Internet Explorer security

Security flaws continue to be found in all IE versions, putting your computer at risk from virus attack and data theft. It's essential that you download the latest security updates from Microsoft's Web site — don't rely solely on anti-virus software.

Security flaws also affect the Outlook Express (OE) e-mail program, which shares code with IE, and Windows itself.

With the release in January 2007 of Windows Vista and in August 2004 of Windows XP Service Pack 2 (SP2), the situation for IE/OE users is now different depending on your version of Windows.

Quick guide

All users: make sure you have a working firewall.

Windows Vista users: install all future security patches. Upgrade to IE8. Consider switching to an alternative browser and e-mail program.

Windows XP users: install Service Pack 2/3 and upgrade to IE8 or switch to an alternative browser and e-mail program. Install all future security patches.

Other Windows users: switch to an alternative browser and e-mail program. At the very least, install all security patches where offered. Alternatively, upgrade to Vista.

See also my general advice on browsers and versions.

Windows Vista users

You can use Windows Update.

Vista is supplied with Internet Explorer version 7. Together, they represent a significant security improvement over earlier versions of Windows and IE. However, new flaws have been discovered in both components and patches continue to be issued. If you wish to continue to use IE you should upgrade to IE8.

Windows Update can be run in four different modes, and it misses no opportunity to urge users to put it into Automatic Update mode. Automatic Update means that you are giving Microsoft full permission to install any software it chooses on your PC without further reference to you, now and in the future. It means you have no visibility or control over what is being downloaded and installed; how many downloads there are; how big they are; what they do; or when they are downloaded.

For reasonably experienced users who can simply remember to check Windows Update monthly, we recommend taking the manual option so that you can see what's going on, on your own PC (it's your PC, not Microsoft's). Microsoft issues security updates in batches, on the second Tuesday of each month (known in the industry, unflatteringly, as Patch Tuesday).

If you think you may not remember to do this, then go for Automatic Update.

Windows XP users

You can continue to use Windows Update. If you wish to continue to use IE you should upgrade to IE8.

Although it's called a Service Pack for Windows XP, almost all of SP2's fixes are actually for Internet Explorer and Outlook Express. The main exception is the improved Windows firewall, which is now switched on by default. SP2 doesn't just fix security bugs in the code but addresses some fundamental design flaws. SP2 represents a significant security improvement. However, new flaws have since been discovered and patches continue to be issued.

SP2 is a very big download (80 megabytes) and so will take 7-8 hours to download for dial-up users. However, it is restartable so that, if you disconnect and later dial up again, it should automatically carry on downloading where it left off. For dial-up users (i.e. those not on broadband) it's clearly easier to install from CD. Computer shops have them and should give you one for free.

Service Pack 3 (SP3) was released in 2008. In terms of security, it is less critical than SP2. However, you can install it over an original installation of XP, in which case all the updates in SP2 will also be applied.

When downloading SP2 or SP3, allow for the fact that, once downloaded, the actual installation may take an hour or so.

Users of other Windows versions

These include Windows 98, ME and 95. I strongly recommend not using IE but switching to Opera or Firefox.

Many of the security design flaws fixed in Windows XP SP2 also apply to IE and OE on earlier Windows versions. However, Microsoft has confirmed that the SP2 fixes will not be made available for them. That means that even the latest versions of IE and OE (version 6) on these earlier Windows versions will now be less secure than IE6 and OE6 on Windows XP. My advice is to switch to an alternative browser and e-mail program. If you wish to continue to use IE (which I don't recommend) you should upgrade to IE6 SP1 (if your PC is powerful enough to run it) and then install the most recent cumulative update plus future security patches where they are offered.

Also affecting Internet use are security flaws in Windows. Fixes are usually issued in monthly batches: see Microsoft Security Bulletins.