Microsoft today said it will silently upgrade Internet Explorer (IE) starting next month, arguing that taking the responsibility out of the hands of users will keep the Web safer.
The move is an acknowledgement by Microsoft that Google's model -- its Chrome browser has updated in the background without user involvement since it debuted more than three years ago -- is the right one.
"It's the future ... for all software," said Andrew Storms, director of security operations at nCircle Security. "At this point, at least in the consumer space, people are expecting software to be up to date, and for it to do it itself."
Microsoft must agree. Beginning in January it will roll out automatic upgrades of IE to the newest version suitable for a user's version of Windows. Windows XP users still on IE6 or IE7, for example, will be updated to IE8; Windows Vista or Windows 7 users running IE7 or IE8 will be pushed to IE9.
Until now, Microsoft has asked for user permission before upgrading IE from one version to the next, even when Windows' automatic updates are enabled.
The company will debut the new practice in Australia and Brazil next month, then expand the program gradually to other markets. Microsoft declined today to set a timetable for U.S. users.
"I think auto-updating is a great step in the right direction for Microsoft," said Wolfgang Kandek, chief technology officer at Qualys, and someone who has urged Microsoft to institute silent upgrades since 2009. "I see this as an acknowledgement that auto-updating has worked very well, at least as far as a single component, like a browser, goes."
While Chrome is the only browser that currently upgrades to the next version without asking users for permission, Mozilla is working on doing the same with Firefox.
Originally hoping to add background updates to Firefox 10, Mozilla has recently pushed back the schedule and now aims to finalize the feature in Firefox 12, slated to ship April 24, 2012.
Microsoft's scheme differs from Mozilla's, however, in that the company will let enterprises retain control of upgrades, and from Google's in that Chrome offers no opt-out for consumers. Microsoft will also not force updates on consumers who have already declined earlier offers to abandon an older IE.
Under its plan, IE will be silently upgraded only for those users who have opted in to automatic updates on the Windows Update service.
"[And] customers who have declined previous installations of IE8 or IE9 through Windows Update will not be automatically updated," Microsoft promised in a Thursday blog post.
Enterprises running WSUS (Windows Server Update Services), the most popular business patching and updating tool, or other patch management systems will not be affected.
"They're basically saying that if you set group policies through WSUS [to block automatic upgrades] that they're not going to override that," said Storms.
Companies and individuals can also deploy the blocking toolkits that Microsoft had previously crafted for both IE8 and IE9 to stymie any auto-updating. Those kits can be downloaded from Microsoft's website.
In future editions of IE -- meaning IE10 and beyond -- Microsoft will include an opt-out setting that users can select to disable automatic upgrades. While Chrome does not have such a setting, Firefox will when it eventually launches silent updates.
Both Storms and Kandek thought that Microsoft hit the right balance between its desire to get consumers on the newest IE and its traditional conservatism where enterprises are concerned.