IE April 2006 Security Update is now available

The IE April 2006 security update is now available! This security update is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates available via the new Microsoft Update. I would encourage you to upgrade to Microsoft Update if you haven’t already.

This update addresses 10 security issues: 8 remote code execution vulnerabilities, one information disclosure vulnerability and one spoofing vulnerability. For more information on the contents of this update:

Microsoft Knowledge Base article: MS06-013 – Cumulative Security Update for Internet Explorer (KB# 912812)

Details on the vulnerabilities and workarounds can be found at

This is a “Critical” update and affects all supported IE configurations from IE5.01 to IE6 for XPSP2 and IE6 for Server 2003 Service Pack 1. All IE security updates are cumulative and contain all previously released patches for each version of IE. Security Updates for IE7 Beta 1 users on XPSP2 and Vista February CTP are not available today, but will be available on Windows Update within the next two weeks. I will update the blog when these are available. I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to turn on automatic updates for their systems to download updates more easily.

 – Charles Watanabe

Comments (73)

  1. Jack says:

    what about security updates for IE7 Beta 2 Preview?

  2. Mike says:

    my thoughts exactly Jack. Maybe we’re not affected. 🙂 That would be really nice.

  3. A. Nanny Mouse says:

    With all due respect, Windows users aren’t "strongly encouraged" to turn on Automatic Updates; they’re practically forced to.

  4. lollerskates says:

    what the hell are all the UI experts there actually doing?

  5. Alun Jones says:

    @A Nanny Mouse:

    The alternative to being keen to get people on to Automatic Updates is to hear constantly that users not finding, downloading, and applying patches is somehow Microsoft’s fault.

    [It’s only Microsoft’s fault when the patches aren’t available.]

  6. A. Nanny Mouse says:

    All that’s required really is that users are regularly reminded to visit Microsoft Update, or perhaps allow lower setting of Automatic Updates to be "good enough" for Microsoft.  Surely being reminded that updates are available so they can be downloaded manually is just as good as, if not better than, having them forced on you and downloaded without your knowledge.  And what’s up with being reminded every so often, after certain updates, to restart your computer?  It’s going to get turned off eventually; in my opinion Microsoft is a joke where updates are concerned.

  7. hello says:

    can u ban those loser opensource geeks from this site

    they ruin the content

  8. George says:

    A. Nanny Mouse, you speak as one who knows how computers work.

    Can you at least TRY to understand what it’s like for those who don’t care about how computers work and just want it to do it’s stuff without having to be involved.

  9. Bennie says:

    I leave Automatic Updates on for alerts of new updates.  I don’t have my setup geared to do every little thing for me.  Microsoft Windows is geared to the computer illiterate.  The Windows product makes it easy to use a computer and easy to navigate the www.  However, with all of this "ease" comes the ability of experts to exploit those features.  The IE problem has risen from Microsoft’s desire to use IE for almost every TCP/IP application.  

    I don’t think Microsoft sucks.  However, I do think that some serious thought should be put into separating IE from the OS.  If Microsoft really needs to be able to control some aspect of the OS for updating or other processes, then another type of application, which is Windows specific, should be created.  Currently I think that Microsoft has overloaded IE with advanced process management capabilities in the name of "ease-of-use."  

    Just because you can doesn’t mean you always should.

  10. Mike says:

    Bennie, starting with IE7, IE (especially in Vista) IS actually decoupled from Win Explorer. Try to open a website in Explorer and C: in IE and see what happens.

  11. Chris says:

    "Bennie, starting with IE7, IE (especially in Vista) IS actually decoupled from Win Explorer. Try to open a website in Explorer and C: in IE and see what happens."

    Wow, that’s really good news. I haven’t done a lot of research on Vista so far and that seems like a VERY good thing. I’d try a build of Vista, but I’m afraid of letting it touch my Linux partitions, lol.

    "With all due respect, Windows users aren’t "strongly encouraged" to turn on Automatic Updates; they’re practically forced to."

    Forcing security habits on their customers? WOW! How would’ve thought? Stop being such an anti-Windows fanboy.

