When Google released the first version of its Chrome web browser, many eyebrows were raised over the fact that it updated itself automatically and silently, in the background, without user intervention or even so much as a notice. As it turns out, this has been a brilliant move by Google, as Chrome users are the most likely to have up-to-date installations of their browser, followed at a respectable distance by Firefox users. Safari and Opera trail behind significantly.
The news comes from a report engineered by the Swiss Federal Institute of Technology’s Stefan Frei and Google’s Thomas Duebendorfer, in which they accumulated version strings off Google servers all over the world. They then looked at how many people upgraded to a new version within 21 days of its release. The numbers are shocking – security fetishists may want to avert their eyes.
Overall, they found that 45.2% (!) were not using the latest version of their web browser when visiting Google’s servers. As we all know, browsers are increasingly being used as an attack vector, so not running the latest version of your browser is just asking for trouble.
Diving deeper into the figures, they found that Chrome is the king when it comes to deploying updates: within 21 days of the release of Chrome 1.0.154.48, 97% of Chrome users hitting Google’s servers had the update installed. Firefox came in second, with 85% of Firefox users hitting Google’s servers having updated to Firefox 3.0.8 within 21 days. Safari users lagged behind considerably, as 53% of Safari users had updated to Safari 3.1.1 within 21 days (Safari 3.2.0 and 3.2.1, which raised the minimum OS version requirements, did even worse: no more than 33%). Opera, which forces its users to install updates as if they were fresh installations, did the worst: only 24% of Opera users installed Opera 9.63 within 21 days of release.
As you can see, the silent update feature in Chrome works the best, followed by Firefox’ one-click updates. Safari comes in third with its reliance on Software Update; let’s not even get started about Opera. In case you’re wondering, Internet Explorer is left out of the picture because its version string does not differentiate between minor versions.
When it comes to web browsers, silent updating simply is the way to go to get users to upgrade to the latest, more secure version of their web browser. Some have reservations about auto-updating tools, mostly thanks to hideously bloated updaters from Sun and Adobe. However, Google’s background updating service takes only 816k of memory on my systems, and since it all happens silently, you’re never bothered by pop-ups or other workflow-interrupting elements. Note that Google’s updating service is available as open source under the Apache license, so you can check whether or not it does anything fishy.
I guess both Safari and Opera (and probably IE too) can really learn quite a few things from both Chrome and Firefox when it comes to updates. Especially Opera might want to take a look at its updating scheme, and implement at least some sort of updating mechanism that’s slightly less 1995, instead of worrying about Microsoft and IE tying.
I would always choose to be notified of an update and given the chance to decline. I have been bitten many times by software updates (including security updates) that caused instability and conflicts with other packages. UI changes and feature loss have also happened during updates so bypassing the users ability to say no is never a good idea. At least if I am told an update has been done I know where to start looking for solutions to problems.
The best way of managing updates is to show a dialog box notification at startup with a choice and a delay before it can be cleared, then allow the software to update itself. Having to download a new version by visiting a web site is a pain that is unnecessary in 2009.
If the option of silent updates is available, at least give us a choice. Silent updates for the less experienced, and a choice for those who understand the risks.
I would instead prefer auto-updates like Chrome with the ability to change the setting for users who wants to.
Cause we all know that average Joe will go with defaults, and they need updates the most. So to protect ME from spam and botnets, I want all the Joes out there to have updated software. And we will only get that if we just skip asking about it.
I, too, would prefer if Google Update provided settings for frequency and notifications. Vote for relevant bugs here:
http://code.google.com/p/omaha/issues/list
(edit: fixed the link)
Edited 2009-05-07 09:44 UTC
This is the best solution for most people.
You simply can’t trust the average user to update their installated apps, have silent updates as the default with the option to turn them off somewhere deep in the preferences menus. Don’t give average users the chance to reject an update, otherwise they might end up constantly ignoring it if they consider it to be annoying.
Yeah.. because there’s be no outcry if Microsoft did that on Windows….
Even though i personally find it intrusive that software updates itself (even if you turn it off, acrobat anyone?) i find it a nessessity in this day and age that browsers keep themselves uptodate. I will find a way to turn it off, but the average joe won’t know or care. So the fact that her/his browser keeps itself uptodate security wise, is a good thing for all of us!
