IE December 2005 Security Update is now available!


The IE December 2005 security updates are now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update; I would encourage you to upgrade to Microsoft Update if you haven’t already.

Information about the IE security update can be found at: MS05-054 – Cumulative Security Update for Internet Explorer (KB905915)

This security update package contains fixes for the following vulnerabilities:

  • File Download Dialog Box Manipulation Vulnerability – CAN-2005-2829
  • HTTPS Proxy Vulnerability – CAN-2005-2830
  • COM Object Instantiation Memory Corruption Vulnerability – CAN-2005-2831
  • Mismatched Document Object Model Objects Memory Corruption Vulnerability – CAN-2005-1790

Details on the vulnerabilities and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx.

This is a “Critical” update and affects all supported IE configurations, from IE 5.01 through IE6 on XP SP2 and IE6 on Windows Server 2003 SP1. All IE security updates are cumulative and contain all previously released patches for each version of IE. Security updates for IE7 Beta 1 users on XP SP2 and Vista Beta 1 are not available today, but will be available on BetaPlace within the next week.

I encourage everybody to install these security updates, and the other non-IE security updates, via Windows Update or Microsoft Update. Windows users are also strongly encouraged to turn on Automatic Updates so that future updates are downloaded and installed without manual effort.

 – Charles Watanabe

Comments (36)

  1. Anonymous says:

    I’m glad you knocked those out, but seriously:

    http://eeye.com/html/research/upcoming/index.html

    Why do these take so long to fix?

  2. Anonymous says:

    To LXer: Maybe because that Sony/First4Internet thing really WAS as bad as believed. Not to mention that Sony’s own patch was apparently bad (search around, I’m lazy right now…). Or maybe they just wanted the patches to work.

    Comment preview would be nice, but I guess we should wait for THAT update too.

  3. Anonymous says:

    – Charles Watanabe

    …is that really your lastname?

  4. PatriotB says:

    I’m curious about the COM Object Instantiation vulnerabilities. There’ve been several patches for this, each covering more and more CLSIDs. There hasn’t been any real good explanation of what causes this, has there? It’s bugs in the specific COM objects themselves, right? Like crashing when QueryInterface’d for IObjectSafety?

  5. Anonymous says:

    <<I’m curious about the COM Object Instantiation vulnerabilities.>>

    PatriotB– http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx describes the problem in some level of detail, but yes, misbehaving COM code is the general gist of the problem.

    We’ve used "killbits" to prevent known vulnerable code from running, and we’ve locked down what objects are eligible to load as described here: http://blogs.msdn.com/ie/archive/2005/11/04/489256.aspx.

    The ActiveX Opt-in feature for IE7 (mentioned here: http://blogs.msdn.com/ie/archive/2005/09/13/465338.aspx) goes a step beyond even what we’re doing in IE6 for even better defense-in-depth.
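
The "killbit" mechanism mentioned in the reply above is a registry flag rather than a code change, so it is worth seeing what checking and setting one actually looks like. The following PowerShell is an added example written for this page; it is not code from the IEBlog post or from Microsoft. It assumes the documented killbit layout (the 0x400 bit of the REG_DWORD "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, per Microsoft KB 240797), that it runs in an elevated PowerShell prompt for the write path, and it uses a made-up placeholder CLSID for illustration, not one of the CLSIDs covered by MS05-054:

```powershell
# Added example (not from the original post): audit and set IE ActiveX killbits.
# A killbit is bit 0x400 of the "Compatibility Flags" REG_DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# When set, IE refuses to instantiate that CLSID as an ActiveX control,
# no matter where the implementing DLL lives on disk (Microsoft KB 240797).
$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitState {
    # Returns the flags for one CLSID and whether the killbit is set.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path -Path $BasePath -ChildPath $Clsid
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{ Clsid = $Clsid; Flags = $null; KillBit = $false }
    }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid   = $Clsid
        Flags   = $flags
        KillBit = [bool]($flags -band $KillBitFlag)
    }
}

function Set-KillBit {
    # Sets the killbit for one CLSID, preserving any other compatibility bits
    # already present (OR the bit in rather than overwriting the DWORD).
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path -Path $BasePath -ChildPath $Clsid
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBitFlag)
}

function Get-AllKillBits {
    # Enumerates every CLSID under the compatibility key that currently has the killbit set.
    Get-ChildItem -Path $BasePath |
        ForEach-Object { Get-KillBitState -Clsid $_.PSChildName } |
        Where-Object { $_.KillBit }
}

# Placeholder CLSID for demonstration only; it is not a real control and not one
# of the CLSIDs addressed by MS05-054.
$DemoClsid = '{11111111-2222-3333-4444-555555555555}'
Get-KillBitState -Clsid $DemoClsid          # KillBit = False before
Set-KillBit     -Clsid $DemoClsid           # requires an elevated prompt (HKLM write)
Get-KillBitState -Clsid $DemoClsid          # KillBit = True after
Get-AllKillBits | Format-Table Clsid, Flags, KillBit
```

Two caveats a practitioner would want. First, a killbit stops IE (and any other host that consults this key) from instantiating the control; it does not fix the bug in the component itself, which is the point PatriotB raises below about other COM hosts. Second, on 64-bit Windows the 32-bit IE reads the Wow6432Node copy of this key, so a killbit intended for 32-bit controls has to be set under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility as well.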

  6. Anonymous says:

    I know this isn’t the right place, but I have a small bug in IE7 beta1:

    Every time a new instance of IE is started up it creates a temporary file in $user\Local Settings\Temp of the form wwwxxxx.tmp and doesn’t delete it.

    I noticed huge startup times and hard drive grinding, which turned out to be iexplore.exe looking for a new temporary file name and colliding with existing ones thousands of times until it found one.

  7. Anonymous says:

    Today after installing the latest patches I detected a problem on IE 6.0.

    When I do a click with the right button of the mouse and select the option to "Open in New Window" it makes some sort of screen flick but does not open the link or the new window.

    I’ve detected this also to be true on links that open it self on a new window.

    Anyone else detected this?

    This is a recent Windows XP install with SP 2 and all updates. Its been working for about 2 weeks with no issues until today.

    regards

  8. Anonymous says:

    I have also seen bugs with patch 905915:

    * opening an Internet shortcut from Windows Explorer opens a blank IE window, which then hangs;

    * typing a URL in the "Start -> Run" dialog box opens a blank IE window, which then hangs;

    * clicking the "More Information" link in the Windows Error Reporting dialog opens a blank IE window, which then hangs;

    * typing a URL in the IE address bar opens that URL in a new window;

    * opening an Internet shortcut from within IE either opens the link in a new window, or causes IE to hang;

    * right-clicking on a link and choosing "Open in new window" results in two new windows, one with the link and one blank;

    This is on XP SP2, fully patched, with up-to-date anti-virus and anti-spyware software running.

    Several restarts made no difference to the problems. Uninstalling 905915 fixed them all.

    http://groups.google.co.uk/group/microsoft.public.security/browse_thread/thread/6a5cc74fab6618d9/8492fb9bb63822a0

  9. Anonymous says:

    Yeah, what Richard said!

    * Items in the Links toolbar now open in a new window.

    * Clicking the "Home" button (set to "about:blank") causes an error dialog, followed by 55 (!) new blank IE windows. The error dialog doesn’t pop up the second time, otherwise I would have copied down the message.

  10. Anonymous says:

    same problem as Richard describes over here (Windows XP x64, but happening with 32bit IE only)

  11. ieblog says:

    I have just tried all of the reported scenarios on a fully patched machine and cannot reproduce any of the problems. Everything works as expected with none of the issues reported showing up.

    I’ll forward your reports to the appropriate parties internally but, so far, I cannot reproduce them and these are the only problem reports so far.

    – Al Billings [MSFT]

  12. Anonymous says:

    Maybe the problems are related to other installed things? For example, I have the Developer Toolbar as well as Mouse Gestures for IE installed.

  13. Mike Dimmick says:

    Just a reminder that MSDN subscribers may have downloaded IE 7.0 Beta 1 or Windows Vista Beta 1 from MSDN Subscriber Downloads. I hope that patches will appear on MSDN Subscriber Downloads at the same time as on BetaPlace/Connect, and that this is more timely than the last round of updates, which took about six weeks to appear on MSDN.

  14. PatriotB says:

    EricLaw: Thanks for the clarification. It’s too bad these bugs are lumped under IE vulnerabilities, when they really aren’t. The CLSIDs could fail with other COM clients, e.g. Word. Are the underlying bugs in the components (the Microsoft-owned ones, at least) being fixed as well, for the benefit of other ActiveX containers?

  15. Anonymous says:

    > I cannot reproduce them and these are the only problem reports so far.

    I can confirm (some of) the errors mentioned above as well:

    * Opening a link from Outlook gives a blank page with a popup error and a second page with the correct info.

    * Typing a URL in the address bar opens at least one new, blank page (sometimes more) with a popup error and another new page which loads the URL requested.

    Errormessage starts with "Windows cannot find ‘(null)’"

    Other people mentioned that typing a new URL in the address bar with another browser as the default browser opens a new window in the other browser.

  16. Anonymous says:

    I can also confirm all of the symptoms in the google link provided.

    Also, this is affecting people here at my office that have installed the update (via WSUS).

    FYI.. All users to date are running W2K3 x86 SP1, IE6. I am running W2K3 x64 SP1 IE6.

  17. Anonymous says:

    Strange to hear about those patch problems. I installed it here at my office ~100 pcs, and at home, and everything is normal as usual.

  18. Anonymous says:

    I can confirm that most (but not all) of the computers in our office are having the same problems.

    Some things that are NOT common among the affected machines:

    – Having firefox installed

    – IE Dev tools installed

    – running the update manually or through automatic update

    It appears that when a URL is somehow "executed", it is opened up in a new browser window using the SYSTEM default browser. Meaning that those who default to Firefox are having URLs typed into IE being opened up in Firefox (you can imagine the "this IS more secure" jokes from that crowd).

    This happens even when it is clicked on in links or favorites, or doubleclicked from the desktop.

  19. Anonymous says:

    One more thing…

    When "Reuse windows for launching shortcuts" in IE is checked, all of the systems hang or otherwise do bad things when a URL is launched.

    When it is not checked, they all have the problem mentioned above by Richard

  20. Anonymous says:

    I applied the patch to 3 machines. I suppose i’ll join the "No Problems Here" club.

  21. Anonymous says:

    I think this guy is right: http://groups.google.co.uk/group/microsoft.public.security/browse_thread/thread/6a5cc74fab6618d9/8492fb9bb63822a0#msg_c6026a80effd1e63

    I’d suggest anyone having problems check their machines with MS AntiSpyware _and_ *good* antivirus software (like NOD32 from Eset).

  22. Anonymous says:

    Same problem here, running updated antivirus (Symantec) and MS AntiSpyware software. Fully patched Danish XP SP2 with Google Toolbar and Dev Toolbar installed. Had to uninstall the patch.

  23. Anonymous says:

    I have run a full virus scan with a fully up-to-date copy of Sophos AntiVirus 5.1.1, which found nothing.

    I have MS AntiSpyware Beta installed and running, and have run a full system scan, which found nothing.

    I have run a full scan with an up-to-date copy of AdAware SE, which found nothing.

    I have disabled third party browser extensions. I have reviewed the list of IE add-ons, and there is nothing unexpected.

    I have reinstalled the patch with my anti-virus and anti-spyware software turned off, and I still see the same problems.

    I have FireFox and Opera installed, but IE is still set as the system default browser.

    Further to my previous post, when IE hangs after typing a URL in the run box or clicking a shortcut in Windows Explorer, the requested URL opens in a second browser window after several minutes, and the first browser window becomes responsive again.

    In the hung state, there are 4 threads running. The stack trace for all threads (using SysInternals Process Explorer) ends with:

    ntoskrnl.exe!ExReleaseResourceLite+0x2b4

    ntoskrnl.exe!IoPageRead+0x892

    ntoskrnl.exe!IoGetBaseFileSystemDeviceObject+0x730

    I can post the full stack trace if needed.

  24. Anonymous says:

    Same here. Uninstalling the three patches did not resolve the issue. I hope Microsoft comes up with a solution soon.

    I had Dev Toolbar and MS AntiSpyware installed, too.

    Will use Firefox until this is resolved because it’s simply impossible to use IE with this behavior at this moment.

  25. Anonymous says:

    To all out there dealing with the Internet Explorer blank pages issue: Have you ever hit the "Home" button? Does it open like 60 IE instances on your machines, too?

    No updates from MS on this yet…

  26. Anonymous says:

    If MS *does* release a fix for the problems, how will we know about it? Just have to wait for next Tuesday, install everything. and keep my fingers crossed?

  27. William Luu says:

    Ralf, same thing happening here as well. (Many new IE instances opened when clicking on Home button).

    Noticed it after installing the updates last night and doing a reboot.

    I’ve even gone and disabled all of the IE Add ons through the "Manage Add Ons" area.

    Sometimes I get the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." or I get "An attempt was made to reference a token that does not exist."

    IE Addons that I’ve got on my machine:

    – IE Dev Toolbar

    – NILS Accessibility Toolbar

    – Google Toolbar

    – Send to OneNote (this is a button).

    So now if I accidentally click on the Home button, I just kill the IE process using the task manager. This prevents the multiple windows from loading up.

    Strange… I’ve also got the MS AntiSpyware running, Trend Micro OfficeScan running. Both up to date.

    I also notice what Nolan mentioned regarding the "Reuse windows for launching shortcuts" issue. It appears to me as if the window is constantly trying to reload something. (Probably the 60+ blank windows that popup when that option is unchecked).

    I’m running Windows XP (Tablet PC Ed), with SP2.

    Other browsers installed: Opera, Firefox.

  28. PatriotB says:

    Well, I just discovered a bug that I’m guessing was introduced by the "file download dialog" part of this patch.

    Click on some link that will download an EXE, or enter the path to an EXE in the address bar. (For testing, try http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V1.11-ENU.exe) You will see the Security Warning dialog box pop up, and if you move it you will see the File Download box behind it. Leaving the Security Warning box open, click on the File Download box. Yikes! It starts beeping continuously, flashes the Security dialog box wildly, freezes the Security dialog box, won’t stop until you click away into another application.

    It does this on both my XP SP2 and my XP x64 systems. Yes, it’s just a minor quirk, but it really doesn’t make me feel good about the quality and testing of Microsoft patches–something like this honestly should have been caught in QA.

    Well–at least I’m not experiencing all the other problems people are posting about. 🙂

  29. Anonymous says:

    Nice catch PatriotB! Confirmed!

  30. Anonymous says:

    I have Firefox set as my default browser. Since installing this update, when typing a url into Internet Explorer or opening a link in a new window, Firefox is launched to load the url.

    The only way I’ve found to open a url in Internet Explorer is to set it as the home page and restart.

  31. Anonymous says:

    Further to the above, I’m also getting the opening ~60 blank IE windows when clicking Home issue.

    I’m running XP Pro SP2 with the Google toolbar installed. I did have the Netcraft toolbar installed too. Uninstalling it hasn’t fixed the problem.

  32. Anonymous says:

    Thanks for the information.

  33. Anonymous says:

    Since I’ve applied the December updates, I can’t use IE: when I enter a URL in the address bar and click "Go", it opens a new Opera window, and the only way I found to go to the page I wanted is to set it as the start page (and to restart IE, since clicking on the "Home" button of the toolbar didn’t change anything).

    My config :

    XPSP2 – IE 6

    no add-ons installed

    spyware and virus-free (according to AdAware and McAfee VirusScan)

  34. Anonymous says:

    Rather than me gloat about how it works fine and be done with it I tried something else. I installed an additional browser and set it as my default. It’s Firefox.

    It still works 100% and unable to reproduce any of the errors in the Google newsgroup. I also don’t use additional toolbars and whatnot.

  35. Anonymous says:

    All of the problems I was seeing were due to a registry key created by running IE7 Beta 1 in side-by-side mode. Deleting the registry key has resolved all of the issues.

    http://blogs.msdn.com/ie/archive/2005/12/16/504864.aspx

  36. Anonymous says:

    Above in this blog it is mentioned in quotes: "Security Updates for IE7 Beta 1 users on XPSP2 and Vista Beta1 are not available today, but will be available on BetaPlace within the next week."

    Is the patch for IE7 Beta 1 already available?

    If so, where can I download it?