Out-Of-Band Hotfix Released For Internet Explorer

In an effort to enable organizations to have a predictable and timely schedule around patches, Microsoft implements a process whereby patches to software are released on the second Tuesday of each month. Out-of-band hotfixes are rare and are released to help resolve critical issues identified in the field. While we don’t normally post hotfix release notifications on this blog, I still wanted to let you all know about this one as it relates to Internet Explorer.

What is the purpose of this alert?

This alert is to provide you with an overview of the new security bulletin being released (out-of-band) on December 17, 2008. Microsoft has released security bulletin MS08-078, Security Update for Internet Explorer (960714), to address a vulnerability in all currently supported versions of Internet Explorer. This security update was released outside of the usual monthly security bulletin release cycle in an effort to protect customers.

Executive Summary

This security update resolves a publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 961051.


Microsoft recommends customers prepare their systems and networks to apply this security update immediately, to help ensure that their computers are protected from attempted criminal attacks. Please visit http://www.microsoft.com/protect to apply the security update.

New Security Bulletin Technical Details

Identifier MS08-078
Severity Rating This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 7.
Impact of Vulnerability Remote Code Execution
Detection Microsoft Baseline Security Analyzer can detect whether your computer system requires this update.
Affected Software Internet Explorer 5.01 (Windows 2000), Internet Explorer 6 (Windows 2000), Internet Explorer 6 SP1 (Windows XP and Windows Server 2003), and Internet Explorer 7 (Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008). For information about Internet Explorer 8 (Beta) please see the FAQ section of the bulletin.
Restart Requirement The update will require a restart only if the required files are being used. If this occurs, a message appears that advises you to restart.
Removal Information

  • For Windows 2000, Windows XP, Windows Server 2003: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility

  • For Windows Vista and Windows Server 2008: WUSA.exe does not support uninstall of updates. To uninstall an update installed by WUSA, click Control Panel, and then click Security. Under Windows Update, click View installed updates and select from the list of updates.
Bulletins Replaced by This Update None.
Full Details: http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx

Public Bulletin Webcast

Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin:

Title: Information About Microsoft December Out-of-Band Security Bulletin
Date: Wednesday, December 17, 2008 1:00 P.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US

Title: Information About Microsoft December Out-of-Band Security Bulletin #2
Date: Thursday, December 18, 2008 11:00 A.M. Pacific Time (U.S. & Canada)
URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US

Skip to main content