I personally would love for FireFox to stop asking about those stupid updates and just do it automatically. I have my Linux also set up to automatically download and install any updates once a day. I don’t need to know about every single update nor do I wish to.
Yeah, I hate that Ubuntu and Firefox can’t update themselves quietly. I always have to click stuff and it interrupts my workflow. I don’t even read the list of updates in Ubuntu anymore, it’s never anything interesting anyway.
The problem gets worse when you get new updates 5 days a week. I have been really close to ignoring the icon and that’s bad.
Ubuntu had a great philosophy on their new notification system (the computer should not tell the user what to do, the user should tell the computer what to do). Why not apply that on updates as well?
Interestingly if as you state you are not interested in new features you can in Ubuntu, and wait for Ubuntu to Upgrade.
System(Menu)–>Software Sources(Menu Item)–>Updates(Tab)–>Automatic Updates(Title)–>Check for Updates(Checkbox:Daily)–>Install security updates without confirmation(Radio Button)
BTW I leave the example above as to why stuff if clearer to do though the command line.
Yes, but that’s only the security updates. I still get that annoying icon when there’s the usual bugfixes. I *only* want to do a manual upgrade when it’s time to upgrade to a new release of Ubuntu.
Minor upgrades (bugfixes and security fixes) should be done automatically and without my knowledge.
There’s a nice utility that system administrators have been using for years to automate just such tasks: cron.
Also applicable to ubuntu, is cron-apt.
http://www.builderau.com.au/program/linux/soa/Automatically-update-…
I have to say that I don’t update the software on my computer. If the application takes care of updates in the background, great, otherwise…The old version stays. I know it’s bad, but I don’t make time.
If you don’t have the time, then why are you on OSAlert?
As I said, I don’t make time
You always make time for what you want and you never make time for what you dislike…
I got a fairly average internet connection and sometimes I wonder why my downloads are going so slow. Then later comes firefox prompt telling me it has ‘just’ downloaded updates and I need to restart it and all.
I end up thinking why the hell? Last time it happened I stopped the automatic updates. I will update you when I got time and bandwidth now don’t be a spoiled kid firefox!
This is one reason why i will not install Chrome.
I believe Opera 10 includes an auto update feature, this will be a great improvement on the very long winded way they go about it now. Mind you if you use Linux as any sane person should it does auto update. It’s just the non existence of a similar feature in Windows, but then with the speed of windows updates I’d be sitting here half the day waiting for all my apps to update.
Safari doesn’t even have a feature to be able to check if you are on the latest version, or a link to their website in the menus.
Minor versions should always update in my opinion as there should be very little feature change in a minor version. Users should not be able to ‘take the risk’ of being out of date.
Not completely sure about the Windows version, but Safari updates come in via the OS update function which checks “weekly” by default. This can be changed to daily, monthly or checked off.
Users can, of course, check manually any time their hearts desire from the Apple menu.
As far as Windows goes, I’m pretty sure Apple installs an application that keeps track of the updates for Safari, Quicktime and iTunes. Can’t remember what’s it’s called, but I bet it works just like “Software Update” does on a Mac.
So in other words… go to one place to check for updates for all of Apple’s products vs each individual product.
Edit: Perhaps you could make a feature request to be able to launch the software check from each application on Windows to trigger the centralized updater. You can submit feedback from the “report bugs to Apple” menu item.
Edited 2009-05-07 17:41 UTC
I have been managing our mixed Windows/Unix network for the past year and a half and frankly, the amount of windows clients that are not updated when they are supposed to is shocking.
To alleviate this situation, I installed WSUS and wrote a login script to change people’s update server to WSUS. WSUS reported that 92% of machines where up to date.
I sent out several emails over several weeks urging people to update their systems, with screen shots showing them how to do it. After two months of this, the percentage dropped to (only) 73%.
Yesterday, I had enough and implemented a GPO that forced updates on people’s machines, then let them have 15 minutes to reboot. One guy, our sales director, had not updated his laptop since he was issued it three years ago and had to reboot the system over and over again. As I wasn’t there, he sent a guy into my office, got a colleague to log him in and changed the GPO back to the way it was before. I found out about it this morning and after telling my boss, the shit has hit the fan!
