A fresh IE security update

The information published in this post is now out-of-date.

—IEBlog Editor, 20 August 2012

Earlier this week we released the latest security update for IE, MS04-038. We’ve been working on this since XPSP2 shipped, and it’s nice to see it made available to customers on Windows Update. This update addresses, among other issues, the drag & drop vulnerability that’s been in the news & security circles lately. This is also the first IE update to use our latest installation technology, so corporations who deploy Microsoft products and updates will have a more uniform experience doing so.

Phil, some of the other IE team members, and I participated in a web chat yesterday morning to discuss this release with our corporate and end-user customers – it was great to hear their feedback, concerns, and questions. Looks like the slides were just posted for people to take a look at in case you missed the chat.

Surf safely!

Comments (27)

  1. Anonymous says:

    Before downloading this patch, make sure your SP2 upgrade didn’t fail. Otherwise you may run into this problem:


  2. Anonymous says:

    I’ve embedded a webbrowser control and used it for viewing special folders like ‘Control Panel’, now most of the items in this folder are deactivated by the IE Team (not clickable anymore and context menu is disabled)!

    How can I enable these Items again ???

    Is this related to IE feature control ?

  3. Anonymous says:

    Surf safely. Use Firefox!

  4. Anonymous says:

    Why did the download stats disappear?

  5. Anonymous says:

    From http://www.usatoday.com/printedition/money/20041013/gatesqa13.art.htm

    "Q: Speaking of security, Internet Explorer has had well-publicized holes …

    Gates: Understand those are cases where you are downloading third-party software."


    "Q: There is talk of a Google browser. Internet Explorer has had its security woes. How do you keep users?

    Gates: More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

    According to your boss, Internet Explorer is perfectly secure as it is, and it’s all *our* faults for the security holes in it. Do you agree with him? Is it our fault? Are things going to stay the same with Internet Explorer’s security?

  6. Anonymous says:

    You know they are most likely prohibited from answering that, yes?

  7. Anonymous says:

    Yeah 🙂

    It’s just that it’s such a blatant, in-your-face insult to everyone who’s been affected by Internet Explorer’s insecurity that "no comment" really doesn’t cut it, and I wanted to make a point about the interests controlling this weblog.

  8. Anonymous says:

    I wonder whether the "more has been invested" refers less to money, but more to MS’s strategic future.

    Putting my own spin on it:

    More has been invested in making IE secure on the Windows desktop than any browser on the planet by a long shot. Nothing is going to change.

  9. Anonymous says:

    Hi !

    Is there any place to report IE’s bugs ?

    Some bug tracking system with search engine ?

    I got a nice bug, and I don’t know if it has already been discovered. I have to know before going deeper in this problem and try to see if it leads to a security issue.



  10. Anonymous says:

    "More has been invested in making IE secure than any browser on the planet by a long shot. Nothing is going to change."

    Yeah, that’s a good one mr Gates. You may well have spent loads of money on IE security (although the average techie wouldn’t have guessed) but it sure hasn’t made a great difference. (Until maybe a month ago, for those who use your latest (bloated imo) OS.)

  11. Anonymous says:

    Some of you people need to grow up!

    IE is excellent web browser otherwise it would still be trying to beat Netscape Navigator.

    And as long as you have hackers and crackers out there no software from any company will be safe.

    I remember when Linux users used to claim that there were no viruses for Linux… can you still make that claim?

    Also, most of you are always complaining about Microsoft’s patches, well MS is not the only one.

    The Open Source including Linux post patches to fix vulnerabilities on their software on a weekly basis!

    I ran Linux for a while but when I saw that it had more patch releases than Windows I gave up with it!

    Also, for those out there still making the claim that Linux is small, well, it’s not!

    If you want to get a decent installation of Linux with a GUI you need just as much memory as Windows does.

    Chew on that for a while!

  12. Anonymous says:

    Hum, you have to grow too… no matter which is the best, the most beautiful browser ever, no matter if linux is smaller than windows or if patch releases are monthly or daily. The important thing is that it does what users need to do.

    And I don’t agree with "IE is excellent web browser otherwise it would still be trying to beat Netscape Navigator."

    IE is still there because it’s the default navigator shipped with any new computer.

    And yes there are many hackers so you will always have to patch.

  13. Anonymous says:


    Tell me, is it better to fix security holes, or to pretend they don’t exist.

    And how do you know that all of the updates you downloaded for Linux were security updates? Did it not occur to you that they might just be normal program updates?

    About the post:

    "We’ve been working on this since XPSP2 shipped"

    This statement interested me, as I remember seeing someone from the IE team say (on this blog) just after XPSP2 shipped that there were no security holes currently known. Obviously this was a lie.

