IE August 2005 Security Update is now available!


The IE August 2005 security updates are now available via Windows Update. Alternatively, you can receive these and all other Microsoft updates via the new Microsoft Update. We encourage you to give MU a try.

Information about the IE Security update can be found at: MS05-038 – Cumulative Security Update for Internet Explorer (KB# 896727)

This security update package contains fixes for the following vulnerabilities:

  • JPEG Image Rendering Memory Corruption Vulnerability – CAN-2005-1988
  • Web Folder Behaviors Cross-Domain Vulnerability – CAN-2005-1989
  • COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-1990

Details on the vulnerabilities and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-038.mspx.

This is a “Critical” update that affects all supported IE configurations, from IE5.01 to IE6 for XP SP2 and IE6 for Server 2003 Service Pack 1. All IE security updates are cumulative and contain all previously released patches for each version of IE. In addition, these fixes were included and shipped along with Windows Vista Beta1 and IE7 Beta1.

I encourage everybody to download these security updates and other non-IE security updates via Windows Update. Windows users are also strongly encouraged to turn on automatic updates on their systems so updates are downloaded more easily.

Shortly after we released the updates this morning, we found that several of the Internet Explorer updates provided only to the Download Center were corrupted, breaking the digital signature and preventing them from installing. The updates available on Microsoft Update and Windows Update are not affected and are installing properly. We’ve identified the problem, removed the affected updates from the Download Center and will repost them shortly to correct the issue.

– Jeremy
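
For administrators who stage manually downloaded packages, the broken-signature condition described above can be caught before deployment. The script below is an added example, not part of the original post or Microsoft's tooling; the staging folder and the expected signer name are assumptions.

```powershell
# Added example: check Authenticode signatures on downloaded update packages
# before installing them. Folder and signer name below are assumptions.
param(
    [string]$PackageDir     = 'C:\Staging\Updates',     # hypothetical staging folder
    [string]$ExpectedSigner = 'Microsoft Corporation'   # assumed publisher CN
)

function Test-UpdatePackage {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $cnRule = "CN=$([regex]::Escape($ExpectedSigner))(,|$)"

    # A corrupted or altered file no longer matches the signed hash, so
    # Status is HashMismatch. "Valid" also means the chain is trusted; the
    # CN comparison only confirms which trusted publisher signed the file.
    $verdict = switch ($sig.Status) {
        'Valid'        { if ($signer -match $cnRule) { 'OK' } else { 'UNEXPECTED_SIGNER' } }
        'HashMismatch' { 'MODIFIED_OR_CORRUPT' }
        'NotSigned'    { 'UNSIGNED' }
        default        { "REJECT_$($sig.Status)" }
    }

    [pscustomobject]@{
        File    = Split-Path $Path -Leaf
        Status  = $sig.Status
        Signer  = $signer
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # for the ticket
        Verdict = $verdict
    }
}

$results = Get-ChildItem -Path $PackageDir -Filter *.exe -File |
    ForEach-Object { Test-UpdatePackage -Path $_.FullName }

$results | Format-Table File, Status, Verdict -AutoSize

# A non-zero exit lets a deployment job stop before anything is installed.
$bad = @($results | Where-Object Verdict -ne 'OK')
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) package(s) failed verification; do not install them."
    exit 1
}
```

A failed package should be re-downloaded from the official source and re-checked; the recorded SHA256 makes it possible to tell whether the reposted file actually differs from the rejected one.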

Comments (24)

  1. Anonymous says:

    I’m just curious: There are still several unpatched security vulnerabilities in Internet Explorer. Will these be patched in the future, or are you just fixing newly discovered vulnerabilities?

  2. Anonymous says:

    All browsers have some number of unpatched security issues; in BugZilla, they’re marked private so they’re not publicly visible.

    I’m really tired of people making vague claims about unpatched bugs without providing specific information. In the past, I’ve seen a lot of really dubious "bugs" that weren’t patched because they didn’t really exist.

  3. Mike Dimmick says:

    If you’re talking about Secunia’s reports of unpatched vulnerabilities, I’ve found in the past that, sometimes, the vulnerabilities are actually fixed but Secunia don’t update their information.

    I encourage the IE team to confirm whether the supposedly ‘unpatched’ vulnerabilities still reproduce, and if not, to inform Secunia.

  4. Anonymous says:

    Why does IE even instantiate COM objects that are not intended for use in IE? IE has to instantiate the object in order to query IObjectSafety, which is why these COM vulnerabilities exist. All that would be required is a key in the registry for the object to indicate whether it should be used in this way or not. The first time the object is used, IE can ask the user whether they want to set this key, and at any time the user could revoke it.

    See:

    http://www.securityfocus.com/archive/1/391803

    for more details.

  5. Anonymous says:

    Yes, I was talking about those Secunia has marked as unpatched.

    "If you’re talking about Secunia’s reports of unpatched vulnerabilities, I’ve found in the past that, sometimes, the vulnerabilities are actually fixed but Secunia don’t update their information."

    If that’s the case, I would like to see Microsoft inform them. There are a lot of people out there, including myself, who use security as an argument to switch to e.g. Mozilla Firefox or Opera. If Microsoft could fix all unpatched vulnerabilities, at least those that have a comparatively high risk level, in addition to the great bug fixes they have announced will be available in Internet Explorer 7 beta 2, I believe Internet Explorer would be close to a great browser.

    PS: I didn’t really want to start a discussion about the unpatched security vulnerabilities in Internet Explorer – I was just curious why they still haven’t fixed them …

  6. Anonymous says:

    The funny thing is this is exactly what a compromise of Microsoft’s patching infrastructure would look like and nobody batted an eyelid.

    Surely patching tools should be screaming warning bells all over the place? Why did customers just continue trying to install the patches via other methods instead of going "wait is this a hack?"

    Scary world we live in.

    Well done to the IE team for an otherwise successful patch release.

  7. UnexpectedBill says:

    Hello all…

    I don’t mean to come across as harsh or rude, but will someone at Microsoft *please* fix the updated automatic updating components?

    I realize that some users will need to be reminded repeatedly that they should reboot their computer to finish updating.

    However, I’m of the school of thought that I will reboot when I’m ready to do so. I find the continual reminder window to be rude and incredibly aggravating. It may not be smart or the best approach, but I’d really like to see an update to the Microsoft Update/Windows Automatic Updating stuff that lets a user tell automatic updates to *be quiet* and *stop bothering me*!

  8. Anonymous says:

    As usual the comments section quickly fills with stunning insights.

    "PS: I didn’t really want to start a discussion about the unpatched security vulnerabilities in Internet Explorer – I was just curious why they still haven’t fixed them"

    Uh, I spot a contradiction. If you want to know why an alleged vuln has not been fixed, then you *do* want to start a discussion about unfixed vulns. Oh wait, maybe you just want to contribute a zero-usefulness swipe. Could you be yet another passive aggressive nerd posting here?

    As for the person who deliberately installs updates that require a reboot, then complains about the dialog prompting a reboot…don’t you think the prompt is maybe *supposed* to be annoying?

    And, duh, you could always put off installing the patch until you are prepared to reboot afterwards. Patch descriptions indicate whether a reboot is likely to be required. Wait, reading, so difficult…

  9. Anonymous says:

    Asking a question doesn’t have to result in a discussion. If there’s a reason – okay, that’s fine for me. That’s all I need to know. I asked because I’m curious why Microsoft doesn’t fix all security vulnerabilities when they say they take security seriously. If they say that the remaining vulnerabilities are not high-level risks, I accept that. They know more about these problems than I do and that’s why I ask.

  10. Anonymous says:

    Re: Yellow Shield of Annoyance

    I really dislike the yellow shield. It is slightly less annoying than the prompt that comes up with a restart countdown, but I’ve accidentally hit the reboot a couple times. Wish I knew who was actually in charge of that around here.

    It is not an IE component from what I can tell. We can’t do anything about it.

  11. Anonymous says:

    Rebecca Norlander on why the SP2 updater is deliberately annoying:

    http://channel9.msdn.com/ShowPost.aspx?PostID=9809#9809

    I’ll agree it can be a bit invasive but it certainly does the job!

  12. Anonymous says:

    > I’d really like to see an update to the Microsoft Update/Windows Automatic Updating stuff that lets a user tell automatic updates to *be quiet* and *stop bothering me*!

    I just attended a talk where Windows Update decided to run in the background on the presenter’s machine, and then popped up the "reboot in 5 mins" dialog. Unfortunately it was in the middle of the talk, and the "ask me later" button only delayed things about 10 mins or so, so the talk was continually being interrupted so he could walk to the machine and click "ask me later" again. No option for "just leave me alone". It was very unprofessional, and it makes me glad I never use Windows machines to give presentations with.

  13. Anonymous says:

    I hate the reboot dialog too. It can’t be stopped! Even if you kill the process that generates this dialog, Windows restarts it!

  14. Anonymous says:

    The reboot dialog can be stopped. If it’s annoying you, stop the Automatic Updates service. Note that visiting Windows Update will restart this service and the reminders so if you go there, you’ll need to do this again. From the command-line, net stop "Automatic Updates".

  15. Anonymous says:

    Spanish update is still wrong. Have you tested right?

    See you.

  16. Anonymous says:

    Tom, can you tell us what platform version of the Spanish package you are experiencing this on?

  17. Anonymous says:

    Hi Jeremy,

    I have downloaded the update again this morning and it already works and installs fine. Maybe it was that when I had downloaded the patch, it was still the old one with the signature problem.

    My platform is WinXP Pro SP2 Spain (I don’t know if this is what you are asking for).

    Thanks for your support :).

    See you.

  18. Anonymous says:

    I am installing on a French language machine, Windows 2000. Windows Update first installed an update from v5 to v6, then crashed out with the error 0x8007041D.

    Multiple reboots/dropping security levels to minimum does not help.

  19. Anonymous says:

    Regarding unpatched bugs… I know that it has been stated that IE7 will not be made available for Windows 2000 and lower, primarily (to my understanding) due to difficulties in implementing the various new features.

    However, there are plenty of bugs in IE6 that are being addressed in IE7 – primarily concerning the rendering engine (CSS1 & 2 support, PNG transparency, etc). In my opinion, these ARE bugs in IE6, since it claims to support PNG and CSS.

    Considering the vast number of corporations that will continue to run Windows 2000, would it not be wise to address these basic issues? How difficult would it be to patch in IE6 (call it 6.5 or something) the same rendering bugs that are being fixed in IE7?

  20. Anonymous says:

    On the day of release I updated two servers over remote desktops from the Update website (possibly with the corrupt files).

    On reboot I could no longer remote to them.

    I utilised VNC to see the desktop, which took over an hour to get to the login splash screen.

    The servers are now unable to access the web and actually hang on going into the IE Connections tab.

    As the servers are in the US and I am in the UK, troubleshooting is limited and I have to wait for personnel to come in (for rebooting), as the server hangs on shutdown.

    Any advice??

  21. Anonymous says:

    The message about being aware of the problem with the Download Center updates needed to be both on the site and provided to PSS. I can’t use Windows Update (it fails, nobody can figure it out) so must go to each security bulletin individually and download each patch. I spent an hour on the phone with PSS when, with proper communication, it should have been a 1-minute call: "They’re fixing the download, try again in X hours."