I have prepared a statement to the CEO in which I explain the dangers of not keeping an up to date network (just think conflicker!). The thing is, the sales director’s laptop is currently our largest vector of attack as he uses it at home for all kinds of crap.
I could scream with frustration!
One guy, our sales director, had not updated his laptop since he was issued it three years ago and had to reboot the system over and over again. As I wasn’t there, he sent a guy into my office, got a colleague to log him in and changed the GPO back to the way it was before. I found out about it this morning and after telling my boss, the shit has hit the fan!
Wow That’s like… err, duh? Doesn’t he understand why the updates are there in the first place?
Exactly! This guy is putting himself and his comfort before the whole company!
Thing is, he doesn’t realize that the firewalls we have running here in the office don’t protect him at home and with the sensitive information he has stored on his laptop, the flying spaghetti monster only knows what people would do with it if he ever did “join” a botnet.
But what is definitely the worst part of it is that we are a company of IT consultants, both ICT and development! If not even we can keep our network properly patched, what hope is there for anybody else?
Ah, the joys of IT. In my previous job, I did a lot of computer (re)training for people who had suffered brain injuries or had learning disabilities – and oddly enough, those folks were usually quicker on the uptake than most salespeople or MBAs I’ve worked with.
From my experience, while most people understand that tools, automobiles, and appliances often need regular maintenance… when it comes to their computers, they expect it all to happen by magic and for them to know nothing and be required to know nothing. It wouldn’t surprise me at all, therefore, to have encountered this situation and for the person in question to have absolutely no idea why the updates are there in the first place or why it would concern them. I’ve known people who brought their computers to me saying they don’t want to install updates and asking for me to turn them off… because, for some reason, they were under the assumption that each security update required them to pay money for it. They seriously thought that each update shown by Windows update would require payment and that they were new versions of the os. Nedless to say I corrected those mistaken assumptions and would not show them how to turn updates off and applied them right there in front of their eyes so they could see how it was done.
So, there’s your answer. Yes, people are that naive when it comes to keeping their computers maintained, and there’s your answer as to why there’s so many botnets and so much identity theft… The core cause isn’t Windows as some believe, it’s foolish people, and for this there is no cure.
ESPECIALLY on a laptop that is being used outside the firewall.
I would love to see a group policy that doesn’t allow computers to join the domain unless they are up to date. I’m sure that would fix this problem fairly quickly.
Pretty good idea. You should be able to set a few rules around this to say “Software x should be at version y if you want to do z or even get on the network”.
While I always think users should be in control of what gets installed on their computers, in this case it is quite clearly a system administrator in charge of that who should be enforcing this and the technology should help him/her. As for vendors arbitrarily updating software, I don’t agree with that at all. Certainly in an organisational setting it’s impossible to keep track of what is being run.
!!!!
i was in a similar situation, but, it was a member of our design department (who works very hard on .net win2003, and crap like that) who came to my service to put shit in the fan because on his computer, ie7 was now on (yes, he still used ie6!!! ie8 was already out at that time)
i was too scary!!!
Give him a VM with IE6 on it. If he is web designer he needs to test his apps in IE6.
yes, that why i forced him to upgrade to ie7, i knew that the design departement had several bunch of vm for a while (i didn’t make them, they make them by theirself), so no excuse for not having their working machine in a secure state while their test machine remain unsafe for test purposes….
Poor bastard
I always hated tiny programs running in the background checking for updates. I’ve seen windows systems with more than 10 of those things.
Only when the program is started or running it should be allowed to check for updates. When updates are available I prefer possible user interaction.
A notification the way firefox does is nice and that linked to a timer. A yes button to download and install immediatly, a no button when you choose not to update and if you don’t act within x seconds it starts to download and install the update. For major versions also a more info button or a link to the website could be nice.
That whole “even though you opened me to browse the web, you are going to have to wait while I download an install another 8 meg version of myself” thing is one of the many reasons I hate firefox.
total bs, when was last time firefox autoupdate for end users asks for 8MB download?
and you think chrome is any different in “while you open browser to surf, Im gonna download patch”?
do you realize the irony in your argument?
