Microsofts windows update web site, which is blessed with prime real estate right off the Start menu, claims to be the place to “download and install the latest updates for your computer.” That statement could instill a false sense of security. Any manager intent on avoiding security breaches should get on the Microsoft Product Security Notification Service mailing list because it typically issues security alerts several weeks before the Windows Update site does.
I recently confirmed that the Windows Update site consistently lags behind the notification service, which is available at www.microsoft.com/technet/security/notify.asp. For example, an important security alert, MS00-086 (“Web Server File Request Parsing”), warned that remote users can run arbitrary operating system commands on an Internet Information Server server. The alert states, “Microsoft strongly urges all customers using IIS 5.0 to apply the patch immediately.” The notification service announced the patch on Nov. 6, and, as of Dec. 1, the Windows Update site had made no reference to it. I updated the IIS 5.0 machines I manage by hand on Nov. 7.