February IE Security Updates Released

Yesterday’s security updates for February 2005 include two critical updates relating to Internet Explorer:

  • MS05-013 – has a fix for an issue with the DHTML edit control (CAN-2004-1319)
  • MS05-014 – Cumulative Security Update for Internet Explorer

These are both rated “critical” and affect all supported IE configurations from IE5.01 to IE6 for XPSP2.

In addition, there is a third update to mention – MS05-008 – which contains a fix for a drag-and-drop vulnerability in the Windows shell code.  You need both MS05-014 and MS05-008 to resolve the “drag-and-drop vulnerability” (CAN-2005-0053).   These updates do not have to be installed in any particular order.

Windows Server 2003 Service Pack 1, Windows Server 2003 x64 edition, and Windows XP Professional x64 edition, all of which hit RC2 yesterday, already include these fixes.

As some of you may know, recent updates for IE 6 SP1 have not contained hotfixes released since MS04-004 and MS04-025.  Customers who needed these hotfixes had to download a separate package that contained the hotfixes along with the security update.  This caused some confusion around which version to install.  Furthermore, the hotfix (or “corporate”) version was not located on Windows Update and therefore not available through SUS. 

I’m happy to say that MS05-014 includes both hotfixes and security updates but only installs hotfixes on systems that require them.  The original goal of creating separate packages was to isolate as many customers as possible from unnecessary code change.  By implementing this solution we’ve maintained that added protection for our customers while easing corporate deployment, an area where we are committed to continual improvement.  This capability is similar to what we have always used for IE cumulative security updates for Windows XP SP2 and Server 2003.  However, because IE 6 SP1 installs across multiple Windows versions we could not use the same technology.  For details on how IE 6 SP1 packages will know whether or not to install hotfixes, please see the ‘Notes’ section of KB867282.

I encourage everybody to download these updates as well as yesterday’s other non-IE updates via Windows Update.  I also encourage you to turn on Automatic Updates so you get these updates without having to manually visit Windows Update.

– Bruce

Comments (40)

  1. Anonymous says:

    Another vulnerability in an ActiveX component. Don’t you just love all that rich functionality?

  2. Anonymous says:

    WaPo has coverage, also check out IEBlog. Here are the specific released yesterday: Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB867282) Security Update for Windows 2000 (KB891781) Security Update for Windows 2000 (KB885250) Security Update for Windows 2000 (KB888113) Security Update for Windows 2000 (KB890047) Security Update for Windows 2000 (KB873333) Security Update for Microsoft .NET Framework, Version 1.0 SP3, English (KB886906) Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903) Security Update for…

  3. Anonymous says:

    Is it only the RC2s of the software releases mentioned above that doesn’t need any patch? (I.e, should a test server that might be exposed to the net at some point better upgrade to RC2 ASAP?)

  4. Anonymous says:

    Hi CN,

    RC refers to Release Candidate. So RC2 is the second Release candidate for this software. RCs are one step closer to final release than beta software but they are still not at final release and thus should still be used with caution. In this instance RC2 of Windows Server 2003 Service Pack 1, Windows Server 2003 x64 edition, and Windows XP Professional x64 edition all already include the updates as they were released at close to the same time as the update itself.

    We’d certainly encourage people to investigate and give feedback on all beta and release candidate software but for mission critical applications fully released and supported software would be recommended.



  5. Anonymous says:

    I’ve always found the contingency design around Windows Update a little confusing. I’m guessing that the server is getting bulldozed with traffic at the moment, but the experience is that you pick your updates, a quick dialogue flashes and you can barely make out that all your downloads have failed. You’re instantly directed to a status screen that announces failure of all the updates with no explanation why. The for more information screen confirms that yes, indeed, all your updates have failed and gives you the opportunity to see that yes, in the past – many updates have failed!

    I do love the Windows Update functionality, but some more messaging in the case of failure would be very helpful. Even just a happy little "high traffic at the moment please try again" with an option to "remind me".

    We also had some real trouble with the Software Removal tool in our shop and had to roll back some systems.

  6. Anonymous says:

    Oh. And following the updates all of our Visual Studio projects are fried.

  7. Anonymous says:

    Thankyou for at last fixing the file upload MIME type bug with the MSO5-014 patch! It’s only been around since around September last year (since WinXP-SP2 was released), so it only took *5 months* to fix it!