On windows anyways, it downloads the latest installer. And the difference is that if I am opening the web browser, it is because I want to browse the web. I don’t care about the bandwidth, I care about not being able to do what I want to do when I want to do it for no real reason.
Firefox on Ubuntu doesn’t run the Mozilla update, so you have to get all the pieces and of course, they’re listed separately. So instead of an update smaller than 1 MB, you end up with several megabytes.
When I downloaded 3.0.10 on Windows, Firefox didn’t like the partial update, so it downloaded the full update instead of trying another partial and then, the full update.
Still, it’s better than Safari on Mac OS X because I have to download the full update, plus restart the operating system.
Don’t even get me started on the apple updater. I would rather have firefox then have something install buggy drivers without asking me, that conflict with whole classes of hardware just because I am updating my browser.
I found your comment somewhat bizzare. Its often easy to forget that some people are still on dialup and 8MB is a lot. That said I would suggest letting your Hardcore Microsoft Mentality go simply becuase Microsoft products have insanely large updates.
I remember a couple of years ago, and a lot has changed for the worse since then, considering Mobile broadband. There was a deal where you got the first 1GB cheap. When discussing it with one of my work friends, he demonstrated Updates required for the Microsoft platform…and they soon racked up “printer drivers” using hundreds of MB, Abobe using more etc etc. I was shocked.
I do understand some of your arguments regarding Microsoft products now. The Microsoft Platform if left unattended gets seriously out of date. If you leave a machine for months you have hours of work to get it to the latest and greatest…Including Microsft Update that requires many restarts.
Where did he say anything about Microsoft?
Lineage and track record.
I would suggest letting your Hardcore Anti-Microsoft Mentality go, I wasn’t talking about microsoft in any way, shape, or form, I was talking about their largest and most successful competitor.
It doesn’t have to do with the bandwidth, it has to do with having to wait to use my browser. Its the difference with it happening transparently, and making you wait a minute and a half and click through a bunch of dialogs (if you are on broadband).
LOL I have never been anti anything, hell I’ve love Vista, and the netbook users using a 9 year old OS. I’m loving even more the start of the reports of Windows 7 being *Marginally faster* than Vista.
But in a serious response to your post. Do you smoke crack. To install and use any Microsoft OS you have to agree to give up serious rights to a major legal document, have to type in a 24code verification, and will have to make a phone call. You have to agree constantly to a whole host of click through dialogs…just to run a program, a much critisied feature. Thats ignoring all the firewall/Virus etc update checks to keep Windows clean or all the Adobe/Flash etc updates….and well all the OEM updates from Dell/HP all the other Applications from drivers to games. Seriously if Firefox annoys you its the Microsoft Way. Linux by comparison has a one click stop to update *EVERYTHING* and includes controls to how manual or automatic you want it.
You are funny
I am completely uninterested in discussing anything to do with microsoft with you. If you want to stay on topic, thats cool, but you have yet to comment on anything that I, the article, or anyone else here are talking about.
Well said. Give ’em hell!
/OT
^aEURoeIE8 will not automatically install – the user has control over whether to upgrade to IE8. When offered IE8, three choices are offered: Ask later, install, or don^aEURTMt install”
Understand something this is about IE8 and precious little else, and you know it. Take the above statement and argue one way or the other. Pretending this is not about Microsoft is just plain silly.
Huh? We’re talking about Chrome and Firefox here… where did IE8 and/or Microsoft come into the equation? Either you’ve misunderstood the article and all the comments so far, you’re rabidly anti-microsoft even when they’re not being talked about… or you’re smoking something very potent, in which case I could use some of it today.
I have absolutely no real clue what this thread is about, but I gather that you’re bitching about the fact that Firefox downloads an update in the background without disturbing you and when you fire up Firefox again you have to wait thirty seconds for the update to take effect?
How do you think service packs work? How do you think hotfixes work? How do you think updates to most software work? You’re bitching about one browser?
I set update on windows to go automatically in the background, and I find it kind of irritating when it interrupts my workflow with requests to reboot, or keeps me from doing what I want to do and presenting me with a progress bar.
