New IE Security Update for IE6 SP1 and IE6 (but not IE6 in XPSP2 or Windows Server 2003)

Today we released a security update for IE, MS04-040. This fixes a heap-based buffer overflow that allows remote code execution (see CAN-2004-1050 for more details on the specifics of the issue). Full details on the security update can be found in the security bulletin.

If you are running IE6 SP1 or IE6, I strongly suggest you go to Windows Update to get this security release. It’s nice to see the results of all the hard work we put into making XPSP2 and Windows Server 2003 more secure, since users running those platforms don’t need to get this update.


Comments (21)

  1. Anonymous says:

    "…since users running those platforms don’t need to get this update." How subtle can one be?

  2. Anonymous says:

    Very Great !!!

  3. Anonymous says:

    "…since users running those platforms don’t need to get this update."

    It’s great that Microsoft opted against Windows 2000 SP5 and against making IE 6 SP2 available for slightly older versions of Windows.

    We all know that this decision was made because the users "don’t want another Service Pack".

    That’s what I love about Microsoft, always putting the customer’s wishes first …

    By the way: Great reaction time … only 5 weeks after the exploit was published, only a few thousand PCs were infected by a virus that used the exploit in the meantime, and many others were just infected by harmless spyware, malware and trojan horses.

    Thank you very much for always thinking about what’s best for the customer … I would really hate it, if I had the option to upgrade to IE SP2 on Windows 2000, I really don’t want that.

    Well, at least there’s Firefox (which reacted to a tiny exploit in a beta milestone within less than 12 hours)…

  4. Anonymous says:

    Why aren’t we seeing IE SP2 available for download for 2000? Okay, it’s in XP SP2, yeah, my desktops are protected. It’s in Server 03 SP1, which is currently in beta, so my new servers will be protected, but why not my 2000 servers and desktops? I would be happy to upgrade to a new 2000 SP or just install IE SP2 as its own update so I could get the pop-up blocker and Add-on Manager. Since most servers are on high-speed connections it would take minutes to download and slipstream. And the problem can’t be too-old technology, because XP is built on 2000 SP1 code if memory serves, and Server 03 is built on XP Pro base code and then given a security review. Server 03 really is safer by default, and even when other stuff is turned on it’s better.

  5. Anonymous says:

    Do you know what I do with Firefox?

    Firefox = Nothing

  6. Anonymous says:

    @zelbi: your loss 🙂

  7. Anonymous says:

    @Christoph: You’ve never heard of testing, have you?

    Microsoft has a far too large userbase for them to throw a patch out there within 12 hours only to find out it breaks IE or some other part of Windows for half of their users.

  8. Anonymous says:

    @Sven Groot: You’ve never heard of the advantages of having your browser not integrated with the OS, have you?

    "Microsoft has a far too large userbase for them to throw a patch out there within 12 hours only to find out it breaks IE or some other part of Windows for half of their users."

    That’s got more to do with the zillions of possible Win + IE + patch combinations than the size of the user base.

  9. Anonymous says:

    @David Naylor: Just a hunch, but I don’t think that’s the IE Team’s decision. They do what the higher ups tell them to do.

    Complaining here will solve nothing.

  10. Anonymous says:

    I’d like to know if there actually is a place where complaining might solve at least something …

  11. Anonymous says:

    @Chris Williams: I realize the IE team doesn’t decide whether IE should be dug deep into Windows or not. I was simply pointing out to Sven Groot the advantages of having a browser not integrated with the OS. (Less testing needed.)

  12. Anonymous says:

    Fair enough, David.

  13. Anonymous says:

    Thanks! IE is great!!! It doesn’t need any "improvements", except bug fixes.

  14. Anonymous says:

    @David Naylor: I realise the added complexity from having IE integrated with Windows. But regardless of whether that was a good idea in the first place and whose idea it was, that complexity is there.

    And I’d still rather have them release a properly tested bugfix after 5 weeks than a buggy one after 12 hours.

    I remember the SQL Server team once released a patch that didn’t work on many installations, nobody was complaining about turnaround times then, I assure you!

  15. Anonymous says:

    @Sven Groot: My intended point was that it’s not the fact that Firefox’s userbase is smaller which allows them to respond swiftly to bugs found, but it’s the fact that it doesn’t integrate as tightly with the OS – hence less testing needed.

    If the size of the userbase determined how much testing was needed it would follow that Mozilla Foundation’s response time to bugs would only grow with downloads. (Which I believe it won’t.)

  16. Anonymous says:

    Since installing this patch on W2K systems, none of the URL shortcuts work anymore. IE just freezes. Any workaround?

  17. Anonymous says:

    It’s really fair to compare reaction times for patching between a beta milestone and a released product with a substantial installed base, Firefox boys! Good work. No doubt everyone will be switching tomorrow given that devastating effect of your superior logic.

    And this is 2004. Browser services are used and needed by dozens of applications. It’s better to have the OS provide those services, instead of having applications depend on half a dozen different browsers – all requiring separate patching and security management – as is the case with any feature-rich Open Source desktop.

  18. Anonymous says:

    @Matt: I don’t know about you, but I’d rather have my security holes be patched quickly, whether beta or not.

  19. Anonymous says:

    @David: I’d rather have my security patches tested than put into a widely deployed program within 12 hours. The open source boys might start to recognise the importance of testing patches first if they ever reach an audience greater than a single digit percentage.

  20. Anonymous says:

    All of this stuff about whether OS services should provide "browser services" or not, even though I am a developer, is less important than "will I get spyware and malware surfing the Internet."

    At home I use Firefox, my daughter does not. She killed my computer in a day of Internet surfing – a feat that my weeks of Firefox use was unable to do.

    It is a simple non-technical equation. I may be a programmer but I am also a user. And I make the choice, which nobody can prevent me from making, to not use a vulnerable browser.

    I choose Firefox.

  21. Anonymous says:

    Is this going to affect the user agent string in server logs? Will "SV1" stay the same?

    And – related to logs – I’m hoping somebody will explain why the string "SV1" appears and disappears sporadically in the user agent string within a given visitor session.
