The Mudcat Café™
Thread #72841   Message #1347413
Posted By: JohnInKansas
04-Dec-04 - 03:37 PM
Thread Name: Tech: XP Service Pack 2 - yes or no
Subject: RE: Tech: XP Service Pack 2 - yes or no
ESPECIALLY FOR THOSE WITHOUT WINXP-SP2:

Microsoft has just issued an "Out of Sequence Critical Update" for virtually ALL WINDOWS USERS. This is only the second time that they have deemed a patch "Critical Enough" to interrupt the normal monthly cycle of AutoUpdates, since the "scheduled release" procedure was instituted 2 years ago.

The ONLY Windows versions that do not need this patch are WinXP-SP2 and Windows Server 2003. The vulnerability affected does not exist in these two. They rewrote a lot of code for WinXP-SP2, so maybe it got removed by accident(?). For the "hopelessly obsolete" there are some older versions of IE not affected, but it's not likely many people will have them(?).

If you are using AutoUpdate, you may already have received this patch. It was on my Win2K machine by about 03:00 today. If there is any question, I'd suggest checking with the update site to be sure you get it.

Details - probably more than you want to know - are at Microsoft Security Bulletin MS04-040: Cumulative Security Update for Internet Explorer (889293) (TechNet Bulletin). This is the "TechNet" version, and there probably is a more "user friendly" blurb somewhere for "non-techs," but it does include links to get the patch appropriate to your system, and tells you if you are one of the few who shouldn't install it.

The "good news" is that, despite recent notices of non-support for older Windows versions, there are updates specific to Win98, Win98SE, WinME, Win2000, and WinXP-SP1. The bad news is that since Microsoft has stated that these systems would be patched only when an "extremely critical" vulnerability was found, the release of these patches underscores how serious they believe this patch is.

Note that this is shown as an IE patch, but if you run Windows you should patch this vulnerability even if you don't use IE for browsing. The vulnerability can be accessed and used even if the virus gets on your machine by some other route.

What happened? According to earlier reports, the vulnerability was found in August. Details "went public" in November. Although there were a very few "exploits" of the vulnerability when it became known, it was not considered "critical" until someone hacked into two "Banner Ad" servers about two weeks ago and replaced a few ads with virus-infected "substitutes." The people who run the affected Banner Ad sites initially reported "very few users affected," but the indication now is that the virus-infected messages/ads were quite widely distributed, making everyone vulnerable.

For those who haven't thought about it before, most of the "banner" and "sidebar" ads you see on web sites are not stored on the server from which you get the page. The advertising is often stored separately on "Ad Server" sites, and is linked into the page that the site you visit displays. In many cases the site you visit doesn't even get to decide which ads are displayed, and many Ad Servers rotate them, according to a schedule or randomly.

While your AV may intercept the virus, if it's up to date, the common use of spoofing and disguise and the number of virus methods in circulation for disabling AV make it advisable that the vulnerability itself be removed by installing the patch where appropriate.

John