  8. Anonymous says:

    Paul — When you run Windows Update, are you logged in as a non-admin and running WU as an admin via Run As? I’ve found that, since WU V5 (XP SP2), this method always fails and the only way to get it to work is by logging in manually as admin. 🙁

  9. Anonymous says:

    To the last commenter – I found your screen name and your list of leading questions offensive in content and style, not in words.

    You jumped in here with no previous commenting history with an offensive name and a list of "do you still beat your wife" style questions.

    I’ve decided (unilaterally) not to leave so much crap in the blog comments. So I deleted your comments. Pick a less offensive name, ask your questions with a little more respect and a lot less leading, and I won’t delete them.

  10. Anonymous says:

    BTW, anonymity gets you little respect.

    I accord a lot more value to comments from someone who has the courage to link back to a real blog or real email. These comments can be as anti-IE as the person wishes; as long as they are not profane or personally attacking people on the team I won’t delete them.

    Anonymous comment with no content other than "IE is bad!" (or three paragraphs of "you guys are morons, IE sucks, blah blah blah!") are a dime a dozen. Do that on your own blog all you want. Track back here, I won’t delete it.

    Otherwise, I treat it like graffiti on the wall and I get rid of it.

  11. Anonymous says:

    I disagree with your stance. I don’t think my screenname was particularly offensive, given the title of this post.

    I have set up my own blog to discuss issues about IEBlog, IE, and general web browsing/development issues, at:


    Hopefully many here will find it interesting, why not take a look?

    There is an email address provided there also. Now, hopefully I have enough ‘credibility’ to ask again:

    How many security vulnerabilities in Internet Explorer have involved an ActiveX component?

  12. Anonymous says:

    Blog Watch, ActiveX is an extension mechanism that allows 3rd parties to extend the functionality in IE. It’s really difficult to say how many 3rd parties migth have a security issue. Netscape plugins is a similar extension mechanism for Netscape but it is used far less because of the small market share it has.

    So we don’t know the answer to your question. Even if we did have figures I don’t see that the data is at all useful for any form of comparison.



  13. Anonymous says:

    IEBlogWatch, here’s a list of all the security patches released for IE, by year, since 1999.


    I suppose once you go through that list and count the number that affect active X components you’ll have your answer. (at least those that have been fixed)

    I would think that MS wouldn’t really keep track of these because they already know that Active X has it’s security problems. Further bringing their customers attention to the full scale of said problems would cause said customers to be pretty upset that expensive solutions and applications would need to be rebuilt in order to avoid these issues.

    Needless to say, regardless of what the IE team may personally think, MS cannot do this and expect to save face, at least not until there are enough .NET peices in place that the problems caused by an "admission of guilt" regarding the falibility of active X would be more managable.

    Even if Dave, Bruce and others agree with me completely, I wouldn’t expect them to openly admit it. I’m sure they need their jobs as much as the rest of us.

  14. Anonymous says:

    Dave P,

    ActiveX Controls are an extremely useful way to extend the power of the browser. From that point of view they are really no different to Netscape plugins. They are very powerful which means they can be used for bad as well as good. That is also true for Netscape plugins.

    we undertook work in Windows XP SP2 amongst many other things to make it much more difficult to inadvertantly install unwanted software.

    I do not believe there is anything wrong with ActiveX controls, as they offer extremely useful functionality. And that is nothing to do with me wanting to keep my job 🙂

    My advice to everyone whatever software they are using is to use extreme caution when installing any software and be sure that they are installing software they want from a publisher that they trust.



  15. Anonymous says:

    @Dave: Like I said, even if you agreed. 🙂

    Speaking of Active X, an serious question for you (serious in that I’m not trying to be an ass here):

    I don’t really use any Active x component on a regular basis, and I’ve never really run into a situation where I can think that I would need to.

    With the ability to do most things with Server side code and Javascript and the DOM; preforming more intensive things by utilizing Flash and it’s strengths, when exacly would I need to use Active x to perform a task that I can’t do with other technologies?

    I realize that there may be a preference for some devs to prefer AX to other techs, but I’m looking more for a neccesity here.

