It might come as a surprise to you that most Internet attacks don’t occur when online lowlifes discover a hole in Windows’ security. As it turns out, they’re not quite that smart.

Instead, what usually happens is that Microsoft discovers the soft spot. (Actually, some super-brainiac researcher usually finds the hole, and then notifies Microsoft.) Microsoft then puts together a security patch, which it releases to its millions of customers to protect them.

Figure 10-5. If you turn on Windows XP’s auto-update- installation feature—and Microsoft is practically frantic that you do so—you can ask to be notified either before the software patch is downloaded (third choice) or after it’s been downloaded and is ready to install (second choice). You can also permit the updates to be updated and then installed automatically, on a schedule that you specify (top choice).

The hackers and virus writers learn about the security hole by studying the patch. They leap on the information and create some piece of evilware in a matter of days—yes, after Microsoft has already written software that closes the hole.

So how can PCs get infected after Microsoft has already created a patch? Because it takes weeks or months for Microsoft’s patch to get distributed to all those millions of customers. The hackers simply beat Microsoft to your PC’s front door.

The painful part is that Windows XP already ...