Security Watch: Don't get burned by viruses and hackers.
Stay on top of Internet Explorer security issues
By Robert Vamosi 
Senior associate editor, CNET Reviews
May 7, 2003

Did you know that a new Internet Explorer security update became available on April 23? It's true. As always, it's very important to your computer's safety that you install it since several recent worms take advantage of IE flaws. But unless you know where to look, you may not have heard about this update or be able to get it. And that's a problem.

I don't think software makers should automatically push updates to your computer; you should be able to find out what a patch will do to your system before you install it. But Microsoft could do a much better and more responsible job of notifying the public when new security updates are available and could make it easier to find detailed information about these flaws.



Case in point: If, as I did, you go looking for information about the IE patch on the Windows Update site, you'll be disappointed. The site briefly scanned my test system and reported that no IE updates have been installed on it since last September.

Unfortunately, the Windows Update site failed to mention the new update. I was, however, reminded to download updates from between September 2002 and February 2003--which sounded pretty out-of-date.

For the moment, though, let's assume that you did hear about the new Internet Explorer patch, either from a tech news site (such as ZDNet News), a friend, or your company's IT department. I hope that whoever told you about the update gave you a link to the actual security bulletin (the one from April 23 was called MS03-015) because there's no easy way to find the bulletin on the Microsoft Web site. Your two best options are subscribing to Microsoft's security bulletin notifications or regularly visiting the Microsoft TechNet page.

Once you arrive at the bulletin, you get only the basics. It informs you that the cumulative patch fixes four newly discovered flaws. You also learn that anyone using Internet Explorer 5.01, 5.5, or 6.0 should download the patch and that Microsoft has given this bulletin its highest rating of "critical." Near the bottom of the bulletin is a link to the proper patch for your version of Internet Explorer.

If you want to know more about the flaws or get info about what the patch might or might not do to your computer system, you'll have to click the links called "Technical details," "Frequently asked questions," and "Additional information about this patch."

Along with fixing these four new vulnerabilities, the update also patches other known flaws, including one found in the Internet Explorer 6 Service Pack 1.0 and one in the kill bit (a setting that prevents an ActiveX Control from running in Internet Explorer).

Though it was informative, the bulletin also left me scratching my head. Take, for example, the following disclaimer: "This cumulative patch will cause window.showHelp( ) to cease to function if you have not applied the HTML Help update." Hmm...had I installed the Help update or not? I had no idea. To find out more about this issue, I had to read Knowledge Base Article 811630.

If you really want to know what's going on with this patch, you should just skip the security bulletin altogether and read the associated Knowledge Base article. This article offers detailed instructions for installing the update, including whether you'll be required to reboot your computer--information you won't find in the bulletin.

My advice for those of you concerned about the security of Microsoft software is to sign up for the Microsoft Security Bulletin notifications, which arrive via e-mail every Wednesday. Yes, I know that you'll have to sign up for Passport to get them. I wish it weren't so. But it's the best option available.

If you want more in-depth information about which flaws are being patched or what the patches might do to your system, skip down to the end of the bulletin, where it links to the related Knowledge Base article.

Do you think Microsoft does an acceptable job of informing you about security updates? Why or why not? TalkBack to me!