    As far as my travels have taught me, the answer to my question is "there isn’t anything (worthwhile) that can be done in active x that can’t be done with another, multi-platform tech."

    If anyone can prove me wrong it should be you guys, and I’m interested in learning about some areas that it may be useful to consider active x.

  16. Anonymous says:


    While on the subject of ActiveX controls, a feature I’d love to see in IE: The ability for an application hosting the WebBrowser being able to programmatically add an ActiveX control that is implemented inside the host’s code.

    Right now, I have an app that runs when a CD is autorun; it uses the browser control. When my app starts, I have to register an ActiveX control and unregister it when the app quits (actually, when the last instance of the app quits in case it was launched twice). At least with Windows 2000, with its ability to register COM objects in the current user branch of the registry, users don’t need to be Admin for this.

    My suggestion is to add an interface (e.g. to IDocHostUIHandler) that takes in a CLSID and returns the IUnknown of a component–that way I can keep my component private and handle instantiating it myself.

  17. Anonymous says:

    @Dave P: Regarding Flash–it is an ActiveX control.

  18. Anonymous says:

    @Johnathan: Only In IE’s chosen implementation is Flash an Active X… for everyone else it’s a standard plugin, so I see it as a stand-alone component, really… point being the same level of funcitonality can be acheived without Active X per say.

  19. Anonymous says:

    Dave P,

    I’d definitely encourage developers to examine what can be done using DHTML and JSCript rather than through ActiveX Controls. In the days of IE3 you needed to use ActiveX Controls to do simple things like menus. With the introduction of IE4 that could be achieved without using ActiveX Controls. As I said before ActiveX Controls are very useful but you shoudl only use them when you need to adn users should be cautious when installing any software from any source.



  20. Anonymous says:

    DaveP, technically, there’s essentially no difference between an ActiveX control and a "standard plugin".

    They’re mechanisms for launching code, they can both totally 0wn your machine.

    Having said that, ActiveX controls give you a couple of advantages that plugins don’t:

    1) They’re signed. XP SP2 refuses to load any ActiveX control that’s not signed. That means that you KNOW who authored it – it’s not just a random binary running on the net.

    2) They’re revokable – an ActiveX control can be killed via a config change to prevent it from running on a users machine.

    Neither of these advantages changes the basic risks associated with running 3rd party native code on the clients machine, but at least with ActiveX controls you have the ability to determine who wrote the code, and to turn it off.

  21. Anonymous says:

    I (obviously?) meant the Microsoft ActiveX controls which ship with Windows by default when I asked my question. Sorry for the confusion.

    Anyway, Dave P, that link is very useful, thanks. I don’t have time to count right now but will get round to it.

    Plugins need to be really secure, something which is a problem with all extensible browsers. Firefox has the ‘advantage’ of not issuing its own extensions, so even if they introduce vulnerabilities or backdoors, Mozilla isn’t directly blamable.

    However, if vulnerabilities are found so regularly in Microsoft’s OWN ActiveX controls then I think it is fair to question the security policies in place, especially given that previous to XP SP2, controls digitally signed by Microsoft were silently installed.

    (Your PR case isn’t helped by the fact that ActiveX is Windows only, and that it was a reason cited in the DOJ suit for not being able to ‘remove’ IE – which is one reason why many people are so cynical and cut you so little slack!)

    Both IE and Mozilla have responded (reasonably) well to cases involving ‘peripheral’ blame – by trying to secure the underlying extension/plugin mechanism itself. In IE’s case, it is forcing digital signatures. Firefox defaults to whitelisting only mozilla.org as an extension site. Both are good moves.

    But Microsoft has an appalling record with regard to its OWN ActiveX controls – which, after so long, is simply unacceptable.

    Incidentally, there was a comment on a previous post concerning automated testing. I tried to teach myself the basics, and wrote up a rather ragtag collection of thoughts along the way. Why not take a look:


  22. Anonymous says:

    ActiveX is just a marketing name for the real technology, COM. I’m not sure why marketing decided they needed a different name. Originally ActiveX controls were called OLE Controls, which is why you’ll still see some with a .ocx extension. In the end they’re just DLLs which conform to the the COM in-process server design.

    Any binary plugins, using whatever mechanism for hooking them up to the browser, are potentially going to have flaws. Well, any plugins will have flaws. Unmanaged binary plugins are more likely to have exploitable flaws, as the plugin can do anything the user can do.

