Geekspeak: December 11, 2001

By Timothy Dyck  |  Posted 2000-12-11 Print this article Print

Windows update site falls behind the times.

Microsofts windows update web site, which is blessed with prime real estate right off the Start menu, claims to be the place to "download and install the latest updates for your computer." That statement could instill a false sense of security. Any manager intent on avoiding security breaches should get on the Microsoft Product Security Notification Service mailing list because it typically issues security alerts several weeks before the Windows Update site does.

I recently confirmed that the Windows Update site consistently lags behind the notification service, which is available at For example, an important security alert, MS00-086 ("Web Server File Request Parsing"), warned that remote users can run arbitrary operating system commands on an Internet Information Server server. The alert states, "Microsoft strongly urges all customers using IIS 5.0 to apply the patch immediately." The notification service announced the patch on Nov. 6, and, as of Dec. 1, the Windows Update site had made no reference to it. I updated the IIS 5.0 machines I manage by hand on Nov. 7.

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelors degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a masters of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel