The lowdown on updates

T+D, Dec, 2003 by William Powell

If you've begun to wonder recently whether Microsoft and its related products are under attack, you're not alone. The steady issue of updates for vulnerabilities in Windows and Internet Explorer has chewed up several of my evenings as I waited patiently for my 56K modem to download the proper security patches and fixes.

As I write this, the latest is a critical security update for the Internet Explorer browser, ominously titled "Security Bulletin MS03-040 (828750)." Apparently IE--versions 5.01 through 6.0--has several vulnerabilities that would allow someone to run programs on your computer while you view a Webpage. It's not dependent on an operating system, as earlier vulnerabilities were. So, if you have IE installed on your computer, you need this fix.

There's just one catch: How would you know about that gaping hole in your computer's security if you're not one to read the various computer magazines, subscribe to some sort of email update, or receive an alert from your IT department? You wouldn't. And I'd wager that most casual computer users, though aware of viruses and their damaging effects, have no idea that the programs they use on a daily basis could have severe design flaws that would relinquish control of their computer to a hacker.

As more home users take advantage of always-on broadband Internet connections, either cable or DSL, they increase the chance that, if left unprotected, at some point they're going to have their computer exploited through a vulnerability in the operating system or an application. To Microsoft's credit, it has been quick to fix flaws in a product's security once it has been discovered, though some people would object to a product being released with such flaws in the first place. Nevertheless, it's a good time to increase your awareness of such vulnerabilities and start taking advantage of the online updates and security features offered.

Checking under the hood. The first thing you should be able to do is determine the exact software that you're running. An update will often depend on a specific operating system, such as Windows 98 or XP, or a specific version of an application--for example, Internet Explorer 5.5.

To find out which version of Windows you have, right-click on the My Computer icon on your desktop and then click on Properties. That will open the System Properties dialog box. Under the General tab, you'll see "System:" followed by the version of the computer's operating system.

For most applications, users can determine the product's version by clicking on Help (on the menu bar) and then on About. A window displaying the product's version will appear.

Download and update. Once you've determined the exact version of the software you're running, you're ready to update your system. Microsoft provides a dedicated site that will scan your computer for all available updates. At the site, just click on Scan for Updates. It will then provide you with a complete list of needed updates, critical and noncritical, as well as the more extensive service packs.

www.windowsupdate.com

Users should take a moment to pick and review the suggested updates. Critical updates and service packs are must-haves, but something like Windows MovieMaker 2 can wait.

Anyone who's using a dialup connection will want to download only those updates that are necessary. Some service packs can take an hour or two to download. Between updates for Windows, Internet Explorer, and Microsoft Office (Microsoft Office has its own update site), I had to set aside a few late nights to download what I needed. If you're fortunate to have a high-speed connection, you should be able to download and install all needed updates in an evening.

http://office.microsoft.com/ OfficeUpdate

Getting up to speed by installing the initial batch of updates is just the beginning. You'll want to run the scan once again, because some older updates must be installed first. You can then opt to be notified of future updates (Microsoft flashes a notice onscreen while users are online). Or, you can opt for regular email notification of security updates.

A word of caution: Hackers have been exploiting email notifications with an email that looks remarkably similar to an official Microsoft email from the email address support@ microsoft.com. In fact, it's the vehicle for spreading the Sobig-B worm. The email contains a program with the .PIF extension. Opening the file automatically infects your computer.

To be safe, if you do receive notification of an update from Microsoft, just go directly to the Windows Update Website rather than follow any links or opening any attachments.

It's automatic. In addition to receiving email notifications, Windows XP users have the option of an automatic update feature, which notifies users of available updates and then downloads them automatically, or with the user's approval. This is, by far, the easiest way to keep on top of updates.

Office users will want to double-check with their system administrator before setting up the automatic update feature. For home high-speed users, it's a worry-free configuration.