Known in the past for taking a soft touch when it comes to forcing users to update their browsers, Microsoft's pulling off the kid gloves and going for a bullet to the head.
Come January, the company will start forcing people to update from older versions of Internet Explorer. If you have Automatic Updates enabled in Windows Update, Microsoft says that the update will occur in a seamless, Chrome-like experience.
The company already provides security updates to Internet Explorer through Windows Update, but this means that legacy browser users will see a full-point jump. Windows XP users on Internet Explorer 6 and Internet Explorer 7 will be upgraded to version 8, and Windows Vista users will be pushed up the stairs to Internet Explorer 9. IE9 doesn't work on Windows XP.
"As we've talked to our customers about our approach [to upgrading,] everyone benefits from an up-to-date browser," said Ryan Gavin, Senior Director of Internet Explorer for Microsoft. "But from a security perspective alone this is important. Ninety percent of infections that were attributable to a security vendor had a patch out for more than a year," he added.
Security problems are a tough stair to climb for legacy browsers. The latest Microsoft Security Intelligence Report is just the most recent in a long line of papers indicating that socially engineered malware is the biggest kind of threat facing computer users today, and that the malware often goes after security holes in browsers. These findings are based on data collected from more than 600 million computer systems in more than 100 countries. It's neither easy nor cheap to keep a team of dedicated security researchers and coders on a legacy browser.
"The security mitigations for newer versions of IE have proven to deliver consistent security improvements. Starting with IE8 and continuing with IE9, every new version of Microsoft's browsers has delivered a more secure browsing experience. We'll all be happier and more secure when we don't have to depend on users to install the most recent patches," said Andrew Storms, director of Information Technology at nCircle Network Security.
At first, the forced update will be rolled out only to Windows users in Brazil and Australia. Those countries were chosen, Gavin said, because people there use a broad spread of IE6, IE7, and IE8. "We're going for a slow ramp-up," not unlike how Microsoft rolled out Internet Explorer 9. Private individuals and businesses alike have been unanimously supportive, he noted, but added that Windows Update will allow people to roll back the upgrade.
Microsoft is keen to avoid the upgrade brouhaha that Mozilla created for itself earlier this year. "Businesses, particularly large ones, test patches before they are released to their employees and this process doesn't bypass that," Rob Enderle, a technology analyst with the Enderle Group, said in an e-mail to CNET. "The issue appears to be that most people just don't seem to be aware they need to manually update their browser (Microsoft doesn't market the updates heavily) or simply assume it is updated automatically. All browsers age badly and need to be regularly updated to remain adequately secure against threats."
The change in update policy will affect some aspects of how Internet Explorer has updated in the past, but not all. The update will continue to respect a person's default browser choice and default search engine, and users who have disabled Windows Update won't see an IE version bump. On the one hand, this is very polite of Microsoft, but it's also a tacit acknowledgment that there's little the company can do about people running cracked copies of its operating systems unless Windows Update is running.
Microsoft maintains a site, IE6Countdown.com, to track the worldwide decrease in Internet Explorer 6 use across all operating systems. Right now, less than 1 percent of northern Europe uses IE6, but more than 23.6 percent of China does, and the worldwide percentage stands at around 8.3 percent.
Interestingly, Microsoft could tumble and find itself burdened with the same legacy problem in a few years. Not only does Internet Explorer 9 not work on Windows XP, but the company has no plans to make Internet Explorer 10 compatible with Windows Vista. IE10 will launch on Windows 8. So it's entirely possible that in late 2012, you'll have Windows XP users on IE8, Vista and some Windows 7 users on IE9, and the rest of the Windows 7 users and Windows 8 users on IE10. While that's not directly analogous to the fiery, flaming security hellmouth that IE6 and, to a lesser degree, IE7, have become in recent years, it's an eventuality that restricted backwards compatibility makes hard to avoid.
Enderle said that this is a problem endemic to companies that build the browser as part of the operating system. "IE is one of the features of the OS so when Microsoft sunsets the OS, they sunset support for all of the features. XP has reached end of life. The other guys don't have to support the entire OS, and it gives them an advantage to go where Microsoft won't. On the other hand, Microsoft can better tune their browser for the new platform so that offsets. In a way it helps keep alternative browsers viable. Apple pretty much behaves the same way with Safari."
Still, Gavin makes a solid point about updates that's hard to argue with. "If you're running a 10-year-old browser, it's not good for the web and it's not good for the consumer. Getting more and more users onto a modern HTML5 browser is good for everyone."