A paper comparing the update mechanisms for several different web browsers was published by Google and ETH Zurich yesterday. The full text can be found here, with a blog post accompanying it. As expected, Firefox and Chrome are updated fastest: Firefox because of the in-your-face warnings when a new version is available, and Chrome because updates are installed automatically without any user intervention at all.

While successful automatic updates are good for security, there are some potential problems. One of them is the risk of malicious updates; since Google has released the source code for their updater (Omaha), anyone who wishes to do so can check whether or not they want to trust this mechanism for updates.

The paper suggests that users are already used to automatic, silent updates:

Interestingly, this optimal case is actually widely in use nowadays with software as a service in the form of Web based (e.g. AJAX) applications. Code in many Web application implementations changes frequently without the user even noticing it as most is done “under the hood” and not visible in the user interface.

I think that comparing updates of web applications to automatic updates of a web browser is comparing apples to oranges; for one thing, the SaaS provider controls the entire environment that is running the application, reducing the risk of unexpected failures and making it easy to roll back an update in case of problems. It’s also easier to verify that the correct updates are installed if the entire environment is under the control of a single entity.

Another issue is deciding which updates should ask for user approval. I know I wouldn’t have been happy if Firefox had decided to update itself from version 2.0 to 3.0 automatically.

But, on the whole, I agree that more applications should do automatic updates or, at the very least, warn the user if they might be out of date. And I completely agree with one of the conclusions of the paper: having security updates depend on other updates is a bad idea.

In the case of Apple Safari 3.2.1, we have noticed that coupling browser and operating systems and consequently requiring the user to have a recent operating system patch level in order to be eligible to install a browser update should be avoided. Apple left an additional 20% of Apple Safari 3.x users behind with an outdated browser version compared to the previous update to Apple Safari 3.1.2, which did not have these requirements.