or operation of the software that it will be updating itself automatically. (I didn't read the entire EULA, but then, neither will most users.) There is also no obvious place in the program's options screen for disabling this feature, in case you want to test different builds or have some particular objection to auto-updates or to a particular change in a newer version.
StopBadware has always been committed to the principle that users should be presented with the information and options necessary to make decisions about how software is installed, updated, and used on their computers. Google should be applauded for seeking new ways to increase browser security, but it should also be held to the highest standards for disclosure and user choice.
What are your thoughts about Google Chrome's silent updating? Let us know over at BadwareBusters.org.