  14. Anonymous says:


    Why bring up Linux? This is a weblog about Internet Explorer, not about operating systems. Your (misleading) comments about Linux are of no importance here.

    If you think Internet Explorer is an excellent web browser, then read past comments posted here and address the numerous major problems people have had with it, instead of trying to divert attention to a Linux flamewar.

  15. Anonymous says:

    IE used to be an excellent browser and that’s why it beat Netscape Navigator. Once that victory was achieved however, development on IE stagnated. Subsequently other browsers have overtaken it. Thankfully, development on IE seems to have restarted so it may yet regain its crown.

    The design of linux makes it inherently difficult, though not impossible, to write viruses that attack it. This is a good thing.

    Patches are also a good thing. But having to download a massive patch for the entire OS just to secure one application is plain silly.

    A rapid turnaround between the problem being discovered and it being patched is also a good thing. Sadly, Microsoft has not always been up to snuff on this front.

    Don’t confuse linux itself with the welter of software packages that come in a typical distribution of linux. If you are comparing patch releases for a linux distribution and a windows distribution, then you are not remotely comparing like with like.

  16. Anonymous says:

    Ok, I agree with part of what you’ve all said since I posted my rant and I agree that it was unfair and inappropriate to talk about any OS in an IE browser web log.

    Having said that, I have personally tried Mozilla 1.x, Mozilla FireFox and Opera and none of these browsers have ever performed as well as IE.

    The most recent being FireFox it has problems with some website and does not handle some of the styles well.

    Maybe I have just grown accustomed to IE but I’ve yet to get hit with any of these vulnerabilities (or bugs). Of course I use an anti-virus and the Google Toolbar to block pop-ups.

  17. Anonymous says:

    I won’t open the slides package. It’s an EXE file, and because it’s not signed, I’m not going to open it. Sorry guys 🙂

    Somebody needs to fix this.

  18. Anonymous says:

    IE: the swiss cheese of browsers!

    Firefox has had a few security updates of its own but they still occur less frequently than in IE and are fixed in a timely manner.

    Also the Firefox team tend to be able to improve the browser and fix security holes. The IE team just seem to be fixing security holes and seem to have no time to advance the browser and don’t cite SP2, it doesn’t help non XP users – it was years in development and still hasn’t gone anywhere near the features the other browsers have.

  19. Anonymous says:


    "none of these browsers have ever performed as well as IE"

    That’s a hugely general sentence that says nothing about your actual difficulties with the browsers. Perhaps be more specific if you expect to be taken seriously.

    "problems with some website and does not handle some of the styles well"

    Generally, websites that don’t display "properly" in Gecko are *broken*. Meaning that the code has been written incorrectly, and so that browsers which render the code correctly will display it in a different way than was desired. Why does the code get written incorrectly? I wonder if the web devs were using IE to make their sites…

    Also, Firefox handles styles better than IE. It supports style switching doesn’t it?

  20. Anonymous says:

    Nima –

    Check out a previous post for the avenues of support for IE – http://blogs.msdn.com/ie/archive/2004/08/25/220501.aspx.

    If you have a security issue, please submit it to the Microsoft Security Response Center – https://s.microsoft.com/technet/security/bulletin/alertus.aspx.



  21. Anonymous says:

    Congratulations, some of the security holes were known for 3 months. How faaaaast.

  22. Anonymous says:

    Congratulations! Now Microsoft IE has only 16 opened security holes, including 4 highly critical holes, and the oldest hole not patched for 19 months! Great!


  23. Anonymous says:

    I’m sick of the high maintenance of Microsoft.

    I use Opera browser.

    I’ve formatted my hard drive to be rid of XP, and will be installing Linux this week. (I’ve still got Win98 on my old machine, and will install Linux on this machine too).

    I quit, I can’t take it anymore.

  24. Anonymous says:

    Opera has its share of security issues too. And patching it in a corporate environment is a nightmare. With Automatic Updates, IE is easier to manage and to update to resolve security updates. But Microsoft still needs to speed up its patch and improve their response time to resolving security holes.

    Has anyone tried to install Mozilla in an enterprise environment with 10000 PCs with roaming profiles? If you have, I hope you have large file servers with plenty of network bandwidth. The default cache location of Mozilla/Firefox and Netscape is in the user’s roaming profile. What a way to enable extremely long logout and login times. Apparently this bug has been reported to the developers of Mozilla/Firefox and the bug case has been open since 2001. You really wonder if they really want to compete in the browser market, or if it’s all just hype.