Chrome doesn’t bug me with pointless wizards, useless dialogs, or wait times on updates. It behaves exactly as it should, by default install new updates as they are available, with a way to turn it off and trigger it manually if you are in an exceptional situation.
You don’t have to wait for Firefox to download the update(s), it does that in the background, while you are surfing the web. You only have to wait while it installs the update. Which rarely takes more than 60s (usually < 30s).
This is the best solution !
I decline everytime firefox wants to be upgraded because I need to restard the browser. Noooooo !!!
I always have no less than 30 tab opened, and i don’t want to lose them or to reload them.
Making auto update from google and I hope for firefox will be the best solution.
(but autoupdate from Microsoft is risky…)
Firefox will re-open your tabs after a restart. There is no reason except ignorance not to update.
So with my internet connexion I should wait for him to reopen tabs ??? Many tabs ?
I wish windows would do the same. Firefox just wastes my time while I wait for it to update and redownload the page I had open. Windows wastes my time and totally disrupts my workflow.
It is such rude behaviour how windows does not put your applications back to where the the were when it started updating. If applying updates resulted in all my applications being reopened with everything just how I left it, I would not procrastinate applying updates as much.
Try running Firefox as a limited user and forgetting to turn off auto-update. If you tell it to go ahead and apply the update, it just fails. Worse, every time you start Firefox it will try and fail to apply the update, and it will never go away until you dig into your Application Data folder to delete it. Serious PITA.
You can hide the update window after clicking download update. The next time you start Firefox it updates. Now where did this interrupt your ‘work’flow?
Some people like to keep Firefox open for months just to avoid reloading their tabs, mostly because they have a royall ass-ton of them opened at the same time. Ever heard of “Firefox taking 2gb of RAM”?
I’ve heard this many times, specially from people constantly whining that FF leaks memory (having 50 youtube tabs open at the same time has nothing to do with the huge memory consumption, of course) and I still don’t get it.
But that’s just my two cents, of course.
Are you talking Firefox or Flash. Firefox 2 had regressions and new features…firefox 3 is a no brainer to upgrade to and I suspect 3.5 will the same. Memory consumption is less than other browsers now, and a embedded version is coming.
Flash on the other hand is painful and the only major binary blob on my system. I update religiously to each version of gnash in hope that its a real replacement…but as yet it disappoints. Its simply closer.
That said this mentioning memory thing in anything other than move to firefox 3 or stick with firefox 1.5 is just silly.
I used the memory topic as an example of how sometimes people make a huge problem of something that can be solved just by restarting the browser from time to time.
Edit: Just to clarify, FF 2 had some severe memory management issues, but it was possible to aleviate them with a little care.
Edited 2009-05-07 18:36 UTC
Good article, thanks Thom. Will make a good discussion point on the podcast.
Edited 2009-05-07 11:50 UTC
While I agree with the posters here that auto-updating has its merits, I do think it should be possible with every auto-update script to tell it to notify rather than download/install everything automatically. I don’t mind firefox doing all this automatically because I don’t use it as my daily browser, but if suddenly, windows says “You need to restart” and starts bothering me every so often about it while I’m working or writing, that’s just annoying.
So windows update is set to download but not install, and I go through the updates once a week to install everything I deem important enough.
Also, I’m a fan of Opera’s system. It has the update check, so i know there’s a new version, and it then allows me to download the upgrade install file seperately, save it somewhere if I want to, and I can then upgrade my opera installation whenever I want.
I’m the kind of guy who, after Opera tells me there’s a new version, will download it and install it before continuing, though.
Chrome doesn’t do that. It’s completely silent. Nothing happens. No dialogs. No notifications. No restarts. Nothing.
Lets be honest this is more about defending Microsoft auto-updating than anything Goggle of Mozilla is trying to do. This is tiresome
Microsoft Abuse their auto-update mechanism. They do not trust it for it adding WGA updates that actually break many systems, which is more than a little annoying when you have genuine versions.
…but even without that there have been many examples of software that offers regressions, breaks compatibility especially when software is revolutionary rather than evolutionary has everyone forgotten the regressions that were simply too much in firefox 2 as opposed to 1.5 even though it some really cool features.
