Built-in browser expiry proposed to fight botnet menace

Nearly half (45.2 per cent) of all internet surfers neglect to regularly update their browser software. Slackness in applying updates in a timely fashion leaves an estimated 637 million surfers vulnerable to drive-by download attacks, according to a new survey. Figures in the survey come from a study of user-agent data …

COMMENTS

This topic is closed for new posts.
  1. Tim

    IE updates

    I get my updates from Windows Update, but the missus got hold of it once and installed IE7 by accident. Now I have a computer with the really slow Vista-style crappy browser, rather than the slightly faster IE6. Forcibly making people do this will give them the hump.

  2. Anonymous Coward

    T&Cs

    If there are guarantees that new versions will be free (or at least, free to people who have legitimate copies of the old version) and will not require new terms and conditions to be agreed to then I don't see a problem with this, but without those guarantees I can see there being some resistance to upgrading to the first version that comes with an enforced 'best before' date.

  3. Conrad Longmore

    IE6 is not out of date

    IE6 is not "out of date"... well, apart from the fact that it is a truly crappy browser and it is inherently less secure than almost anything else. Microsoft still roll out patches for IE6 (usually every month) - using a fully patched IE6 installation is going to be more secure than using an unpatched IE7 installation, so the IE6 vs IE7 argument doesn't really hold water.

    Also, there are a fair few corporate machines still running Windows 2000. IE7 isn't supported on that platform for whatever reason, IE6 is still the latest version (and is still supported).

  4. Anonymous Coward

    IE updates

    One reason I'd suspect that they don't get updated much is because Microsoft patches restart your computer. And instead of messing around with figuring out how to stop it from doing that, people just turn the auto-updaters off.

    There are few things more annoying than finding your computer restarted in the morning, deleting work you'd rather not have had deleted.

  5. Webster Phreaky

    deleted work?

    "There are few things more annoying to find your computer restarted in the morning deleting work you'd rather not of had deleted."

    Crikey! So Windows now deletes your work files when it restarts? It's even worse than I thought...

    If you're too lazy to click "Save" before leaving your PC then you get what you deserve!

  6. Marco van de Voort

    Dial-up

    One of the reasons that this hasn't been done till now is the vast, but relatively silent, masses that are still on dial-up. I enabled updates and get an FF update of a few MB several times a month; I wouldn't like that on dial-up, especially since the risks on dial-up are already way lower.

  7. James Dunmore

    Auto Updates?!

    FF and Opera check for the latest version at startup and randomly during your session and say "do you wish to upgrade". Therefore the browser can be updated there and then when needed, and not mixed into an update a month next Tuesday or whatever it is.

    No need for a best before if it's done automagically is there?!

  8. Doug Glass

    O I C

    The ultra-intelligent gurus can't figure out how to solve their problems so their solution is to force "corrective action" on others. Following that logic General Motors should install auto-update features (no pun intended) in their cars that force the driver into the nearest dealership to "upgrade" their soon-to-be non-functioning vehicle to a new one. Maybe it would just have "reduced functionality" a la M$ and you can start the engine but the transmission won't engage. Of course that new vehicle would have new tires which are safer ... I guess.

    Somehow the idea of being forced into an action, either good or bad, with a piece of equipment I own outright just doesn't sit too well. Of course I have the option of no surfing and going back to my real life. Which may be the ultimate answer to all computer related problems.

  9. Leo Maxwell

    firefox updates

    Thing is, FF updates only restart the browser, not the PC, and are usually applied on start up of the browser automatically.

  10. Mark Broadhurst

    How will you get people who don't update to update?

    Sounds like a catch 22 to me?

    Let's also face the unpleasant prospect that, even if browsers did expire and you had to update, people would complain that they are being forced onto the new version when they don't think it's ready yet.

  11. Andy Barber

    Corporate PCs

    Well, my corporate laptop runs Win 98, so has IE6.

  12. Jess

    The problem is when the updated versions require an OS change.

    I know a lot of people who are using Windows 98 (or even 95) or Panther. They are locked out from Firefox 3.

    I can understand why Microsoft or Apple lock them out from their latest Browsers, but why Mozilla? Surely Win 9x and older OS X users are a captive audience? (They support minority systems like Vista.)

    It is quite ironic that it seems more likely I will be able to run Firefox 3 on my RISC OS machine than my Mac or PC. (Unless I use Linux.)

  13. Rich Harding

    We get what we deserve

    "instead of messing around with figuring out how to stop it from doing that people just turn the auto updaters off"

    I'm sure I'm not the only person who long ago had enough of this attitude. If people can't be arsed to work out even the simplest things for themselves (in this case for example how to get Windows to download updates but not install them until told), they can go fornicate. I am sick to the back teeth of everything having to be dumbed down for those who just cannot be bothered. It's a corollary to the whole Health and Safety culture where those of us with a clue or maybe just more of a sense of adventure are restrained due to the incompetents.

    It's no different to driving a vehicle - 30% of people on the roads shouldn't be there but because they are we all have to put up with insanity like traffic lights on roundabouts at 2AM. If you can't drive your computer responsibly, sod off somewhere you can't interfere with those who can.

  14. Paul

    Fanboiz...

    "Firefox users "typically updated" within three days"

    Because they are frothing fanboiz poised for the latest update to crash the download servers?

  15. Gordon Pryra

    simply confuse less web-savvy users

    By that you mean people who don't read the dialogue boxes?

    It's about time that people actually looked after themselves and read what is on the screen.

    Just clicking "yes" should have the punishment of a public flogging

  16. Andrew Wood

    An update reminder in IE is all that's needed.

    Surely all that would be needed is a popup at IE startup that works independently of the often turned-off automatic updates, showing that an update is available.

    So long as it's a pain in the ass to turn off for 'normal' users then they will update just to get rid of the nag screen. Group Policy/registry hacks should be able to turn off the nag, of course, for the technically savvy who should know better.

  17. Anonymous Coward

    And the practical upshot of this is...

    Everyone will have to keep buying new computers as the newer browsers no longer run on the old ones.

    Sheesh! I am still running IE5 on Win95 (and know people using older installations, believe it or not). I have better things to do than spend £500 every three years or so to replace equipment that is perfectly adequate for the task (to say nothing of being forced to buy Vista these days).

  18. Kevin Bailey

    How about this for an idea?

    What you could have is a single, simple notification icon in the system tray which can tell you if ANY of the software on your PC needs updating. (It could also pop up a message.)

    Then, when you click on the icon, a dialog should ask for an admin password as a safety measure. After all you shouldn't be using the PC day-to-day as an administrator!

    Then ALL updates for ALL installed programs are downloaded and applied. Generally, this should not require a restart.

    These updates should be free forever for the software you have installed and should never ask for license keys or EULA agreements.

    Oh, hang on. Sorry, bit late. This is exactly what my Ubuntu laptop from Dell does already! Silly me.

    I've even carried out two operating system upgrades (from 7.04 to 7.10 and then to 8.04) which have given me the latest software such as FF 3.0 etc. Took slightly longer than the time for usual updates - but was just as easy.

    Add to that the thousands of free programs available by just clicking 'Add/Remove programs' selecting the programs from a list and then clicking 'Apply'! Again, new programs will get updates in the same way as the existing programs.

    Don't worry too much about all of the problems with Windows - a better solution is available and is becoming very popular. The sooner you make the switch - the sooner your problems will just 'blow away'.

  19. Anonymous Coward

    Hmmm...

    How do the developers know what date to set the expiry to? Do they rush the next version just to get it out before the current one goes out of date? That increases the likelihood of more bugs/security holes. Can't see this solution working.

  20. Simon Painter

    But it's mine...

    It's odd how the same people who whinge about wanting OSS everywhere because they want to 'own' everything are also the ones who whinge about how something should be done about the numpties who become part of botnets. Either you enforce something (like this) or you leave it up to people to keep their kit up to date and bug free.

    Personally I would prefer ISPs to cut off users who have malware running on their computers until they are clean again. ISPs won't do this unless they are forced to because it will annoy their customers and force them to handle extra helpdesk calls until the problem is resolved.

    I am currently looking at NAC/NAP solutions and would love to see all ISPs implement solutions where malware-infected users are quarantined in an area where they can access updates, patches and AV sigs until their machine is clean enough to let onto the internet again. Web and email traffic could be redirected to an autoresponder that advises them of the problem and gives them some hints on how to clean their machine. That way we get fewer bots on the net without impacting on the people who are smart enough to keep their machines clean.

  21. Simon Neill

    Bleh....

    Yeah, I'm in a corporate environment with limited slots to do network-wide upgrades... what do I do when the browser "expires" in the middle of a big project?

    Safety be damned, we have 3 firewalls and 2 different virus scanners to keep us safe.

  22. AC

    "confuse less web-savvy users"

    oh boo hoo, maybe they shouldn't be on the internet then.

  23. Barry Tabrah

    Bad idea

    We still run ECDL courses that require IE6 in order to run.

  24. Wayland Sothcott

    Not a new proposal

    A similar thing was proposed by an American politician a couple of years ago: mandatory Windows security updates, you can't turn them off. Here is why such a thing is a bad idea.

    1. If someone hijacks the process they have mandatory access to ALL computers.

    2. It gives Microsoft greater power.

    3. It's probably illegal to sell crippled software so you will probably need a licence to release any software in future.

    4. Windows 98 is hardly affected by viruses at all, since XP is the current target. Forcing everyone to run the same version reduces 'bio-diversity', making everyone vulnerable to the same exploits. It also reduces the amount of testing required since it only has to work with the current version.

    To encourage browser compatibility you just need to put some checks on some vital websites, like Google, to show a browser out of date webpage. That way people will either upgrade or boycott your website.

    I have a suggestion. Write the software correctly in the first place. Oh, but the whole IT industry is in a constant upgrade->bugfix->upgrade->bugfix cycle. If you did not roll out new bugs with the upgrade or new upgrades with the bugfix then the whole thing would stop, with everyone happy with their computers.

  25. Anonymous Coward

    Fanboys skew the stats

    I still get two and a half times as many FF2 requests in my logs than FF3.

    I don't believe over 83% of FF users have already upgraded to version 3.

  26. Eric Van Haesendonck

    Not really feasible

    This is not feasible for the simple reason that too many people rely on software that is not updated anymore.

    For example I still run Firefox 1.5 on one of my computers because the Sunrise extension that I depend on to clip content to my Treo isn't (and will probably never be) compatible with newer releases of the browser.

  27. Sim

    Firefox 3 is horrible

    Firefox 3 is horrible - I uninstalled it after 5 minutes and reverted to Firefox 2

  28. Graham Marsden

    @people who don't read the dialogue boxes?

    Consider the following situation:

    1) I can touch type, i.e. I don't have to look at the screen when I'm typing.

    2) I'm in the middle of composing a reply on a web page input box when I look away to check a reference

    3) Whilst I'm looking away a dialogue box pops up on my screen saying "a new update is available, do you want to download it?"

    4) I start to touch type again and then look back in time to see the message triumphantly vanish because I've just hit Return and it had taken over focus from Firefox with "yes" selected as the default option.

    That happened to me just a few days ago.

    Update boxes should *NOT* seize focus and take over from what you're doing (although at least it's slightly better than just assuming you want the update anyway as $ome other companies do...!)

  29. Anonymous Coward

    What about rarely used computers?

    I have a computer at home which I haven't booted up in nearly a year. I get more than enough hassles from having to download updates on the occasion I do use it, without getting hassles for downloading said updates without updating the update downloader. It can take its turn like everything else and I'll be the one to choose the order.

  30. Anonymous Coward

    Opera users have to upgrade

    Coz Opera 9.5 was so unstable.

    I've never had a browser crash so often.

    Fingers crossed that 9.5.1 won't be so bad.

  31. Anonymous Coward

    @Dial-Up

    I still think a big risk of dial-up is the silent trojan web-dialer reprogramming of your Windows data call number, changing from the local number to a super expensive - and actually quite fast - Ukrainian or Togolese service provider. I've seen it done, with a €2K bill in a month! Of course my shiny fruit on dial-up is perfectly safe (yesterday's 10.5.4 safety update was just around 581 mega!!!!)

  32. Keith T

    Excellent Idea! Stops those who want fast insecure software

    1. This is an excellent idea !

    Tim (first post) is an example of a user wanting to use an old less secure version of software because it is faster.

    Of course IE6 is faster ... it isn't making all the security checks that the more secure IE7 would do.

    There are people who don't apply security updates to their OS and others who turn off their AV to make their systems go faster.

    2. How about a big red screen warning popping up if you try to use your browser or download email when the AV is turned off, when the AV is not monitoring web traffic, or when the AV signatures are more than 24 hours old.

  33. KenBW2

    Updating software

    Forced upgrades don't sound too good, even if I do personally want to stab and destroy IE6... This is from the same industry that is clinging to XP.

    "Oh, hang on. Sorry, bit late. This is exactly what my Ubuntu laptop from Dell does already! Silly me."

    You beat me to it

  34. Anonymous Coward

    I have no use for FF3

    FF2 works just fine for me and I will decide as and when to upgrade, not anyone else!

  35. Kevin Kitts

    From the non-automatic updater's point of view...

    My virus scanner has automatic updates, but I turned them off because when auto-update decides to auto-update, it spawns a new (Windows XP) process with equal priority to whatever else I was doing (like playing a game of Crysis with all options turned to maximum). My computer ACK!'s and dies when this happens, so I turned the damned auto-update systems off permanently. When I feel like updating, I will.

    Windows XP has the ability to set the process priority level, but these damned shoddy programmers don't even bother to make use of it. Any constantly-running program should be running with the lowest priority in the background, so as to not interfere with the important stuff that I bought the computer for in the first place. But even then, the scanner I use gives me a 50% CPU spike from time to time, *even when it's not updating*. Why? I have no freaking clue.

    Maybe it's communicating with the mothership. Maybe it's communicating with home base to provide me with a hand-holding message that "you really should turn auto-update on so you can be as safe as we can make you". Maybe some hacker is using my anti-virus software to spoof my system and look around. Maybe the anti-virus company is looking around on my computer without telling me about it, just like the warrantless-wiretapping fiasco in the US. Maybe the government is peeking in my computer, too. But can my anti-virus software tell me which it is? Noooooooo. Why? Because either they aren't doing their job correctly, or they're breaking the law.

    I sent this question this week to my anti-virus software company's tech support: Why does my CPU get spiked by my anti-virus software when I'm not running it, and I have all automatic updates turned off? Answer: Silence. Nothing. Nada. Zilch. Zero. What they wish they could say: It's a *trade secret* how our product works - if everyone knew our source, they could exploit it. Therefore, we can't tell you why this is happening, because if we said anything, our asses would be showing, and we could get sued by everyone who uses our software.

    Well, hell, we're right back to square one again. Write good code or GTFO.

    Furthermore, Windows Update tells me that IE7 is required to make my computer more secure. Well, if the computer doesn't do what I want it to do, in a reasonable timeframe, then the computer is worthless. I run a fairly tight OS, so IE7 didn't hurt me much (more in the klutzy interface than the actual run-time speed). However, if they decide to put a time-bomb in future browsers, I can always go to the public library to do my web-surfing - my computers run efficiently, or not at all. The library computers have virus scanners, too, so I won't need one of those at home either. And the time-bomb won't matter to people who are running current browsers, because they're not updating them anyway. You'd have to sneak-force an upgrade on them (Windows Genuine Advantage, anyone? Perhaps XP Service Pack 3?). Do you see what that means? It means that if they keep trying to *force* us to upgrade to crappy, non-backwards-compatible software, they will lose money. LOTS of money. After all, I forgot to mention Linux and Firefox - FREE. My rule is that the new software MUST be as good as the old software, or it doesn't get installed. No saving throw, no motion to reconsider - out the door it goes.

    My point is that being up to the latest and greatest (yeah, right) version is NOT going to give you absolute security. As was mentioned before, the price of total security means the program gets bigger and slower, forever until the end of time (unless the hardware keeps getting faster forever, and that's unrealistic). Maybe if the governments and industry focused on interdicting the motives of the criminals (like the profitability of bot-nets, for instance) rather than reacting to the criminal acts, maybe they could cut out the source of the crime, and this cycle could be broken. Until then, it's up to the software writers to put out fast, efficient, and secure products. Remember, you can never stamp out crime, you can only make it so difficult that most people won't attempt it.

    And on a personal note, I believe that any company that deliberately writes crappy code just to stay in business should be forcibly disbanded by the government as a national terrorist threat and a fraudulent organization (and their CEO/Board of Directors should be imprisoned as such).

    Of course, if the government is using the anti-virus companies to covertly hack into our computers without us knowing it, my personal note will never happen, and the industry is doomed anyway. It's George Carlin's definition of customer service all over again.

    And since this is a British website, they're probably tapping my transmissions anyway, so I just gave them a horrible idea, even if they weren't already using it. :(

    Oh well...

  36. anglo

    many reasons for not updating IE

    I only use IE in Windows on a virtual machine to test the kind of mess it makes of my web design. I have to test IE5, 6 & 7 as each version makes its own particular kind of mess. No doubt IE8 will introduce some new hellish experiences for web designers.

    Being as the wretched programme is an intrinsic part of the operating system, I would never allow it to connect to the internet on a non-virtual machine. I would never let M$oft update it & mess my system about.

    My golden rule is never allow any M$ programme to connect to the internet. Use a non-M$ firewall & you can probably get away with using windows.

    After applying sp2 to my virtual XP in order to get IE7 & seeing just how horrible the whole process is for XP windows users I have no surprise at all that people don't bother to update.

  37. Charles Manning

    @Dial up

    Who cares about dial-up bots!

    They're too bandwidth constrained to contribute more than a few % of botting.

    Also, most people would soon twig that their PC is dialling and blocking their phone line and either turn it off or unplug the modem.

    Botting is almost entirely due to people that are connected to broadband (so they have high bandwidth and don't know their PC is busy yammering away on the internet) and too lazy to turn their computers off.

    An off computer can't bot. Period. This is a security model that the daftest person can understand.

    Very few people have a need to leave their PCs on the whole time (yes, there are P2P-ers but not many).

    Some say that turning computers off breaks them. I say bollocks. I very seldom leave a computer running over night (unless I'm doing long-run software testing). At the moment (winter) I'm powering them up at sub-freezing temperatures in the morning. In summer I often power them up at > 40C. Nothing is breaking. Been doing this for 20 years.

  38. Jeffrey Nonken

    @Webster Phreaky

    Yes, lose all your work. Like when you're doing a 16-hour video conversion, or some other massive number-crunching that you let run overnight. I realize that since this isn't an issue for you, you have no sympathy for anybody for whom it is. But simply hitting "save" won't prevent that problem when the automatic upgrade very nicely reboots the computer when unattended.

    BTW you're not a superior life form. You just have delusions of adequacy. No reason to sneer at everybody who doesn't think like you.

  39. Raife Edwards

    This has actually been a long-planned part of "Trusted Computing"...

    Microsoft now calls it "End-point to End-point Security". It is part of Vista, and was retro-fitted to XP (via SP3). It is also, already, integrated into the switching-hardware used by most ISPs.

    Basically, this allows external entities (such as Microsoft, and your ISP) to determine what software/OSes/applications users are "allowed" to run... what components MUST be installed ("updates", "versions", DRM, etc)... what settings MUST be used... And, effectively, what is, thereby, DIS-ALLOWED.

    Needless to say, this is highly opposed by most of the people who actually understand what this really means. So... I guess TIME-BOMBED software is simply another way to forcibly impose this CORPORATE WET-DREAM on consumers.

    Oh yes... I want private companies to be able to tell me, exactly, what products (and applications) I am allowed to run, and when I HAVE to accept new products... externally-mandated changes to my equipment... and any new LIMITATIONS (that some corporate-interest decides are "important").

    Furthermore, I am sure they would NEVER abuse such power.

    Yeah, right...

  40. Tim

    @keith T - why dont we all do what you think is best

    I don't want a SLOW computer that is SAFER. I want a FAST computer that is still SAFE. IE7 is NOT safer than IE6; in fact it hasn't had time for all the problems to be found yet. So feel free to sit in your bubble of safety and just wait until some 12-year-old's botnet infects you......

  41. Ken Hagan

    Why Microsoft don't ship other people's patches

    "Then ALL updates for ALL installed programs are downloaded and applied. Generally, this should not require a restart. [...] Oh, hang on. Sorry, bit late. This is exactly what my Ubuntu laptop from Dell does already! Silly me."

    All updates for ALL installed programs? Last time I looked, Ubuntu weren't distributing the latest VMware patch.

    Microsoft *have* been asked if they'd be willing to host third-party apps on their Update site. They've refused. The main obstacle is liability. If end-users grab an update from the MS site and it hoses their system, MS get the blame. Now that does happen from time to time, but since it (currently) *is* their software (and a few certified drivers) being distributed, the blame is deserved. MS get enough grief from their own mistakes without taking the flak for everyone else's.

  42. Anonymous Coward

    Numpty of an idea

    "The theory is that a built-in expiry date would ensure that more users update in a timely fashion. Ollmann concedes that opponents may argue that the concept would simply confuse less web-savvy users without having the desired effect."

    Expiring the user's browser because of no updates is a great-sounding idea.

    Errr. hello.

    How does one then resolve the problem at that stage? Browser disabled, no way for the average Joe to install/download a new browser to fix the old browser.

  43. Anonymous Coward

    restarts...

    "If you're too lazy to click "Save" before leaving your PC then you get what you deserve!"

    Er, some of us have large jobs that run overnight. Finding your PC has rebooted midway through that is quite annoying...

  44. Anonymous Coward

    IE6-IE7 is not a security patch

    Stop conflating security patches and version upgrades.

    Going from IE6 to IE7 is not comparable to security patching Firefox; it's a version upgrade with new features and more comparable with the FF1-FF2 upgrade.

    Intra-version patching, which is what this article is actually about, is different. You'd need to compare actual FF patches with M$ updates. In corporate environments where a lot of IE users will be, such patches are applied if and only if required. In the 'wild' how can you tell if they've been applied - the agent string doesn't say.

    So this research seems a little bogus to be honest.

  45. Gordon Grant

    Oh boy

    Windows updater can be set to download but not install.

    AV updater, I can still play games with settings high enough to give me great graphics and game play and the av update loads in the background, still works.

    Hmm I'm still running FF2 as well, FF3 bombed out on me within 5 minutes.

    The other browser is IE 6; there is an IE 7 blocker that will stop you getting the update and you should be able to roll back IE 7 (just look in Add/Remove Programs - Windows Components and wait like 5 minutes; that used to be almost instant in Win 98).

  46. Mike

    How about this

    I'd rather a few specific major sites simply refuse to serve pages to out-of-date browsers. Try to search with Google, and instead of results it responds that your browser is out of date. Go to MSN.com and it informs you that you need to update. Of course, it won't happen unless someone provides them major incentive to refuse traffic.
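
Two of the technical threads in these comments rest on the same mechanism, reading the browser family and version out of the User-Agent string: comments 25 and 44 on what web-server logs do and do not reveal about who is up to date, and comments 24 and 46 on major sites refusing pages to out-of-date browsers. The Python below is an added example written for this page; it is not code from the article, the survey it reports on, or any of the commenters. It counts out-of-date browsers in a handful of constructed Combined Log Format lines and exposes the same check as a gate a site could apply. The "latest version" table and the log lines are hypothetical. The check sees only what the User-Agent exposes: Firefox advertises its full release number (e.g. 2.0.0.14), whereas IE reports `MSIE 6.0` whether or not the month's security patches are installed, which is exactly the limitation comment 44 raises. A User-Agent is also chosen by the client and trivially spoofed, so the gate is advisory, not a security control.

```python
"""Added example for this page: estimate the share of out-of-date browsers
from User-Agent strings in an access log, and reuse the check as a gate.
Not code from the article or any commenter; the version table and the
log lines are constructed for illustration."""
import re

# Hypothetical snapshot of the newest release per browser family. A real
# deployment would refresh this from the vendors rather than hard-code it.
LATEST = {
    "Firefox": (3, 0),
    "MSIE": (7, 0),
    "Opera": (9, 51),
}

# Order matters: Opera has historically identified itself as "MSIE 6.0" with an
# "Opera 9.51" token at the end, so it must be checked before the MSIE pattern.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("MSIE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

# Constructed Combined Log Format lines (private addresses, made-up timestamps).
SAMPLE_LOG = """\
10.0.0.1 - - [02/Jul/2008:10:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0"
10.0.0.2 - - [02/Jul/2008:10:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.3 - - [02/Jul/2008:10:00:03 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.4 - - [02/Jul/2008:10:00:04 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [02/Jul/2008:10:00:05 +0100] "GET / HTTP/1.1" 200 512 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
10.0.0.6 - - [02/Jul/2008:10:00:06 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51"
10.0.0.7 - - [02/Jul/2008:10:00:07 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.18.2"
"""


def parse_version(text):
    """'2.0.0.14' -> (2, 0, 0, 14). Tuples compare lexicographically, so
    (2, 0, 0, 14) < (3, 0) and (3, 0) < (3, 0, 1), which is what we want."""
    return tuple(int(part) for part in text.split("."))


def identify(ua):
    """Return (family, version_tuple), or None for agents we do not classify."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            return family, parse_version(match.group(1))
    return None


def is_out_of_date(ua, latest=LATEST):
    """True if the UA names a known family at a version below the snapshot.

    Limitation: only what the UA exposes is visible. Firefox advertises its
    full release (e.g. 2.0.0.14); IE says 'MSIE 6.0' with or without the
    month's security patches, so IE patch level cannot be judged this way."""
    ident = identify(ua)
    if ident is None:
        return False
    family, version = ident
    return version < latest[family]


def user_agent_of(log_line):
    """Pull the last quoted field (the User-Agent) out of a Combined Log line."""
    line = log_line.rstrip()
    if line.count('"') < 2:
        return None
    return line.rsplit('"', 2)[1]


def summarise(log_text, latest=LATEST):
    """Map family -> (requests seen, requests from an out-of-date version)."""
    counts = {}
    for line in log_text.splitlines():
        ua = user_agent_of(line)
        ident = identify(ua) if ua else None
        if ident is None:
            continue  # unknown or non-browser agent, e.g. curl
        family, version = ident
        seen, stale = counts.get(family, (0, 0))
        counts[family] = (seen + 1, stale + (version < latest[family]))
    return counts


def stale_share(counts):
    """Fraction of classified requests that came from an out-of-date browser."""
    seen = sum(n for n, _ in counts.values())
    stale = sum(s for _, s in counts.values())
    return stale / seen if seen else 0.0


def gate(ua):
    """The 'refuse pages to old browsers' idea from the thread: (allowed, message).
    Advisory only: the UA is chosen by the client and trivially spoofed."""
    if is_out_of_date(ua):
        return False, "Your browser is out of date; please update before continuing."
    return True, "OK"


if __name__ == "__main__":
    totals = summarise(SAMPLE_LOG)
    for family, (seen, stale) in sorted(totals.items()):
        print(f"{family}: {stale} of {seen} requests from out-of-date versions")
    print(f"out-of-date share: {stale_share(totals):.0%}")
```

Run as a script it reports one stale request per family on the sample (three of six classified requests, 50%); the `curl` line is skipped rather than counted as "current", which matters when a log is full of crawlers and monitoring probes. The line that carries both `MSIE 6.0` and `Opera 9.51` is classified as Opera because the Opera pattern is tried first; swap the order and the same request counts as an out-of-date IE6, which is one concrete way a user-agent survey like the one in the article can be skewed.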

  47. James Dunmore

    It's not FF2 vs FF3

    ...is it? It's FF2.x vs 2.x+1, or 3.x vs 3.x+1. So quit the arguments about fanbois upgrading to the latest and greatest, etc.

