IE’s June 2005 security update is now available

Hello. My name is Jeremy Dallman. I am the project manager for Internet Explorer security bulletins.

I am announcing the availability of the June 2005 security updates. This group of security updates is available via Windows Update and includes a Critical fix for Internet Explorer.

Information about the IE Security update can be found at: MS05-025 – Cumulative Security Update for Internet Explorer (883939)

This security update package contains fixes for the following vulnerabilities:

  • PNG Image Rendering Memory Corruption Vulnerability – CAN-2005-1211
  • XML Redirect Information Disclosure Vulnerability – CAN-2002-0648

Details on the vulnerabilities and workarounds can be found at

This is a “Critical” update and affects all supported IE configurations from IE5.01 to IE6 for XPSP2 and IE6 for Server 2003 Service Pack 1. All IE security updates are cumulative and contain all previously released patches for each version of IE.

I encourage everybody to download these security updates and other non-IE security updates via Windows Update. Windows users are also strongly encouraged to turn on automatic updates on their systems so updates are downloaded more easily.


Comments (20)

  1. Anonymous says:


    Does this or does this not fix the vulnerabilities listed at eEye Upcoming Advisories?

    According to that page the answer is no. One of the bulletins is listed as being unpatched for 90 (yes, 90) days since disclosure.

    If the answer is no then is there a workaround?

  2. Anonymous says:

    Man, project manager for Internet Explorer security bulletins, you gotta have a lot of work!

    (Sounds nice btw)

  3. Anonymous says:

    CAN-2002-0648 was found almost 3 years ago!!!

  4. Anonymous says:

    I understand that CAN-2002-0648 is the name of the first vulnerability, and this is a fix of a variation of the vulnerability.

    Is this correct?

  5. Anonymous says:

    Solrac, you are correct. The fix in this security update is a variant fix for CAN-2002-0648. You can find additional details within the MS05-025 security bulletin under the FAQ for this vulnerability (Navigate to General Information/Vulnerability Details/XML Rendering…/FAQ…

  6. Anonymous says:

    One thing I would love in IE7 would be a list of all certificates in a page.

    For example if the page has several frames, have a list of all different certificates in the browser, and an option to be warned about this situation.

  7. Anonymous says:

    Where can one submit bugs related to IE?

  8. Anonymous says:

    Jeremy, any idea if IE’s DHTML circular reference memory leak problem will ever be addressed?

    Not exactly the "thin-client" application one was expecting to have developed when it requires 50-100MB of memory due to excessive memory leakage.

    Didn’t ever expect to be spending time writing manual garbage collection in Javascript.

  9. Anonymous says:

    To Worried Sysadmin:

    The eEye advisory you mention has been fixed – it’s the HTML help one.

    As far as I understand it, it involved an Integer Overflow problem.

    Only trained security researchers would ever be able to find such holes. Such researchers tend to be white hats, and are probably good enough at social engineering to be able to compromise you anyway.

    l33t 5cr1pt k1dd13s won’t be able to exploit, and so you are probably safe.

  10. Anonymous says:

    Hope you guys patch everything next time.

    Keep up the good work

  11. JD, did you ever notice that the two big Secunia graphs – unpatched vulnerabilities and criticality of vulnerability – don’t have a breakdown of unpatched vulnerabilities by criticality?

    How many of those unpatched vulnerabilities are critical? How about important?

    Something to think about when pointing to pie charts.

  12. Anonymous says:

    You are right on the pie chart. But some of these vulnerabilities have been out for months and are still unpatched. ie

    If you compare it with Firefox or Opera. Almost all of their vulnerabilities are patched. I just think it’s bad publicity for MS.

  13. Anonymous says:

    I hardly call something that involves tricking someone into believing one thing, and doing another a security issue.

    I mean, jeez – if I am going to go through that much hassle as mentioned above – why don’t I just put up a self extracting zip file that doesn’t do what I say it’s going to do? I mean some of these security issues are not security issues.

  14. Anonymous says:

    I mean come on – so, for this to have any possibility whatsoever as being a risk – you would have to go to a specific site, that is in your trusted sites.


    And this site would have to be something worth trying to trick someone into something in.

    And this site would have to use frames.

    And then, you would just have to happen to go to another site – that is just waiting for visitors that are also at the other site at the same time, but not only that – they have to know you are at that other site at the same time, or which site you are at, to send the correct spoof page.

    Well, easy to fix – tell the guy looking over your shoulder to move. Jeez – what is the possibility of me going to site A, that has frames and is a bank or the like, and then going to a bad guy’s site that is going to throw their own page into Site A, because they just happened to know that I have that website open at the same time? Somehow, I think the chances of me winning powerball are greater than the chances of me being able to successfully exploit this.

  15. Anonymous says:

    Heh, I am happy to say that I will not require the update as I am using a superior browser: Opera. In fact, right now I am downloading the 8.01 update. Seems that they actually fixed (imagine that 😉 a whole lot of things immediately as soon as they were found out. Of course, you could still be using Opera 8.0, 7, or even 6 as there have been no people to exploit a vulnerability in Opera. Perhaps it’s because Opera users have more common sense than IE users?

  16. Anonymous says:

    Opera is used by around 1% of the web. It’s not an exploit target like the mid 80% that use IE.

  17. Anonymous says:

    Since installing the latest security update I can no longer open CHM files over a network or the web. I can open local copies. Is there a setting somewhere that I can tweak?
