The information published in this post is now out-of-date.
—IEBlog Editor, 12 September 2012
There’s a new security update for IE available. You can find the security bulletin here and the Knowledge Base article here.
Candidly, I’d like to write in depth about the vulnerability, different approaches we thought of in defending against it and the compatibility issues (site and application) that each approach entailed, and how we chose the one that we released.
The main reason I can’t is that folks who want to find security holes and hurt Windows customers look at every single communication that comes out from Microsoft for anything that will help their effort. I don’t want to give it to them. No, I’m not happy about this. Yes, this frustrates me too. The longer I work with the Microsoft Security Response Center, and the more I see of both responsible and irresponsible disclosure of security issues, the more I respect their judgment on this one.
I am trying to figure out if there is something (instead of nothing) that we can say publicly about the changes. I hope to have an answer next week. If nothing else, I’m glad we were able to release this today given the interest with press, customers, and developers that this vulnerability generated.
In the meantime, I’ll answer a question that bothered me for a long time. Is the numbering scheme for these releases totally random?
Despite appearances to the contrary, no. Security update numbering starts with the two-digit year of the release (yes, I look forward to the posts about our Y2100 issues) and is then sequential across all of Microsoft. The first security update each year from Microsoft is 001, then 002, etc. When you look at just IE’s (the way I do), the numbers are all over the map, because the bulletins for other products take the numbers in between. We actually don’t know the number while we’re working on the release because we can’t make assumptions about when we’ll release versus other security work that’s going on.
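As an added illustration of the numbering scheme described above (example code, not from the original post or from Microsoft), here is a small parser that validates an identifier of the form MSyy-nnn, recovers the release year and the company-wide sequence number, and counts how many non-IE bulletins sit between the IE-only ones in a given year. The "MS" prefix, the dash, and the 2000-based century are assumptions about the bulletin format, not something the post spells out; the sample identifiers are constructed for the example and are not claimed to be real IE bulletins.

```python
import re
from typing import Dict, List, Tuple

# Assumed bulletin identifier format: "MS" + two-digit year + "-" + three-digit sequence.
BULLETIN_RE = re.compile(r"^MS(?P<yy>\d{2})-(?P<seq>\d{3})$")

# Constructed sample of "IE-only" bulletin identifiers, deliberately out of order.
SAMPLE_IE_BULLETINS: List[str] = ["MS05-052", "MS05-014", "MS04-040", "MS05-038"]


def parse_bulletin(bulletin_id: str) -> Tuple[int, int]:
    """Return (release_year, sequence_number) for an MSyy-nnn identifier.

    The year is assumed to be 2000 + yy, which is exactly the Y2100 limitation
    the post jokes about. Sequence 000 is rejected because numbering starts at 001.
    """
    match = BULLETIN_RE.match(bulletin_id.strip().upper())
    if match is None:
        raise ValueError(f"not a bulletin identifier: {bulletin_id!r}")
    year = 2000 + int(match.group("yy"))
    seq = int(match.group("seq"))
    if seq == 0:
        raise ValueError(f"sequence numbers start at 001: {bulletin_id!r}")
    return year, seq


def sort_chronologically(bulletin_ids: List[str]) -> List[str]:
    """Order identifiers by release year, then by company-wide sequence."""
    return sorted(bulletin_ids, key=parse_bulletin)


def interleaved_count(bulletin_ids: List[str]) -> Dict[int, int]:
    """Per year, count sequence numbers between the first and last listed bulletin
    that are NOT in the list, i.e. bulletins for other products released in between."""
    by_year: Dict[int, set] = {}
    for bulletin_id in bulletin_ids:
        year, seq = parse_bulletin(bulletin_id)
        by_year.setdefault(year, set()).add(seq)
    return {
        year: (max(seqs) - min(seqs) + 1) - len(seqs)
        for year, seqs in by_year.items()
    }


if __name__ == "__main__":
    print("chronological:", sort_chronologically(SAMPLE_IE_BULLETINS))
    print("other-product bulletins in between:", interleaved_count(SAMPLE_IE_BULLETINS))
```

Running the module on the constructed sample sorts it to MS04-040, MS05-014, MS05-038, MS05-052 and reports 36 intervening non-IE sequence numbers for 2005, which is why the IE-only list looks random even though the company-wide sequence is strictly increasing.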