> Subject: Microsoft Security Bulletin (MS00-009) > Patch Available for "Image Source Redirect" Vulnerability > Originally Posted: February 16, 2000 Given the large number of JavaScript-related security issues regarding the various versions of IE (4.0, 4.01, 4.01 SP1, 4.01 SP2, 5.0, 5.01), I'm surprised that no one has mentioned the fact that Microsoft has made it nearly impossible to secure IE. Why? Because fixes aren't quickly wrapped back into the distribution, nor is there a fast path to getting all the appropriate fixes installed. Download and install the latest release of IE (5.01). Are you safe? No. You first need several crucial scripting patches. After all, JavaScript defaults to "on" and IE defaults to scripting bugs. But, which patches? Click on "Tools->Windows Update"? That doesn't show the latest updates. Somehow know to go to the IE security page at http://www.microsoft.com/windows/ie/security/default.asp? Except, that doesn't make it clear _which_ patches you need. You have to individually go to each link; some will tell you if they apply, others will just let you download the patch. Given the ongoing nature of scripting problems, Microsoft should consider issuing a single, all inclusive, security patch. Each time a new fix comes available, update it. John
