With new security updates from vendors like Adobe, Apple and Java coming out on a near-monthly basis, keeping your Web browser patched against the latest threats can be an arduous, worrisome chore. But a new browser plug-in from security firm Qualys makes it quick and painless to identify and patch outdated browser components.

The Qualys BrowserCheck plug-in works across multiple browsers — including Internet Explorer, Firefox, Chrome and Opera, on multiple operating systems. Install the plug-in, restart the browser, click the blue “Scan Now” button, and the results should let you know if there are any security or stability updates available for your installed plug-ins (a list of the plug-ins and add-ons that this program can check is available here). Clicking the blue “Fix It” button next to each action item listed fetches the appropriate installer from the vendor’s site and prompts you to download and install it. Re-scan as needed until the browser plug-ins are up to date.

Secunia has long had a very similar capability built into its free Personal Software Inspector program, but I realize not everyone wants to install a new program + Windows service to stay abreast of the latest patches (Secunia also offers a Web-based scan, but it requires Java, a plug-in that I have urged users to ditch if possible). The nice thing about Qualys’ plug-in approach is that it works not only on Windows, but also on Mac and Linux machines. On Windows 64-bit systems, only the 32-bit version of Internet Explorer is supported, and the plug-in thankfully nudges IE6 and IE7 users to upgrade to at least IE8.

Having the latest browser updates in one, easy-to-manage page is nice, but remember that the installers you download may by default come with additional programs bundled by the various plug-in makers. For example, when I updated Adobe’s Shockwave player on my test machine, the option to install  Registry Mechanic was pre-checked. The same thing happened when I went to update my Foxit Reader plug-in, which wanted to set Ask.com as my default search provider, set ask.com as my home page, and have the Foxit toolbar added.

This past week, I was reminded of a conversation I had with an ethical hacker I met at the annual Defcon security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant and reliable trick I’ve seen to crash the Internet Explorer 6 Web browser.

If you’re curious and have IE6 lying around, type or cut and paste the following into the address bar (that last character is a zero):

ms-its:%F0:

or just click this link with IE6.

Here’s a short video example of the crash that results from typing that text above into an IE6 window:

The “ms-its” bit is a reference to one of the helper extensions built into IE6. Alex Holden, the Wisconsin based researcher who showed me this crash, said the bug is the result of a pointer overflow in IE. The crash does not appear to work in newer versions of IE.

Holden said he notified Microsoft about his finding back in 2004. An e-mail thread Holden shared with krebsonsecurity.com indicates that Microsoft engineers believed there were no severe security consequences of this bug, and that it would probably be fixed in a future service pack. Obviously, it never was.

One way XP users might encounter this would be if the short code above or something like it were included in a link sent to a targeted user via instant message or e-mail. Indeed, one could imagine a computer worm that went around and changed the victim’s default home page to this short bit of code. The victim would be no longer be to get online….with IE6, anyway (although a registry hack could almost certainly fix the swapped home page).

There is one interesting possible use for this tiny snippet of crash-inducing code. Maybe someone you know and care about insists on using IE6 or refuses to upgrade to IE7 or IE8. Install Firefox or some other browser alternative, and then change their IE home page to “ms-its:%F0:” Chances are good they will never be able to open IE6 again.

I had just finished opening an account at the local bank late last week when I happened to catch a glimpse of the bank manager’s computer screen: He had about 20 Web browser windows open, and it was hard to ignore the fact that he was using Internet Explorer 6 to surf the Web.

For more than a second I paused, and considered asking for my deposit back.

“Whoa,” I said. “Are you really still using IE6?”

“Yeah,” the guy grinned sheepishly, shaking his head. “We’re supposed to get new computers soon, but I dunno, that’s been a long time coming.”

“Wow. That’s nuts,” I said. “You’ve heard about this latest attack on IE, right?”

I might as well have asked him about the airspeed velocity of an African Swallow. Dude just shook his head, and so did I.

Well, you can’t really blame the poor guy for not knowing. Just hours before, Microsoft Chief Executive Steve Ballmer looked a bit like a deer in headlights when, standing in front of the White House in a planned CNBC interview on how the Obama administration is looking to use technology to streamline its operations, he was suddenly asked about a report just released from McAfee effectively blaming a slew of recent cyber break-ins at Google, Adobe and more than 30 top other Silicon Valley firms on a previously unknown flaw in IE.

“Cyber attacks and occasional vulnerabilities are a way of life,” Ballmer said. “If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”

Microsoft has of course since acknowledged that a critical, unpatched security flaw indeed exists and is being exploited in targeted attacks. The software giant says it has only observed the now-public exploit code working against IE6, and that IE users should upgrade to the latest version IE8, which Microsoft says is much better insulated from the current batch of exploits.

Redmond typically releases software updates on the second Tuesday of each month (a.k.a. “Patch Tuesday), but the company said in this case customers may not have to wait until Feb. 9 for a patch for this security hole. Microsoft is eager to assure everyone that the attacks observed so far are only successful against IE6, and that in any event they have not been widespread.

Meanwhile, researchers continue to test that claim. Researcher Dino Dai Zovi Tweeted Monday that he had modified the existing exploit so that it worked on IE7, with the caveat that on Microsoft Vista systems it would only allow an attacker read access to the victim’s files (as opposed to full privileges to delete or modify system files).

In a sign that we may very soon start to see a number of hacked and malicious Web sites leveraging this flaw to install unwanted software, security firm Websense warned that it had spotted a Web site that was exploiting the IE vulnerability.

Microsoft’s assurances have not been enough for some. The governments of France and Germany have urged people to stop using Internet Explorer (Update, 1:16 p.m: The Australian government just issued a similar warning). For its part, the U.S. government is expected to issue a demarche to the Chinese government, looking for an explanation of the attacks against Google and others, which experts have described as a sophisticated and targeted attempts to steal trade industry secrets, as well as information about Chinese dissident groups.

At least one top Chinese computer security firm is urging consumers there not to wait for Microsoft’s patch, but to instead install an unofficial, stop gap fix (rough, Google translation). No doubt, if the wait drags on for an update from Microsoft, we will see the same offers from U.S. security firms and experts.

There are, of course, alternatives to IE. But then again, I’m preaching to the choir. Most of my readers already use another browser, according to the latest visitor stats for krebsonsecurity.com, compliments of Google Analytics. Here’s how my visitors break down:

Looks like krebsonsecurity.com does have some IE6 users (and at least one IE5! user). Nearly 14 percent of the visitors browsing this site with IE are using IE6:  Here’s the visitor breakdown by IE version:

If you do want to keep browsing with IE (or, work at an organization like my bank which apparently doesn’t have much choice in the matter), Microsoft has some tips here on ways to leverage additional protections both in Windows and in newer IE versions.