.:Computer Defense:.

While building a fully patched Windows XP VM the other day, I decided to also install IE7, however for the sake of "snapshotting", I performed a full update (via Windows Updates) but unchecked IE7. After I rebooted and took a snapshot, I went back to install IE7. Windows Updates downloads the file and kicks off the installer, but then you're left with the IE7 standalone installer. I start clicking through the various options and get to a screen: "Would you like to download the latest updates for Internet Explorer 7?" I want this VM fully patched, so I check the box and the next screens I see say "Downloading Updates" and "Installing Updates". The install finishes (IE Version: 7.0.5730.13) and I figure I'm good to go, however I always do one last running of Windows Update to check the "Optional" updates to see if there's anything I need. I run Windows Update and, low and behold, I have a new critical update waiting for me... it's the patch for MS07-050. Apparently download and install updates, doesn't mean all updates to Microsoft, just the ones they want to give you. This leaves me slightly concerned; if, as a regular user, I go and use Windows Updates to obtain IE7, I could be vulnerable until I decide to visit the page again. So let's say I'm anti-Automatic Updates, but I still browse to Windows Update once a month, that's a potential 30 day window where the system is vulnerable. If I only check every couple of months, that window increases. Bottom line, if a piece of software tells you that it is checking for updates... it should obtain all updates, not a subset of them.