    Larry is not correct to say that IE will only load signed plugins in XP SP2. I’ve just tested using a random control already installed on my computer, which isn’t signed. SP2 has a new feature where the administrator can, optionally, dictate a whitelist of controls. This isn’t the default option in any zone.

    What ActiveX/COM offers is a consistent way of declaring an object and persistence model for an object, which has strong support from the platform. It’s very easy for developers to deploy a new control. It’s unsurprising, then, that Mozilla cloned most of the concepts in developing XPCOM – ‘cross-platform COM’, although ‘cross-platform’ refers to source compatibility, not binary compatibility. Another difference is that Mozilla keep changing their base interfaces incompatibly, which is why you have to download the right versions of any binary plugins.

    Netscape, Mozilla, Opera and other browsers also still support the old Netscape Plugin API (NPAPI). For those browsers, Flash is an NPAPI plugin. Traditionally you had to restart your browser for a new plugin to be detected, which was one of ActiveX’s improvements over this model – a new control can be downloaded on-demand and instantiated in the calling page, if the codebase attribute is specified. I don’t know why NPAPI support was dropped from Internet Explorer. I’m guessing that it was because you can’t easily retroactively apply a security model.

    Mozilla and Firefox, as I mentioned, support XPCOM as an extensibility mechanism. If the interfaces are marked [scriptable], they can be scripted from within the page. An installer package – an XPI – can be built. The XPI can be signed to verify the contents have not changed since signing and to authenticate the signer.

    IE supports COM as an extensibility mechanism. If the control implements IDispatch, it can be scripted from within the page, if the control is marked safe for scripting and the zone configuration allows it. If the control implements IPersistPropertyBag (IIRC), it can be initialised using parameters, if it’s marked safe for initialisation and the zone allows it. An installer package – a CAB – can be built. The CAB and binary can be signed to verify the contents have not changed since signing and to authenticate the signer.

    IE does have a problem, though. It’s the fact that every Windows system comes with thousands of COM components. IE can be directed to load any of them. As I mentioned above, the riskier things include scripting and initialisation. Some components have been marked safe which shouldn’t have been.

    A number of vulnerabilities blamed on ActiveX have not in fact been problems with the component itself, in the sense that there were no buffer overruns or integer overflows – no coding errors – exploited. Instead, they were repurposing attacks – using the component to perform some trusted operation (writing to a particular file, in ADODB.Stream’s case) not normally permitted to script code.

    Internet Explorer has, in the past, had problems with correctly identifying the zone that data originated from. Attackers have been able to subvert the zone identification to load into a weakly-secured zone to load code not normally allowed. This isn’t a problem with the ActiveX model. It’s a problem with the implementation. In the Download.Ject attack, ADODB.Stream – not marked safe for scripting – was loaded by code that had been incorrectly interpreted as being in the Local Machine zone, which doesn’t enforce Safe For Scripting or Safe For Initialization by default.

    A lot of ignorant people have decided that ActiveX is an inherently insecure technology without bothering to understand exactly what it is, nor that competing browsers also feature binary plugin support WITHOUT any kind of security manager.

  23. Anonymous says:

    I am trying to install KB886903, but I keep getting an error message that installation has failed.

  24. Anonymous says:

    Maria: are you downloading from Windows Update, or using the separate download available at http://www.microsoft.com/technet/security/bulletin/ms05-004.mspx ?

    If you’re having problems with one, try the other. Microsoft offers free technical support for security updates – see http://support.microsoft.com/common/international.aspx for details.

  25. Anonymous says:

    The lack of straightforward answers on this blog is breathtaking.

    Dave Massy, you say that you would recommend not using ActiveX if you can use JScript and DHTML instead, and that this has been increasingly the case since IE4. I for one certainly don’t recall any Microsoft documentation to that effect!

    You designed Windows Update to use ActiveX, and presumably it will continue to do so in the future. (Hence, the oh so convenient and anticompetitive ‘Windows MUST have IE’). Of course, we’re meant to believe that Microsoft doesn’t have ANY programmers capable of writing a simple standalone update program which only accesses a single hardwired update site? That Windows Update uses IE for technical reasons rather than anticompetitive ones? Yeah, right.

