April IE Security Update is Available


Hello. My name is Al Billings and I’m a test engineer on the Internet Explorer test team posting to the IE Blog for the first time.

I want to announce that the April 2005 security updates are available and that a critical update for Internet Explorer is included:

  • MS05-020 – Cumulative Security Update for Internet Explorer (890923)

This contains fixes for the following vulnerabilities:

Details on the vulnerabilities and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx.

This is a “critical” update and affects all supported IE configurations, from IE 5.01 through IE6 on Windows XP SP2. It is also a cumulative update: it includes the hotfixes that have been released since MS04-004 or MS04-025, but those hotfixes are only installed on systems that need them.

I encourage everybody to install this update, along with the other non-IE updates, via Windows Update. Windows users are also strongly encouraged to turn on Automatic Updates on their systems, so that future updates are downloaded and installed without having to visit Windows Update by hand.
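Once the update has been applied, the check a practitioner will want is confirmation that KB890923 actually landed on a given machine. The script below is an added example, not code from this post or from Microsoft's own tooling. It assumes PowerShell (which did not exist when this was posted), that the update registers itself in the OS hotfix inventory (Win32_QuickFixEngineering) and under HKLM\SOFTWARE\Microsoft\Updates, and that mshtml.dll lives in System32; the per-branch reference versions it compares against are placeholders to be replaced with the values from the bulletin's file information table.

```powershell
# Added example, not part of the IEBlog post: confirm that MS05-020 (KB890923)
# is present on a Windows host, three ways. Only the KB number comes from the
# post; every path, key and reference version here is an assumption.

$Kb = 'KB890923'

# 1. OS hotfix inventory. Get-HotFix wraps the Win32_QuickFixEngineering WMI class,
#    which packages populate when they register with the OS.
#    Assumption: the IE cumulative update registers there on this OS version.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output ("{0} is registered (installed on {1})" -f $Kb, $hotfix.InstalledOn)
} else {
    Write-Output "$Kb is not in the hotfix inventory"
}

# 2. Registry. IE updates record themselves under HKLM\SOFTWARE\Microsoft\Updates,
#    but the subkey path depends on the IE/OS combination, so search for the KB
#    name instead of hard-coding a path (assumed location).
$updatesRoot = 'HKLM:\SOFTWARE\Microsoft\Updates'
if (Test-Path $updatesRoot) {
    Get-ChildItem -Path $updatesRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq $Kb } |
        ForEach-Object { Write-Output "Registry entry: $($_.Name)" }
}

# 3. The binary itself. A cumulative update replaces files such as mshtml.dll
#    with builds whose version is higher than anything it supersedes, so the
#    file version is the ground truth when the inventory and the registry
#    disagree (for example after a hotfix was applied by hand).
function Get-IeFileVersion {
    param([string]$Path)
    $vi = (Get-Item -Path $Path).VersionInfo
    # FileVersion is free text ("6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)"),
    # so build a System.Version from the numeric parts instead of parsing it.
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}

# Compare only within a build branch. IE6 SP1 ships as 6.0.2800.x and IE6 on
# Windows XP SP2 as 6.0.2900.x; they are patched independently, so a plain
# "is the number higher" test across branches says nothing about patch state.
function Test-IeBuild {
    param(
        [System.Version]$Installed,
        [hashtable]$MinimumByBranch   # build number -> minimum patched version
    )
    $branch = $Installed.Build
    if (-not $MinimumByBranch.ContainsKey($branch)) {
        return "unknown branch 6.0.$branch.x: no reference version to compare against"
    }
    if ($Installed -ge $MinimumByBranch[$branch]) {
        return "branch 6.0.$branch.x is at or above the patched level ($Installed)"
    }
    return "branch 6.0.$branch.x is below the patched level ($Installed < $($MinimumByBranch[$branch]))"
}

# The reference versions must come from the bulletin's file information table;
# the two entries below are PLACEHOLDERS, not the real MS05-020 values.
$minimumByBranch = @{
    2800 = [System.Version]'6.0.2800.9999'
    2900 = [System.Version]'6.0.2900.9999'
}

$mshtml = Join-Path -Path $env:SystemRoot -ChildPath 'system32\mshtml.dll'
if (Test-Path $mshtml) {
    Test-IeBuild -Installed (Get-IeFileVersion $mshtml) -MinimumByBranch $minimumByBranch
}
```

Run it in an elevated session on the host being audited. The inventory and registry checks tell you whether the package ran; the file-version check tells you whether the patched binary is what IE is actually loading, which is the question that matters when a later hotfix or a failed install has left the two out of step.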

Al


Comments (20)

  1. Anonymous says:

    Off topic, but what is a mspx file? Like PHP/ASP?

    http://www.microsoft.com/technet/security/Bulletin/MS05-020.mspx

  2. Anonymous says:

    <<Off topic, but what is a mspx file? Like PHP/ASP?>>

    Yes, this is basically an ASPX file but it uses some special classes that Microsoft uses to build our pages.

  3. Anonymous says:

    A lot of people have criticised the update mechanism of Firefox saying that the updater just downloads the newest version and installs it rather than downloading a patch like Microsoft.

    But the fact is this update is almost the size of a full Firefox download anyway; the version for Win 2000 users running IE SP1 is 4013KB. Also, with IE updates you usually have to reboot, and with Firefox you don’t. So because of Firefox’s small size I find it a lot easier to keep Firefox up to date than IE.

    I also wish Microsoft used version numbers correctly rather than this service pack nonsense. Why wasn’t IE SP2 called IE 6.2? Then each update could increment a minor digit (e.g. IE 6.2.5 after 5 patches were released).

    Without having to connect to the internet I can easily see if my Firefox is up to date by looking at the version number in Help > About; you can’t do that with IE.

    Another advantage of incrementing the version number with each patch is that you can download the latest version easily from the website rather than having to download the latest service pack first and then downloading all the updates to it after that (usually with another reboot).

    e.g. when updating an XPSP1 install to SP2 you have to download SP2 first and then reboot, followed by the updates to SP2 and another reboot. Why not have patched versions of SP2 on the website so that there’s a lot less rebooting and downloading?

  4. Anonymous says:

    Dave: The biggest criticism I have of Firefox’s update mechanism is that it just plain doesn’t work for a limited user. Isn’t it a bit rich to describe it as a secure web browser when keeping it up to date requires you to run an inherently insecure setup? But anyway…

    As far as version number and patches go, it’s never that simple.

    Imagine I’m on IE 6.2.0.0 and MSFT release a patch to fix a non-critical PNG bug and in doing so increase the version to 6.2.0.1. However, it causes a problem on my machine and, as it isn’t critical, I don’t install it.

    Now, a much more serious security issue comes out and the version number is again bumped to 6.2.0.2. Naturally I install this patch to keep safe. What version am I running?

    The only way to make a system you suggest work is if you upgrade the entire application for every fix. This introduces a nasty problem though: If a critical vulnerability is identified, I am forced to either accept all the previous non-critical fixes (even if I *know* they will break my configuration) or risk exploitation. That is simply an unacceptable scenario.

  5. Anonymous says:

    Andy, the problem there is that a "fix" introduced bugs. I can’t remember the last time that happened to me with a minor update to non-Microsoft software.

    If minor patches introduce bugs that prevent you from using the application, well then that’s a real problem. It’s just not a problem I have observed in years of using applications with similar development models to Firefox.

    Do you have some basis for expecting bugs to be introduced in this manner?

  6. Anonymous says:

    Several years of being a sysadmin. 🙂

    When I said "bug", it could just have easily been that it fixed a bug which then causes problems in a third-party/custom app. Worse still a new release may well bring inevitable feature creep or a "redesigned to be more user friendly" interface.

    Only developers can’t see that it’s expensive to have to rewrite training documentation or teach unskilled staff to adapt to new features in software. That shouldn’t be forced upon me for a mere security update.

    I could tell you the story about how I had to inflict the changes in Eudora 6.2.1 over 6.1 on our users because it was the only way to circumvent a critical security update. I could tell you the story about how Windows 2000 SP4 would put our desktops into a perpetual reboot cycle. Or I could tell you about how upgrading to Acrobat Reader 6 broke a whole bunch of internal tools.

    The simple fact is any type of upgrade can break things or change them significantly enough that someone might want to delay their implementation in a given environment. And there are whole legions of developers out there that need to learn that there is a difference between a security fix and a version update.

  7. Anonymous says:

    I agree with dave, you guys should just update the version, at minimum with every service pack. You do a Help > About and you see the longest version string ever: 6.0.2800.1106.xpsp2.030422-1633 (this is the string on the machine I am sitting at at school, a service pack 1 machine), then you have the update version string. Why not just say 6.0.2, then for service pack 2 it could be 6.0.3 or 6.1.0? And why does a service pack 1 machine have XP SP 2 in the version string?? Seems misleading.

  8. Anonymous says:

    This is OT, but when is the beta due to start?

  9. Anonymous says:

    Every file from IE contains a build number.

    Basically every hotfix increases it.

    It’s the simple way to control which hotfixes are installed.

    Although you guys are right that there is no quick way to know which file versions and hotfixes are installed, and the whole About dialog is useless.

  10. Anonymous says:

    This time around, I had a problem with Auto-update / Windows Update.

    Throughout this past week I waited and waited for Auto-update to deliver new updates. But nothing happened. No updates, no reboot.

    So, I decided to go to Windows Update manually. And there they were waiting for me, 5 high importance updates. 4 critical updates and one update for the Windows Installer 3.1. So I went on and chose to install them all.

    An error message came up telling me that the updates failed to install. Strange!

    So I tried again. Same error. I am running XP SP2.

    Then I thought that the Windows Installer might need to be installed by itself. So, I went to Windows Update and deselected all the other critical updates (strangely they now became 6 up from the 5 they were the previous times) and left only Installer 3.1.

    It worked, so after Installer was installed I went back and installed all the critical updates.

    But why did I have to do all this? What if I was my grandmother or a less experienced user who expects Auto-update to be working to protect him?

  11. Anonymous says:

    A "critical" vulnerability since IE5.01?!

    Wasn’t IE5.01 released in 1998? That makes it ~7 years to fix it.

    Good job Microsoft!

  12. Anonymous says:

    It’s not that bad, considering the fact that they are promising PNG transparency since IE 4.

  13. PatriotB says:

    "Wasn’t IE5.01 released in 1998, that makes it ~7 years to fix it."

    Nope, it was released along with Windows 2000, which RTM’d at the end of 1999. So it’s less than 5 1/2 years old.

  14. Anonymous says:

    AndyC :

    "The biggest criticism I have of Firefox’s update mechanism is that it just plain doesn’t work for a limited user. Isn’t it a bit rich to describe it as a secure webbrowser when keeping it up to date requires you to run an inherently insecure setup? But anyway… "

    But if you’re a limited user, you can’t install a new program (and so a new virus/malware or spyware …). So if your Firefox was installed by an admin (or a "powerful" user) it’s secure. But I think you can install your own Firefox (you can find Firefox available in one zip, without an installer).

  15. Anonymous says:

    OT: Sorry about the off-topic comment. But I notice that a number of blogs associated with other browsers are commenting on the latest browser compatibility test from the Web Standards Project at:

    http://webstandards.org/act/acid2/

    Any plans for you to comment on the errors this test exposes in IE and your plans to fix them?

  16. Anonymous says:

    Oh, yes… How many here wouldn’t like a really juicy post saying something like "We are aiming for full CSS 2.1 compliance for IE7". Nothing wrong with dreaming, right? 🙂

  17. Anonymous says:

    I did all the updates today and now IE will not work at all! When I try to call up a site on IE, it looks like it’s searching in the C: drive and then it gives me a "cannot find server" error. Netscape and Firefox work fine. What happened?

  18. Anonymous says:

    A couple of weeks back, one of my clients pointed out that when he opens files from an FTP site using…