This is the second month in a row that Microsoft has released a critical security update outside their normal Patch Tuesday release window. This one is for the rampant exploitation of Internet Explorer.
Now both my readers know that I'm just going to say - once again - that friends don't let friends browse with Internet Explorer.
This raises some interesting questions about Microsoft's patch procedures, though.
Why doesn't Internet Explorer automatically update itself? Firefox does. The browser is the biggest source of risk for 80% of Microsoft's customers. This shouldn't be done via click-her-to-download, and it shouldn't be done by Windows Update. Users should get a message saying "I've just updated some critical security fixes, and want to restart Internet Explorer. That OK?"
They don't do this. Why not?
Is the Internet Explorer browser a core component of the Operating System? Back in the late 1990s, Microsoft told the Justice Department that the browser wasn't just an application, no matter what Netscape said. It couldn't be removed from the OS, they said. Judge Thomas Penfield Jackson removed it, via the normal Add/Remove Software, in 90 seconds.
If it is, then Windows is probably unsecurable. If it's not, why doesn't the browser auto-update?
Something very strange is afoot.
Meanwhile, those of you still on Internet Explorer, it's easy and painless to change, and it's the single best thing you can do to improve your security.
UPDATE 16 December 2008 19:40: It's two out of cycle patches in three months, not two in two months.