Yesterday’s security updates for February 2005 include two critical updates relating to Internet Explorer:
- MS05-013 – has a fix for an issue with the DHTML edit control (CAN-2004-1319)
- MS05-014 - Cumulative Security Update for Internet Explorer
These are both rated “critical” and affect all supported IE configurations from IE5.01 to IE6 for XPSP2.
In addition, there is a third update to mention - MS05-008 - which contains a fix for a drag-and-drop vulnerability in the Windows shell code. You need both MS05-014 and MS05-008 to resolve the “drag-and-drop vulnerability” (CAN-2005-0053). These updates do not have to be installed in any particular order.
Windows Server 2003 Service Pack 1, Windows Server 2003 x64 edition, and Windows XP Professional x64 edition, all of which hit RC2 yesterday, already include these fixes.
As some of you may know, recent updates for IE 6 SP1 have not contained hotfixes released since MS04-004 and MS04-025. Customers who needed these hotfixes had to download a separate package that contained the hotfixes along with the security update. This caused some confusion around which version to install. Furthermore, the hotfix (or “corporate”) version was not located on Windows Update and therefore not available through SUS.
I’m happy to say that MS05-014 includes both hotfixes and security updates but only installs hotfixes on systems that require them. The original goal of creating separate packages was to isolate as many customers as possible from unnecessary code change. By implementing this solution we’ve maintained that added protection for our customers while easing corporate deployment, an area where we are committed to continual improvement. This capability is similar to what we have always used for IE cumulative security updates for Windows XP SP2 and Server 2003. However, because IE 6 SP1 installs across multiple Windows versions we could not use the same technology. For details on how IE 6 SP1 packages will know whether or not to install hotfixes, please see the ‘Notes’ section of KB867282.
I encourage everybody to download these updates as well as yesterday’s other non-IE updates via Windows Update. I also encourage you to turn on Automatic Updates so you get these updates without having to manually visit Windows Update.