    Please explain why Internet Explorer can’t be removed from Windows, and why OEMs shouldn’t have a free choice of web browser.

  26. Anonymous says:


    I got the same "Failed" status message when installing the security update KB888113 via Window Update.

    I called Microsoft and after wasting a good hour trying different things in Safe Mode which didn’t work, I ended up downloading the file directly at:


    Everything worked fine afterwards. Since I had SP1 and SP2 installed, the proper download was the download link to the right of "Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2"

    The support poerson was not really able to explain specifically why one works and not the other, but mentioned that sometimes this does happen, and that downloading a file "manually" and installing a patch locally may work. I had SpySweeper and PestPatrol running which might have interfered. Can’t say for sure.


  27. Anonymous says:

    KB891781 removes some of the interfaces in the DHTML component. Many applications that uses the DHTML component are now broken and the only solution appear to be to uninstall this patch.

    KK Aw

  28. Anonymous says:

    So, Windows Auto-Updates tried to install these latest security updates and all of em got installed except for the one that causes me to see a dialog box that says; "Updates were unable to be successfully installed" – The following updates were not installed: "Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903)" ~~ Anyone know how to fix/handle this? Thanks, B.

  29. Anonymous says:

    So, Windows Auto-Updates tried to install these latest security updates and all of em got installed except for the one that causes me to see a dialog box that says; "Updates were unable to be successfully installed" – The following updates were not installed: "Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB886903)" ~~ Anyone know how to fix/handle this? Thanks, B.

    P.S. Yes I tried rebooting and trying to let it install again. Yes I tried directly downloading the patch and installing it, at which point it says that I can’t install it that way because the program that needs to be updated might not exist. I have the .Net framework v1.1.4322 SP1 according to the about dialog in VS.Net 2003.

  30. Anonymous says:

    As a programmer, I would like to know, how to avoid with problems when you apply the latest security patch kb891781, that caused that dhtmled.ocx ActiveX component no longer allows access to some of its interfaces (IHTMLDocument and so on).

    That’s annoying, because many applications (including my stand-alone application for content web management) are broken (I read on Internet, that it’s true for HomeSite and many others).

    I know that MS informs about the possible problems after installing this patch, but it looks, that MS disabled some interfaces and didn’t really fix the problem.

  31. Anonymous says:

    I’ve also experienced the same problem with the interface not supported with the patched dhtmled.ocx. I’m a developer on a large suite of products and now this problem is preventing a release of our product (or customers need to go to each individual machine and uninstall the "update"). Come on Microsoft, your fixes need to support legacy code! We MUST have a fix ASAP.

  32. Anonymous says:

    More and more people are writing about the problems with the "fixes" in the dhtmled.ocx, but no one has a solution. We also have complaining customers who can’t use our software anymore. The only advise we can give them is to uninstall the hotfix, which isn’t a solution at all because of the vulnerability.

    I don’t understand why Micosoft made an update which disables part of an interface. Maybee it is still possible to get access to the HTML inside the editor (IHTMLDocument2), but in a different way?

  33. Anonymous says:

    KB890047 has disabled dragging files to shares under DFS, but not normal shares. I’m terribly confused by this.

    E.g., \MYCOMPANYDFSROOT$Gravy points to \SERVER1Gravy and \SERVER2Gravy.

    I can drag from my desktop to \SERVER1Gravy and \SERVER2Gravy fine, but I get the circle-with-line "not allowed" icon when I try to drag to \MYCOMPANYDFSROOT$Gravy. Mapping doesn’t help; if I map \MYCOMPANYDFSROOT$Gravy to X:, I can’t drag to X:.

    Anyone aware of a workaround for this? My users’ HOME directories are accessed via DFS.

  34. Anonymous says:

    I have unable to install update is anybody had the same and maybe knows how to resolve



  35. Anonymous says:

    hey, i am having the same problem as Jim Davis where DFS drag and drop isn’t working, does anyone have a fix for this?


  36. We released two critical updates to Internet Explorer yesterday as well as one critical security update

  37. Yesterday’s security updates for February 2005 include two critical updates relating to Internet Explorer: MS05-013 – has a fix for an issue with the DHTML edit control (CAN-2004-1319) MS05-014 – Cumulative Security Update for Internet Explorer These