Disable javaprxy.dll recommended – Update to Security Advisory


Jeremy Dallman here from IE Security team with an update on the security advisory that Microsoft published last Thursday.

In the revised Security Advisory provided earlier today, we recommend disabling Javaprxy.dll by using the registry key update (A.K.A. “killbit”) that is available now from the Microsoft Download Center. You’ll find a link in the updated advisory. This killbit package will also be available on Windows Update soon.

- Jeremy
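A killbit is a registry setting: bit 0x400 in the "Compatibility Flags" value under the control's CLSID key in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility`. The following is an added example, not part of the original post or of Microsoft's advisory, that audits a `reg export` text dump of that key to confirm a killbit actually landed on a machine. The page does not give the Javaprxy.dll CLSID, so the CLSIDs and the sample export below are constructed placeholders.

```python
import re

# Key under which Internet Explorer reads per-control "Compatibility Flags".
KILLBIT_PATH = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT = 0x400  # flag bit that stops IE from instantiating the control
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\" + re.escape(KILLBIT_PATH)
                    + r"\\(\{[0-9A-Fa-f-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', re.I)

# Constructed sample export (already decoded to text); CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A1}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000020
"""

def parse_compat_flags(reg_text):
    """Return {CLSID (upper-case): flags} for keys under ActiveX Compatibility."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header: track it only if it is a CLSID under KILLBIT_PATH.
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            if current:
                flags.setdefault(current, 0)  # key exists, no flags seen yet
        elif current and (m := FLAG_RE.match(line)):
            flags[current] = int(m.group(1), 16)
    return flags

def audit_killbits(reg_text, clsids):
    """Classify each CLSID as killbitted, present without the bit, or absent."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "no entry"
        elif value & KILLBIT:
            report[clsid] = "killbit set"
        else:
            report[clsid] = "entry present, killbit not set"
    return report

if __name__ == "__main__":
    for c, s in audit_killbits(SAMPLE_REG, list(parse_compat_flags(SAMPLE_REG))).items():
        print(c, s)
```

`reg export` writes UTF-16 files, so decode the file before passing its text to `audit_killbits`.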

Comments (34)

  1. Anonymous says:

    Zach could not have said it any better. How true.

  2. Anonymous says:

    Congratulations on the speedy turnaround!

    Note that this is in contrast to Firefox – where a recent vulnerability was first reintroduced into 1.0.4 because of their sloppy testing, and still hasn’t had a patch issued.

  3. Anonymous says:

    Why not fix it instead of just disabling it? It takes Firefox a day to release a patch yet it has been over a week and all we get is a ‘turn off’, not a fix.

  4. Anonymous says:

    jabber, maybe because Microsoft has A LOT more testing to do before releasing a patch.

  5. Anonymous says:

    jabber,

    There have been security holes in Firefox that certainly did not take one day to release a public fix for.

  6. Anonymous says:

    Comments about Firefox are sooo predictable that they could be generated automatically by some simple generator.

  7. Anonymous says:

    You are absolutely right, Jason, Microsoft does not have the resources of a large community of testers like Firefox does.

    BTW as for more testing, Firefox runs under lots more systems than IE, so surely their testing would be more involved?

    Chole – the problem reintroduced (regression) has a very low severity rating and Microsoft has many similar low rating security issues open for months (years in some cases) – Secunia

    Of course, IE no longer releases updates for some editions built into its operating systems (e.g., Windows 98 or its Mac edition) so Firefox is left as the better choice for these users…for shame!

    I wonder if it is Microsoft trying to force users to update? Certainly every other browser out there has no problems being installed and uninstalled on a variety of systems…

  8. Anonymous says:

    secunia.com says 30% of IE 6 security issues are unfixed, 13% are partially fixed and 3% are work-arounds.

    Sure, Firefox has its share, but since I pay for IE in Windows, I should expect better :(

  9. Anonymous says:

    jabber: the reason it takes so long and why they no longer support older OS’s is because IE is heavily intertwined with the OS and other applications. By that, I mean that a number of applications run off of or use the IE engine. The same cannot be said for other browsers such as Firefox or Opera.

  10. Anonymous says:

    Jonathan Snook – Even the IE frame uses the IE rendering component, so this much is true. But it is unfair to suggest that Firefox is not available as a component – it is, I used it in Visual Studio! Granted though that it is not widely used in this form.

    Why does IE need to be so intertwined? I mean it is straightforward to develop a COM object, register its GUID and hence allow reuse by other applications via its interface. Surely the point of components is that they minimise dependencies through encapsulation and hence promote reuse?

  11. Anonymous says:

    Most, if not all, Mozilla’s quick response for Firefox’s PUBLICLY reported unpatched vulnerabilities (as in this case) are configuration changes only. (e.g. change something in the about:config, download a .js file to change configuration automatically, etc.)

    So jabber, stop with the bullshit and admit the facts that MS are really improving in giving quicker response for security issues in their products.

  12. Anonymous says:

    Another blog entry that says nothing about standards, roadmaps, beta releases or other developerish things.

  13. Anonymous says:

    *Golf claps*

    I applaud MSFT for somewhat addressing this issue in an out of cycle patch.

  14. Anonymous says:

    jabber: the reason it takes so long and why they no longer support older OS’s is because IE is heavily intertwined with the OS and other applications. By that, I mean that a number of applications run off of or use the IE engine. The same cannot be said for other browsers such as Firefox or Opera.

    True. If IE wasn’t intertwined with Windows then the patches would be faster. I switched my Explorer to standard, changed the theme to standard and use Throbb Off from http://www.toastytech.com. Now Windows is super fast. I want to remove IE. A BROWSER AND AN OS ARE TWO DIFFERENT THINGS! PLEASE MAKE IE OPTIONAL!!! I read a long but interesting PDF about the Trial about IE. Oh! And Firefox is so much better than IE. Less security flaws. Windows will be more secure without IE.

    http://www.usdoj.gov/atr/cases/f2600/2613g.pdf

    Read and enjoy.

  15. ieblog says:

    Homophobic remarks aren’t going to be tolerated here, everyone. Please don’t call things ‘gay’ or we’ll have to delete the comment.

    Thank you.

    Al Billings [MSFT]

  16. Anonymous says:

    jabber: but even developing it as a COM object has its issues. Would a security fix replace the existing COM object or would you release a new version of the COM object? If you replace the existing one, how do you ensure that you aren’t breaking any number of existing applications that run on top of that object? If you simply create a new version then any existing applications retain the security threat.

    A new version of Firefox, for example, often means that extension developers must retest, retool and re-release their extensions to make them work with the new version. Firefox has simply passed the burden onto developers (hey, the software is free, what are you going to do? complain?).

    It’s inevitable…

  17. pankajahire says:

    Hi,

    Something tells me, that recent blog postings are not really focusing on IE7, but they are more like – "ho-hum, we have to make a weekly posting, so why not post just about any ol’ issue!" :-)

    IE developers – We are desperately waiting for more news on IE7. Please either post the security news on a separate blog or create an exclusive blog focused on IE7.

    Tell us what we web developers could expect, so that we are ready for you when you bring it out. I agree you have told us a lot, but it still seems like a lot less.

    CSS, Standards, Rendering, Scripting changes, New elements, new "weird" extensions – Please talk about them…

  18. Anonymous says:

    Would it be possible to post a link to the update that Jeremy spoke about, as there appears not to be a link with the updated advisory?

    Thank you for keeping us updated on the status of IE 7 and for info on current versions.

  19. Anonymous says:

    Thanks for the heads-up. I’m glad you guys keep on your toes in regards to security.

    It’s amazing how often these things instantly degrade into a pissing contest between FF developers/users and IE developers/users.

  20. Anonymous says:

    crad,

    Go to the advisory, click on Workarounds and then Disable the Javaprxy.dll COM object from running in Internet Explorer and you’ll see all the different links

    Enjoy

  21. Anonymous says:

    I tried to remove IE from my Windows XP install to get away from all this. Since that didn’t work I did the next best thing: remove Windows altogether. Until this is fixed I’ll use other OSes, and tell others around me why they should do the same – with 2k being made obsolete my school’s going to be looking for a new OS for their hardware which can’t run XP…

  22. Anonymous says:

    It would be really cool if we could filter out comments from people with pre-conceived ideas. People who will make the same statements despite any evidence.

    The earlier days of the web with technically oriented, positive people were great. (Now we have contributors, more correctly negative contributors, who add to the volume published and diminish value.) Sad very sad. I’d love to turn some people right off!!

    Now to the meat. Testing is serious work. It can take a lot of time. (I would hate to have software developed by people who claim otherwise.) I’m pleased MS does a proper job of it.

  23. Anonymous says:

    Microsoft will win this game for the same reason they won the OS game, and most other games they decide to play in.

    You don’t have to be cooler. You don’t even have to be first. All you need is to: 1) Be backwards compatible, even if this means ignoring or not fully implementing some things. Designers hate you, users love you. Users win almost every time. 2) Embrace and extend. Do what they do, then do what they do better. This was much easier for Microsoft when it was a much smaller company, but given their knowledge of the other things running on your computer, it’s still hard for most other companies to keep up.

    As an aside, who still uses java for anything? If I had to write an applet (which I see almost no reason to, especially given things like AJAX), I would almost definitely write it in C#.

    -SurrealLogic

  24. Maurits says:

    I use it for:

    VNC’s built-in viewer

    WebTrends dynamic charts

    freechess.org’s built-in player

  25. Anonymous says:

    Will this have an impact on how java works in ie?

  26. Anonymous says:

    I think this is to do with the MS Java VM which was removed in SP 1a (XP users). I don’t think this should apply to 1a and SP2 users that haven’t upgraded. (What I mean is that you went to the shop and purchased a brand new copy of XP with SP 2 that shouldn’t have the Java VM.) I’m not sure that this was removed with the download copy of SP 2. Apparently there was a tool to remove the VM but it was removed by MS from their servers. I do think that MS needs to remove the VM. Not that it’s bad (I used it a lot in 98), it’s because really it’s not supposed to be there.

    Hmm. I can’t wait for IE7 Beta1. According to Paul Thurrott’s website it should have been released. Just waiting for it to appear in Microsoft Updates beta section ::sigh::

  27. Anonymous says:

    It would be nice to have an "alternate style switch" in IE7.

    Greetings:

    WebMonster

  28. Anonymous says:

    In my opinion, if anyone is still using Java for anything productive, you should definitely consider alternatives. Java is the easiest gateway into someone’s system.

    -pty

  29. Anonymous says:

    > You don’t have to be cooler. You don’t even have to be first. All you need is to: 1) Be backwards compatible

    Did you know IE6 breaks core Windows 95 DLLs? Have you lived in a cave for the past 6 months and not known IE7 is only for XPSP2 and above?

    Backwards compatible? More like backwards.

  30. Anonymous says:

    > Did you know IE6 breaks core Windows 95 DLLs?

    Nope – sure didn’t – wasn’t dumb enough to attempt to run a program on an operating system that it does not support.

    >Have you lived in a cave for the past 6 months

    I can not answer this question for him, but if the answer is yes – would you please give Bin Laden a really good wedgie for me?

    > and not known IE7 is only for XPSP2 and above?

    Don’t see how that is material – most new software is only for the newest operating systems. That is what pages like this -> http://www.mozilla.org/products/firefox/system-requirements are for, they even print that info on the box, and in the manual also. By reading that, you would know that since you probably run Win 95 (figure you must, else why would you even remember its existence enough to mention a ten year old OS) – you would notice that you can not run that product on your OS – sorry.

    > Backwards compatible? More like backwards.

    Um, huh

    No I think you are a bit twisting in the wind. Backwards compatible does not mean that what is made today will work on what was made yesterday.

    It means that what was made yesterday will work on what is made today. Might need to turn yourself around a bit on that.

  31. Anonymous says:

    It’s amazing how often these things instantly degrade into a pissing contest between FF developers/users and IE developers/users.

    Actually let’s be fair – it’s normally between some 12 year old firefox users and anybody that they can get to listen/read.

    I refuse to believe that most of the flame comments made here are made by anyone that has reached puberty – that would just be too scary of a thought. Though this is the first post I have read that IE users open up on the offensive, and I was a bit disappointed to see that.

    As to another comment

    > Microsoft does not have the resources of a large community of testers like Firefox does.

    Maybe I am missing something – but last I checked at least one or two more people use IE than Firefox.

    Heck – I got to say something, and I know this comment will be met with denial, and disbelief by some – but anyway here it goes….

    For the vast majority of the people, at least in the United States, a browser is something that opens up a website so they can check a score or whatever – and then a couple of minutes later is closed, and its existence they forget for a week or two until they need to use it again. They do not even recognize that something like Firefox exists, and if you tried to tell them about it at the bar or something, they would start praying to god that this person that is blabbing next to them would leave – or promptly get you drunk so you would pass out. Browsers’ importance to most people is probably somewhere down the list way behind things like what type of toilet paper they prefer.

    That’s the consumer that Microsoft builds its products for, because that is 90 percent of the buying public. Truth is that these people expect things to just work, which is where almost all the security issues came in – Microsoft always has to meet the demands of its customers first and foremost – and then figure out how to get security into that ease of use, not an easy, or even probably completely possible job.