I think it's irresponsible of Microsoft to make finding out about and installing software patches so hard. When you consider the huge number of people using Internet Explorer and other Microsoft apps, the amount of damage that could be caused to both individual systems and corporate servers is great.
I don't think software makers should automatically push updates to your computer--you should be able to find out what a patch will do to your system before you install it. But Microsoft could do a much better job of notifying the public when new security updates are available and make it easier to find detailed information about these flaws.
Case in point: If, as I did, you go looking for information about the IE patch on the Windows Update site, you'll be disappointed. The site briefly scanned my test system, and reported that no IE updates have been installed on it since last September.
But the Update site failed to mention the latest security update. I was, however, reminded to download updates from between September 2002 and February 2003--which sounded pretty out-of-date.
For the moment, though, let's assume you did hear about the new Internet Explorer patch, either from a tech news site (such as ZDNet), a friend, or your company's IT department. I hope that whoever tells you about the update can give you a link to the actual security bulletin (the one from April 23 was called MS03-015), because there's no easy way to find the bulletin on the Microsoft Web site. Your two best options are subscribing to Microsoft's Security Bulletin notifications (which requires you to sign up for Passport) or regularly visiting the Microsoft TechNet page.
Once you arrive at the bulletin, you only get the basics. It informs you that the cumulative patch fixes four newly discovered flaws. You also learn that anyone using Internet Explorer 5.01, 5.5, or 6.0 should download the patch, and that Microsoft has given this bulletin its highest rating of "critical." Near the bottom of the bulletin is a link to the proper patch for your version of Internet Explorer.
If you want to know more about the flaws, or get info about what the patch might or might not do to your computer system, you'll have to click on the links called "Technical details," "Frequently asked questions," and "Additional information about this patch."
Along with fixing these four new vulnerabilities, the update also patches other known flaws, including one found in the Internet Explorer 6.0 service pack 1.0, and one in the kill bit (a setting that prevents an ActiveX control from running in Internet Explorer). The latter vulnerability is discussed in greater detail in Microsoft's Knowledge Base Article 240797.
Though informative, the bulletin also left me scratching my head a couple of times. Take, for example, the following disclaimer: "this cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update." Hmmm... Had I installed the Help update or not? I had no idea. To find out more about this issue, I had to read Knowledge Base Article 811630.
What really bugs me, though, is that the Microsoft bulletin tries to dismiss the overall seriousness of the flaws, despite giving them a "critical" rating. The bulletin says a malicious user would have to host a Web site that contained a page created just to exploit these flaws. Microsoft makes this sound unlikely, but it's not. The Nimda worm took over Web servers and created pages on several sites that exploited a flaw in Internet Explorer, so there is precedent for such action.
The problem is, if you really want to know what's going on with this patch, you should just skip the security bulletin altogether and read the associated Knowledge Base Article. This article offers detailed instructions for installing the update, including whether or not you'll be required to reboot your computer--information you won't find in the bulletin.
After going through all this hassle, my advice for those of you concerned about the security of Microsoft software is to sign up for the Microsoft Security Bulletin notifications. Yes, I know, you'll have to sign up for Passport to get them. I wish it weren't so. But it's the best option available. Your alternative would be to watch tech news sites closely. The security bulletins, which arrive via e-mail every Wednesday, will alert you when updates are available for the applications you use.
But if you want more in-depth information about which flaws are being patched, or what the patch might do to your system, skip down to the end of the bulletin where it links the related Knowledge Base article. It's in that article that you'll find the details you really need. Why Microsoft makes it so hard to find them is beyond me.
Do you think Microsoft does an OK job of informing you about security updates? Why or why not? TalkBack below or e-mail edit@zdnet.com.au.
The info in this article is incorrect. You don't need Passport to hear about new Microsoft security bulletins.
"After going through all this hassle, my advice for those of you concerned about the security of Microsoft software is to sign up for the Microsoft Security Bulletin notifications. Yes, I know, you'll have to sign up for Passport to get them. I wish it weren't so. But it's the best option available. Your alternative would be to watch tech news sites closely. The security bulletins, which arrive via e-mail every Wednesday, will alert you when updates are available for the applications you use."
In fact, you do not need Passport if you sign up for the Security Update mailer. To do so, go to http://www.microsoft.com/security/security_bulletins/decision.asp. Check your facts next time.