Linux beats Microsoft simply because its all evolutionary, and its update mechanism is simply make Microsoft look like a last century OS. Hell I get exited pushing the update button. Google is in the same boat with chrome right now.
Basically a Revolutionary product requires more trust and Microsoft doesn’t have that. Chrome is an evolutionary product and requires less trust which it has.
…and thats my worst post for some time
Chrome/Google does many things behind the scene..Collecting clicks, installing auto google updater on C:\ …non-removable tracking cookie, All for improving THEIR customer service?? bull**
I am amazed open source champions allow this to happen…
TRY QTWEB BROWSER. It is exactly same as chrome minus surfing naked….
You could try use this to protect your privacy on Chrome:
http://www.abelssoft.net/unchrome.php
-Ad
Firefox goes out of its way to give people the choice about practically everything whereas Chrome goes out of its way to remove as much choice as possible.
Now I get that most people should give up the right to manage security updates but I still think they should have a choice to give it up.
816k of memory and a few cpu cycles are very little for a good updater. It is very likely that if you have 30 programs installed they could all have a 1MB updater all running in the background. Other programs only run the updater when the program is run.
The best of both worlds would be to give people the choice to install updates silently and only run the updater when the program is run. Or have 1 updater like Linux.
Appupdater can keep all your apps up to date on Windows.
http://www.nabber.org/projects/appupdater/
Just giving it a go. It didn’t get one of its own repositories which is a little annoying. The trouble with these solutions is that its another layer of installers. i.e. when I booted up I had “Windows Genuine Advantage Notifications” and “Windows Flash Installer” both pop up to start” thats with auto-updates switched on.
Okeydoke it identified 8 of 45 non-microsoft programs 5 that were out of date. Thats not really a good sign, and does not compare favorably with Ubuntu which is now moving towards a stable version of the packages/OS/Drivers/Codecs from one application…Its a different world.
I recently switched from Firefox to Chrome. And I must say, I don’t regret even one bit (rare case for me when switching softwares). It has some cool functionalities like Anonymous Browsing, menuless interface, each tab on a separate process. If one tab goes down and crash, the others remain intact – and the browser does not crash or close with all tabs.
I switched, and encourage you to do so. Chrome is a clever browser, and it’s getting better and better. Webkit is superior than Gecko.
Anyone remember Netscape 6? Firefox was the very code from it. It was slow and crawling. I believe it is still that way, it just got faster because computers got faster. Ok, I will give Firefox some credit: they’re the pioneers for leading a war with IE. Opera also has been presenting the world the coolest features.
But I think Chrome was smarter and grabbed the best of each browser out there.
/me expecting Chromium as the next Ubuntu thing, getting to be the main system browser. (Yes, bye Firefox).
Ignoring some of the more anti-firefox points. I think that a chrome has some excellent features…and I personally would love the bastard child of a firefox/chrome coupling.
im surprised a tech savy guy doesn’t understand netscape 6 was 9 years ago.
remember KHTML? chrome is the same code base from that.
I guess You don’t believe Darwin at all.
Netscape 6 was laid on Gecko, which is pretty what it was these days. KHTML was much faster than Gecko 9 years ago. It is still faster.
Firefox is a nice browser, but yes, it got somewhat annoying and bloated. And the “Mo” developers took 10 years to develop what Opera came up with in less than 5 years ago (tabs). Firefox is still the older toy, but Chrome managed to come up with yet un-thought features such as anonymous browsing.
Firefox was designed to keep the open-source spirit alive. Chrome was designed to people who want the most out of the web.
Code reuse reduces development time, understand Bloat etc etc.
Opera did not come up with tabs
Chrome does have lovely features, but not ad-blocking
Firefox was designed to browse the web
Seriously chrome is great browser, but lets not make stuff up.
with as easy and worry free as the google updates have been, i think it should be standard. don’t give the user a choice. honestly.. when you do and you start getting a bunch of infected machines then you end up with giant botnets.
Chrome for Linux and Mac is the Duke Nukem Forever of the tech world. It will never come to pass. Yeah they can post screenshots, they can talk big but until I see an actual binary Im not getting my hopes up. So we will probably be waiting another few years with talk from Google, “Its coming”