Microsoft today said it will silently upgrade Internet Explorer (IE) starting next month, arguing that taking the responsibility out of the hands of users will keep the web safer.
The move is an acknowledgement by Microsoft that Google's model -- its Chrome browser has updated in the background without user involvement since it debuted more than three years ago -- is the right one.
"It's the future ... for all software," said Andrew Storms, director of security operations at nCircle Security. "At this point, at least in the consumer space, people are expecting software to be up to date, and for it to do it itself."
Microsoft must agree. Beginning in January it will roll out automatic upgrades of IE to the newest version suitable for a user's version of Windows. Windows XP users still on IE6 or IE7, for example, will be updated to IE8; Windows Vista or Windows 7 users running IE7 or IE8 will be pushed to IE9.
Previously, Microsoft asked for user permission before upgrading IE from one version to the next, even if Windows' automatic updates were enabled.
The company will debut the new practice in Australia and Brazil next month, then expand the program gradually to other markets. Microsoft declined today to set a timetable for U.S. users.
"I think auto-updating is a great step in the right direction for Microsoft," said Wolfgang Kandek, chief technology officer at Qualys, and someone who has urged Microsoft to institute silent upgrades since 2009. "I see this as an acknowledgement that auto-updating has worked very well, at least as far as a single component, like a browser, goes."
While Chrome is the only browser that currently upgrades to the next version without asking users for permission, Mozilla is working on doing the same with Firefox.
Originally hoping to add background updates to Firefox 10, Mozilla has recently pushed back the schedule and now aims to finalize the feature in Firefox 12, slated to ship April 24, 2012.
Microsoft's scheme differs from either Mozilla's or Google's, however, in that the company will let enterprises retain control of upgrades. Nor will it force updates on consumers who have already declined earlier offers to abandon an older IE.
Under its plan, IE will be silently upgraded only for those users who have opted in to automatic updates on the Windows Update service.
"[And] customers who have declined previous installations of IE8 or IE9 through Windows Update will not be automatically updated," Microsoft promised in a Thursday blog post.
Enterprises running WSUS (Windows Server Update Service), the most popular business patching and updating tool, or other patch management systems will not be affected.
"They're basically saying that if you set group policies through WSUS [to block automatic upgrades] that they're not going to override that," said Storms.
Companies and individuals can also deploy the blocking toolkits that Microsoft had previously crafted for both IE8 and IE9 to stymie any auto-updating. Those kits can be downloaded from Microsoft's website.
In future editions of IE -- meaning IE10 and beyond -- Microsoft will include an opt-out setting that users can select to disable automatic upgrades. While Chrome does not have such a setting, Firefox will when it eventually launches silent updates.
Both Storms and Kandek thought that Microsoft hit the right balance between its desire to get consumers on the newest IE and its traditional conservatism where enterprises are concerned.
IE security updates, which are delivered every other month through Windows updates, will not be affected, as they are already silently downloaded and applied if users opt in to automatic updates.
But the move gives Microsoft a new way both to kill off its aged browsers -- it's run an anti-IE6 campaign for over two years, going so far as to host an IE6 "deathwatch" website -- and pick up the development pace if it wanted.
The timespan between IE8 and IE9 was approximately a year -- fast by Microsoft's previous standard -- and the company seems committed to delivering IE10 a year after IE9.
Chrome and Firefox, meanwhile, change version numbers approximately every six weeks, letting their developers add features as they're completed rather than holding them for months until the next release cycle.
The change may also be a realization that IE needs to regularly refresh, as do Chrome and Firefox, in the increasingly competitive browser market.
In the last 12 months, IE has lost 7.8 percentage points in usage share, according to Net Applications, while Chrome has gained 8.6 points and Firefox has slipped by 1.4 points. At its current loss rate, IE will fall under the 50% mark as early as February 2012.
Even Windows 7 users, whom Microsoft regularly touts as its target audience, haven't rushed to adopt IE9, which debuted in March 2011. Currently, IE9 accounts for just under 25% of all browsers running on Windows 7, even though Microsoft concluded its non-automatic IE8-to-IE9 upgrade offer last June.
And Microsoft should expect some backlash, said Storms.
"That will happen. It's the natural knee-jerk reaction," he said, referring to the complaints regularly voiced whenever silent updates are discussed. Those grievances generally revolve around users anxious about losing control over what's planted on their PCs. "But because of the way they're doing it -- they're going to honor your choice, there's still a way to opt out -- I don't think it will be serious," Storms continued.
Kandek predicted little fallout from the move.
Overall, the experts applauded Microsoft for taking a long-overdue step.
"It's an opportunity for them to go with the tide," said Storms. "Every other browser does it, and the quality of Microsoft's IE patches and updates have been tremendous. So why not let Microsoft do it automatically?"