IE October 2005 Security Update is now available!


The IE October 2005 security updates are now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I would encourage you to upgrade to Microsoft Update if you haven’t already.

Information about the IE Security update can be found at: MS05-052 – Cumulative Security Update for Internet Explorer (KB# 896688)

This security update package contains fixes for the following vulnerabilities:

  • COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2127

Details on the vulnerabilities and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-052.mspx.

This is a “Critical” update and affects all supported IE configurations, from IE 5.01 through IE6 on XP SP2 and IE6 on Server 2003 Service Pack 1. All IE security updates are cumulative and contain all previously released patches for each version of IE. Security updates for IE7 Beta 1 users on XP SP2 and Vista Beta 1 are not available today, but will be available on Windows Update within the next few days. I will update the blog when these are available.

I encourage everybody to download these security updates and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to turn on automatic updates for their systems to download updates more easily.

 – Jeremy Dallman

Comments (42)

  1. Anonymous says:

    thisBlog.coolness–

  2. Anonymous says:

    thisBlog.coolness++

    thisBlog.coolness++

  3. Anonymous says:

    You know, I’d install/upgrade Microsoft Update, but apparently MS only cares about users running IE.

    Is it really that hard to offer a freaking EXE to download? I can’t even use the Windows Update site anymore (there used to be an application that you could download to pass WGA, but apparently MS removed it).

    Sigh.

    Oh, and good job not following your own advice ( http://blogs.msdn.com/ie/archive/2005/09/01/459541.aspx )

  4. Anonymous says:

    Bob, we do in fact offer signed EXE files for you to download. Please read the bulletin linked by Jeremy and look under the ‘Affected components’ near the top of the bulletin. There are links for the supported versions of Windows there. The URL specifically to the bulletin is http://www.microsoft.com/technet/security/bulletin/ms05-052.mspx

    -Christopher

  5. Anonymous says:

    That was fast, the speed at which you guys fixed the COM issue. Kudos.

    BTW, Fred and the anon user forgot their semicolon :p

    int thisBlog = 1337;

  6. Anonymous says:

    Any word on whether or not Internet Explorer will support display: table yet?

  7. Anonymous says:

    Any news on how IE7 is coming along? When will beta 2 be released for example?

  8. PatriotB says:

    As far as I understand it, this vulnerability will keep coming back as more vulnerable COM objects are discovered/developed. From what I understand, IE7 will remedy this: blocking by default all COM objects except those that are explicitly OK’d for IE. (correct?)

    Also the bulletin mentions improvements made to both the popup blocker and the addons manager. I’m curious as to what these improvements are — perhaps a topic for a quick blog posting? :-)

  9. Anonymous says:

    In reference to:

    Bob, we do in fact offer signed EXE files for you to download. Please read the bulletin linked by Jeremy and look under the ‘Affected components’ near the top of the bulletin. There are links for the supported versions of Windows there. The URL specifically to the bulletin is http://www.microsoft.com/technet/security/bulletin/ms05-052.mspx

    -Christopher

    I think he meant that he cannot download in another browser other than IE, but that’s not what I see, since there is no validating on these hot fixes. But on others, yes, it seems you must be running IE to download, as you can only validate using IE. :(

    Will

  10. Anonymous says:

    You can download on a non-IE browser; I use Firefox all the time. You have to download GenuineCheck.exe and run it.

    And security patches don’t require this anyway.

    But yes, you can’t run Microsoft Update without IE, which was what I think the original correspondent wanted; a standalone EXE version of Microsoft Update.

  11. Anonymous says:

    Is this security update any more stable than the last? When I installed the Cumulative Security Update for IE6, KB896727, on my W2K machine it disabled Windows Update. The only advice from MS that actually worked was to disable my firewall and anti-virus software (hello??). So before I spend another day contemplating wringing Mr Gates’ neck, can anyone let me know if there are any ‘known issues’ installing this on my machine?

  12. Anonymous says:

    Richard, Will, Bob: The IE team doesn’t own Windows Update or Microsoft Update so this isn’t the right place to ask about supporting other browsers on those sites. I’m not sure if the WU/MU guys have a blog but if they do perhaps you could ask there.

    Greg: We install & test all our packages on a variety of IE/OS combinations including IE6 SP1 on W2K. For us it never disabled Windows Update, and we certainly don’t expect you to have to disable your firewall or AV software (I think it’s as crazy a thing as you do!). I would install an anti-spyware app and see if there’s something interfering with your system, because your situation is not something we have seen nor expect. This security update has been similarly tested and should work with all major AV and firewall applications as well.

    -Christopher

  13. Anonymous says:

    Could you give us a hint as when Internet Explorer 7 Beta 2 will be available? I thought today?

  14. Anonymous says:

    Got a couple of slight suggestions about the blog itself (wasn’t really sure where to go, so I just decided to put them here).

    1) Why is the comment box down here at the bottom of the posts? Now, I’m not sure if this has already been blogged about, and I know it doesn’t really matter with only about 13 comments, but I’ve seen topics that have had in excess of 500 comments. Surely it would be more logical to put the comment box straight under what the IE team have written. If people then want to check out what someone else has written they can simply scan down as required.

    2) Could you please put in some kind of a preview function, as the formatting in the comment box does not always match up with when you finally post the comment.

    Thanks for your time.

  15. Anonymous says:

    Hopefully, this should take care of bugs being taken advantage of by attackers to inject an XSS, like this one

    http://ha.ckers.org/xss.html

  16. Anonymous says:

    <<Hopefully, this should take care of bugs being taken advantage of by attackers to inject a XSS, like this one >>

    XSS bugs are bugs in webpages, not Internet Explorer.

    The page you mentioned describes how to bypass weak script-injection mitigations often attempted on the server.

    Stronger approaches to mitigating script injection on the server call for rendering untrusted HTML in a RESTRICTED iframe on the client, and using a RegEx to PERMIT only trusted constructs and DENY everything else. See "Writing Secure Code" for an explanation of why AllowLists are safer than BlockLists.

  18. Anonymous says:

    How’s IE coming along? We want info!

    Why so much inactivity lately?

  19. Anonymous says:

    Hi, "Hi".

    I suspect the comments field is on the bottom on the theory that you’ll want to read others’ comments and determine if what you have to say is useful, or if it’s redundant and has already been covered.

    I couldn’t possibly agree more regarding the preview option. That’s doubly important since there’s no indication of how comments will be formatted. For example, some weblogs require you to explicitly specify paragraph breaks with <p></p>; others ignore them, and others display markup as plain text. There’s no indication of how this blog behaves until you’ve already posted what you’ve written. That seems to be a broader issue with MSDN blogs, though, not this one specifically.

  20. Anonymous says:

    Hi, Craig

    Finally came up with a better name, but don’t ask me how I went from ‘Hi’ to ‘Serious Sam’ – not quite sure myself, lol.

    I guess you have a point with the box being at the bottom, since it did make replying to your post a lot easier, and it probably does help cut down on the redundant comment thing – although apparently not when someone gets on a topic like ‘MSFT is just copying Firefox or Opera, shock, horror, and all the rest’. I’m going to assume, though, that comments like that are like yawning – once someone has started, everyone else seems to follow suit, lol.

    Anyways, about the preview function, I know this might be wishful thinking, but maybe they could introduce it with some kind of a spelling checker, lol. I’m not sure if this is possible, but it’s just that I think I’ve seen it in a couple of other blogs and it picked up on what would have otherwise been some very embarrassing mistakes, lol.

  21. Anonymous says:

    @Eric Law,

    If you have followed up the link…

    "Embedded tab to break up XSS. This works in ‘IE’ and Opera. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work."

    "Okay, I lied, null chars also work as XSS vectors in both IE, Netscape 8.0 in trusted site mode and older versions of Opera, but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char)."

    "Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I’ve seen this vector bypass some of the most restrictive XSS filters to date (again, only works in IE, Netscape 8.0 in trusted site mode and older versions Opera):"

    "IMG Dynsrc (works in IE):"

    "IMG lowsrc (works in IE):"

    "BGSOUND (works in IE):"

    "VBscript in an image:"

    "Div expression (IE only) – a variant of this was effective against a real world XSS filter using a newline between the colon and "expression""

    "STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts)"

    "IMG STYLE with expression (this is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop)"

    "BASE tag. Works in IE and Netscape 8.0 in safe mode. You need the // to comment out the next characters so you won’t get a JS error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work)"

    "OBJECT tag (IE only, but if they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:"

    "UTF-7 encoding – if the page that the XSS resides on doesn’t provide a page charset header, IE (with charset auto recognize enabled) or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one)"

    Note the two chars, ‘IE’.

  22. Anonymous says:

    I had an interesting problem with this patch. It didn’t just break the ActiveX for Windows Update but it broke all ActiveX downloads and running ActiveX controls in IE on my box. I work in Microsoft Content Management Server 2002 SP1 and I had to uninstall this patch in order to work with the ActiveX control that MCMS uses.

    Thinking that I simply had a bad application of this fix, I uninstalled it and reinstalled. When applied, I cannot get my box to interact with ActiveX controls in IE at all.

  23. Anonymous says:

    Same thing happened to me…

    It wiped out Active X and all my plugins (I can’t even get Flash Player to run or download now). I can’t connect to Windows Update now either :

  24. Anonymous says:

    Same problem here on a W2k3 server, yet it doesn’t seem to be a problem on W2k or XP (home or Pro) for me. Is it related to a combination of other software? There really isn’t much on the 2k3 server to conflict with, but most of it is on the other machines noted and they seem fine. The only standout being MailEnable Pro.

  25. Anonymous says:

    I lost ActiveX after installing 896688 and got it back after uninstalling.

  26. Anonymous says:

    So, now it’s been over a week where I have been uninstalling 896688 over and over. My box keeps getting restarted on our network and re-installing the patch. I’m starting to be at my wits’ end about this whole thing since I need to use ActiveX controls for my daily job.

  27. Anonymous says:

    Cale, simplest (but maybe not the safest) option is to disable auto updates. The server I mentioned earlier is a webserver, so we don’t want it to keep going down to reinstall an update we then have to uninstall.

  28. Anonymous says:

    Solution from Microsoft at long last!

    Step 1. Install KB896688 again.

    Step 2. Import related registry keys.

    ==============================

    1. Click Start, click Run, type: NOTEPAD and press Enter.

    2. A notepad will pop up. Please copy and paste all the following content into the notepad:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}]

    @="ClassMoniker"

    [HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}\InprocServer32]

    @="ole32.dll"

    [HKEY_CLASSES_ROOT\CLSID\{0000031A-0000-0000-C000-000000000046}\ProgID]

    @="clsid"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\CLSID]

    @="{0000031A-0000-0000-C000-000000000046}"

    3. Click File, click Save As, type the name: FIX and save it directly to the desktop.

    4. Go to desktop and find the file FIX.txt. Please rename the extension .txt to .reg.

    5. Double click the FIX.reg to import related registry keys. Choose Yes to confirm.

    Now let us restart the computer and test the issue again.
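    The procedure above restores the class-moniker registration that ActiveX instantiation depends on. The following read-only check, which is an added example and not part of the comment or of Microsoft’s guidance, audits those same keys before and after the import so you can see which are missing or hold a different default value. It assumes a modern PowerShell (not available on the 2005-era systems in this thread) run from an elevated prompt; the key paths and expected values are taken verbatim from the .reg text above, and the script changes nothing.

```powershell
# Added diagnostic, not from the comment or from Microsoft: reports whether the
# class-moniker registry keys listed in the fix above exist and carry the expected
# default values. Read-only; it never writes to the registry.
$clsid = '{0000031A-0000-0000-C000-000000000046}'

# Expected state, taken from the .reg text in the comment above.
$expected = @(
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid";                  Value = 'ClassMoniker' },
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32";   Value = 'ole32.dll' },
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\ProgID";           Value = 'clsid' },
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\CLSID'; Value = $clsid }
)

function Test-ClassMonikerKeys {
    param([array]$Entries = $expected)
    foreach ($e in $Entries) {
        $status = 'missing'
        $actual = $null
        if (Test-Path -LiteralPath $e.Path) {
            # The registry provider exposes a key's default value as the '(default)' property;
            # when no default value is set, the property is absent and this yields $null.
            $actual = (Get-ItemProperty -LiteralPath $e.Path -ErrorAction SilentlyContinue).'(default)'
            if ($null -eq $actual -or $actual -eq '') { $status = 'no default value' }
            elseif ($actual -eq $e.Value)             { $status = 'ok' }
            else                                      { $status = 'unexpected value' }
        }
        [pscustomobject]@{
            Key      = $e.Path
            Expected = $e.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = Test-ClassMonikerKeys
$results | Format-Table -AutoSize

# Summarise without touching anything; the .reg import in the comment above is the
# documented way to restore missing keys, and a 'unexpected value' row deserves a
# closer look before any import, since something else has rewritten that key.
$problems = @($results | Where-Object { $_.Status -ne 'ok' })
if ($problems.Count -eq 0) {
    Write-Host 'All class-moniker keys present with the expected default values.'
} else {
    Write-Warning ("{0} key(s) differ from the expected state; review the table above." -f $problems.Count)
}
```

Run it once before the import to confirm the keys are actually absent (if they are all ‘ok’, the ActiveX failure has a different cause) and once after the reboot to confirm the import took effect.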

  29. Anonymous says:

    I tried the solution described in the previous comment, but it doesn’t work. The ActiveX controls in question are not running in IE – are additional registry entries required to handle this case?

  30. Anonymous says:

    This update broke my Dell Inspiron 5100 running XP SP2. I wish Microsoft would pay me a nominal $10/hour for all the hours I spent screwing around trying to find the source of the problem. I finally used a month-old image of the drive and everything was working again UNTIL I allowed the Automatic Update to do its thing. I guess it was the ActiveX function that I lost, since that best describes the things that were broken, including System Restore. I uninstalled KB896688 and behold, everything was back to normal.

    When will Microsoft fix this upgrade since I keep getting nagged to install it?

    Rick

  31. Anonymous says:

    I just finished a long call to Microsoft. The problem with ActiveX and this update is known to them, but a fix has not been determined.

    Microsoft Support for Security Updates is FREE!!! Call them at 866-PCSAFETY. The more people that call and help them troubleshoot this problem, the sooner they will figure it out and fix it.

    I ended up speaking with a very nice lady in India who seemed very knowledgeable. We tried a number of things including a Registry Edit with no success. She said I should be getting an ActiveX permission bar but I am not. She is kicking the problem up to her Research Dept for resolution. They assigned me a Case Number and I got an email confirmation with her email in case I need to follow up with her. Stay tuned.

    Rick

  32. Anonymous says:

    I’m running Win2k Pro here at IBM, and this update (which I am required to install) does the following:

    1. Windows Update fails.

    2. Add/Remove programs control panel fails with a script error and does not list programs to uninstall.

    3. Viewing folders as "web folders" instead of classic shows only a small broken image and fails to list the contents of the folder.

    I have to manually find the uninstall files for this patch, reboot, and everything works fine again until IBM’s utility forces me to upgrade and hose my computer again. I’ve tried installing the patch from Windows Update as well as the standalone .EXE, to no avail.

    I hope they fix this sometime soon. I will get a security violation for denying a critical patch, but I can’t willingly hose my system either.

  33. Mike Dimmick says:

    I’d like to remind everyone having problems that support for security patches is free. See http://support.microsoft.com/gp/securityhome/ or http://support.microsoft.com/gp/securityitpro/

    Meanwhile, what happened to the IE7 Beta 1 patch? I note that the file on MSDN Subscriber Downloads was updated on 19 October – was this updated to include this patch? Should I redownload and reinstall?

  34. Anonymous says:

    If anyone is taking votes, I too have this problem. I have an XP Pro workstation with IIS personal web server loaded, XP Firewall enabled with exceptions to allow web services out and remote desktop to a specific IP block. After many hours I discovered that KB 896688 was the straw that broke the camel’s back. I have been working with Microsoft for more than a week and they have yet to come up with an answer. Today I let them know it has something to do with the Security Update 896688. Maybe a fix will be made available soon. Has anyone tried deleting the update out of the download cache area?

  35. Anonymous says:

    Same problem with my system: it disabled Flash and prevented any ActiveX object from being displayed, even after resetting all IE security options to default. After uninstalling the patch, the issue was resolved.

  36. Anonymous says:

    Same thing happened to me…

    I uninstalled the Cumulative Security Update for Internet Explorer (896688)

    and now it runs

  37. ieblog says:

    I deleted the comment of someone who posted external links that weren’t relevant to this blog thread (pointers to 3rd party sites offering ‘free software’). Please keep topics/posts/links relevant. Thanks.

    -Christopher [MSFT]

  38. Anonymous says:

    I noticed that someone posted a similar issue above. I have read the KB article on this update and I can tell you it doesn’t make any sense (to me). Would it be possible to post only the hotfixes that are new since the last IE update? The build of this machine was done on 8/25, which is the date of the last update. I opened it today to install the remaining hot fixes. As I stated above, I have all other patches installed.

  39. Anonymous says:

    I installed this update on a Windows 2003 Server and it broke the Windows Update ActiveX control. The control loads, but seems to be unsuccessful at connecting to Windows Update through a firewall/proxy server. I have installed and uninstalled the patch, so there is no doubt what is causing the problem. All other security updates have been installed.

  40. Anonymous says:

    Microsoft Research Dept called about my case and reported that they are having many reports of problems with this update and will withdraw it and replace it with another one.

    Rick

  41. Anonymous says:

    Rick! If this gets resolved for you, please post here. I have been reading your posts and am eagerly awaiting a fix or for them to dump that update from Windows Update so I can patch my box. I don’t want to have to rebuild it.

    Cale