Well, if Halloween didn't spook you, there was plenty of IIS news to keep you on your toes. Fresh off the new vulnerability that rain.forest.puppy released, here comes a flood of new problems. Be sure to take note of three new vulnerabilities just in the past week, not to mention the big hit Microsoft itself took.

In my April 11 Commentary, I shared some of the exploit pages that I keep up with. Since that column appeared, new sites have emerged, and I figure it's time to update the list. I've also heard from subscribers to this UPDATE about sites they like. Here's an updated site list.

First, bookmark the official Microsoft Security Site. All the patches come from this site. I make a practice of keeping hotfixes and service packs up to date on a server share at my shop and routinely burn a CD-ROM with them. Sometimes, a network share just isn't accessible when you need it. Don't forget that you can expand hotfixes and service packs with the /x switch. (I usually expand the hotfixes before storing them, which lets me keep up with what's being installed and in what version.)

I also believe that it's prudent to see what other security sites are reporting. For the most part, Microsoft encourages vulnerability hunters to jointly release bulletins with patches to avoid announcing a vulnerability ahead of the patch. Such was the case last week when Georgi Guninski announced a new vulnerability with cross-site scripting and Microsoft Index Server. Guninski took issue with Microsoft's response time to a vulnerability; he informed Microsoft, then announced it anyway, which stirred a debate about the value of early disclosure.

Whatever your belief about early disclosure, I recommend that you bookmark a few of these sites. Some of the sites I visit regularly that are worthy of bookmarking include the following:

These are the more active sites that cover Microsoft and other vulnerabilities. Other sites come along, and I'm sure you have some favorites, too. Feel free to pass them my way, and I might mention them in a future column.

One last note: Some hacker Web sites can contain material that some folks deem inappropriate or offensive. Be sure to check your office policy for viewing such sites. None of the sites mentioned in this column contains such material.