Microsoft released a cumulative update for Internet Explorer (IE) on March 28, and believe it or not, this 6-week-old version is now obsolete, replaced by yet another cumulative update dated May 15. The latest IE update cleans up six new vulnerabilities, most of which are quite cryptic and difficult to exploit, and disables frame functionality for all sites in IE’s Restricted Zones list. After you install the update, Microsoft Outlook will be unable to open a new HTML window or automatically start a download when you read HTML-based email from a site on the restricted list.

You can download the update at http://www.microsoft.com/windows/ie/downloads/critical/q321232/default.asp, and you’ll need to reboot to replace open files with the modified files in the download. After you install this package, Hfnetchk and the Microsoft Baseline Security Analyzer (MBSA) report that they can't verify that you've installed the March 28 cumulative update. Because the May 15 update is also cumulative, Microsoft can eliminate this unnecessary audit flag by replacing the March 28 security entry in the online mssecure.xml catalog with name and version data for the May 15 release.

The Critical Update Notification Client
Do you like Windows XP’s automatic update feature? If so, you can duplicate this live update functionality on Windows 2000 and Windows 98 systems by installing version 3.0 of the Critical Update Notification client at the Windows Update site at http://windowsupdate.microsoft.com. (Windows Update is also available on IE’s Tools menu). Click the Product Updates link on the Windows Update home page to initiate a system scan. On the results page, click the Critical Notification Client in the Recommended Updates section, and click the download button at the top of the page. Windows Update downloads and installs the notification client. The installer also adds this utility as the Microsoft Windows Critical Update Notification in the Add/Remove Programs list.

When you install the Critical Notification Client, you explicitly give Windows Update permission to perform a product scan on your system. When the scan determines an applicable update is available, the client pops up a window that says you need to update your system and gives you two options: install the update immediately or install it later. When you delay the install, the client will nag you to update your system at frequent intervals.

By default, the Critical Notification Client initiates a system scan every 5 minutes, 24 hours a day, 7 days a week. To perform the scan, your system must have an Internet connection so the Critical Notification Client can access the Windows Update catalog; the scanner terminates silently when no Internet connection is available. I think the default 5-minute interval is ridiculous and recommend that you modify the schedule so the client runs a daily or weekly scan instead. To modify the interval, open Control Panel, select Scheduled Tasks, double-click the Windows Critical Update Notification task, click the Schedule tab, and select the daily or weekly option in the Schedule Task drop-down list. If you don’t have a permanent Internet connection, you might want to change the start time to a time when you’re usually online.

Windows Update uses a different method than Microsoft Baseline Security Analyzer (MBSA) and Hfnetchk to evaluate systems and report on missing updates. MBSA and Hfnetchk provide the most reliable results because they scan multiple products and are aware of updates that supersede previous updates. Until Microsoft modifies the Critical Update Notification client to use the same method, you might notice discrepancies in the recommendations. For example, Windows Update might report that a system is current when MBSA indicates that hotfixes are missing.
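The audit flag described above (a checker reporting the superseded March 28 update as unverified until the catalog records that the May 15 cumulative update replaces it) comes down to whether the catalog carries supersedence data. The following is an added illustration, not code from the article or from Microsoft's tools: a toy supersedence-aware checker modeled loosely on how mssecure.xml entries could be used. Q321232 is the May 15 IE update named above; the March 28 identifier is a placeholder because the page does not give it.

```python
"""Toy supersedence-aware missing-update check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CatalogEntry:
    qnumber: str                       # hotfix identifier a checker looks up
    product: str
    supersedes: frozenset = frozenset()  # earlier hotfixes this one replaces

# Placeholder: the article does not give the March 28 update's Q number.
MARCH28 = "Q_MARCH28_PLACEHOLDER"

# Constructed catalog as it stands: both entries present, no supersedence link,
# so a system with only Q321232 still gets flagged for the March 28 update.
CATALOG_BEFORE = (
    CatalogEntry(MARCH28, "IE 6"),
    CatalogEntry("Q321232", "IE 6"),
)

# Constructed catalog after the March 28 entry is marked as superseded by Q321232.
CATALOG_AFTER = (
    CatalogEntry(MARCH28, "IE 6"),
    CatalogEntry("Q321232", "IE 6", frozenset({MARCH28})),
)


def effective_installed(installed, catalog):
    """Expand the installed set with everything it supersedes, transitively."""
    by_id = {e.qnumber: e for e in catalog}
    covered = set(installed)
    stack = list(installed)
    while stack:
        entry = by_id.get(stack.pop())
        if entry is None:
            continue
        for older in entry.supersedes:
            if older not in covered:
                covered.add(older)
                stack.append(older)
    return covered


def missing_updates(installed, catalog):
    """Return catalog Q numbers not accounted for, honoring supersedence."""
    have = effective_installed(installed, catalog)
    return sorted(e.qnumber for e in catalog if e.qnumber not in have)


if __name__ == "__main__":
    print(missing_updates({"Q321232"}, CATALOG_BEFORE))  # flags the March 28 update
    print(missing_updates({"Q321232"}, CATALOG_AFTER))   # nothing missing
```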