The browser is the most widely used application for accessing the Internet. Microsoft Internet Explorer has the highest market share, at over 60%, which makes it the most attractive target for malicious content on the average desktop. IE vulnerabilities should therefore be given the highest priority and patched promptly. Yet our data shows that this is not what happens. Our cumulative, anonymously gathered data shows that users overall treat browser patches just like all other patches: IE's patch deployment cycle correlates very closely with that of other patches, critical or non-critical, even though exploits for browser vulnerabilities start appearing within days of their public release (see MS09-002).
We believe that IE patches are well understood and tested so extensively by Microsoft that they should be deployed promptly. An extensive in-house testing period is probably not warranted for most companies, as the impact on business-critical applications is limited. One interesting approach to improving patch deployment speed for IE would be to remove IE from the monthly patching cycle altogether and integrate automatic patching capabilities directly into the browser. Microsoft should rethink the patching cycle for IE and enable fast patching similar to that of other browser vendors, such as Google's Chrome and Mozilla's Firefox, which require little or no interaction from the user. IE8 could be a great opportunity to investigate such a capability.