  12. A. Nanny Mouse says:

    George, I know how people that aren’t as computer literate as me.  Being computer illiterate doesn’t mean to say they want everything done for them.  They still want choice, and they don’t want things thrusted on them.  One person approached me telling me they wanted Windows Update to involve him more, but having his Automatic Update settings at a lower than "recommended" level causes every security program he has to tell him he must turn Automatic Updates on.  People of all technological backgrounds may want Automatic Updates to be as Automatic as the title suggests, but people of all technological backgrounds would like it to be less automated as well.  Computer illiteracy doesn’t equal incompetence.

  13. CorporateOffRoader says:

    I installed all the patches and now I need to type the fully qualified URL in the address bar to navigate to a different webpage in IE7.  I have uninstalled ie7 and even with ie6 now I cannot just type in and have it go to that page.  Worked fine before the patches, anyone have any suggestions?

  14. Rich227 says:

    I feel Windows has had to force auto updates on on Windows OS’s because of piracy and auto updates is on way to confirm authenticated copies of the OS after all I do remember my copy of 98 and 98SE were just that copied, never purchased OEM or Retail. XP is the only version of a Microsoft OS that I have ever obtained legitmatly. Unfortunatly one bad apple does spoil the bunch. I do however feel that maybe Microsoft should allow users to update when they want to but when you do it confirms an authentic OS everytime you log onto any MS web page.  

  15. Lordmike says:

    Having updates shoved down my throat is the only way for me to know that they are there. I always forget to check for updates. So on my Mac, Windows XP Pro SP2, Win 2k3 and slackware I always make sure that I get some notification of updates. Otherwise I will forget and just continue with research and games.

    So it’s a great feature even for power users and more advanced users then average joe (still no power user though) as much as it’s good for the average joe to use this.

    Choice? You always have a choice, turn it off if you don’t like it. The balloon can be turned off to, if you don’t know how then it’s not for you to remove.

  16. __hAl__ says:



    Thanks for the link and a big thanks to Daniel Glazman for that excellent review of the IE7b2 GUI.

    Allthough completly of topic here but then again there hasn’t been any decent topic about IE7 in the last 3 weeks where it would actually fit and almost noone reads topics that old again.

    I hope the IE team also read that very nice review of the GUI and manages to get a lot of those anoying GUI stuff out of the way.

  17. Thanks to lollerskates for posting the IE7 GUI related page.  I’ve been posting about it since I first saw IE7’s horrid GUI.  Glazman’s right on the point that IE7’s new spiffy features don’t matter if the GUI is inconsistent and makes no sense (mostly placement / icon choices).

  18. Bennie says:

    Mike, great news to hear that IE 7 will be taking a step to separate itself from the OS.  I have yet to play with the beta test release.  

    As for it’s disintegration, I would love to see IE 7’s usage of Active X controls and it’s modification of the "5 zones of security."  I’m sure most of us here understand the 5 trust zones set up within the Microsoft networking architecture.  

    Not to be discouraging, the integration features go far beyond the navigation of the address bar.  I guess I’m just skeptical of Microsoft’s ability to reduce the role of IE since it’s been so long since a new release of the OS.  This has impeded developers as well.  No new OS means a stall for all Microsoft products.  This includes a new edition of Visual Studio .Net, the primary development suite for ActiveX and .Net internet programming.

  19. Fiery Kitsune says:

    After the update, I’ve been getting severe tab-bar lag on Shift-JIS message boards like 2ch. The tab-bar freezes every time I refresh.

    Another thing that I am noticing is that online college course applications like WebCT are very slow to load, especially the discussion boards.

    These problems manifest themselves to an extent in Firefox, but I’m seeing it in the latest public IE7 build. I have a 10Mbit college connection, is this normal for huge webpages to do this?

  20. Couldn’t this have been released a fortnight ago, when the exploits started appearing? Unless you’re seriously trying to tell me that it takes a company with 61,000 employees (I know not all of them work in IE, but still!) nearly a month [after the discovery of the flaws] to produce these simple code changes, when several small third-party developers did it in days?

    I hate to evangelise, but that’s one of the reasons so many people are dumping IE – on the three occasions (that I can remember) where serious flaws were discovered in Firefox, Mozilla had a fix (or at least a temporary stopgap) released with 48 hours on each occasion. And Mozilla has a lot less programmers than Microsoft!

  21. ReleaseIE7 says:

    "I hate to evangelise, but that’s one of the reasons so many people are dumping IE"

    Yes, should we count the others?

    PUT OUT IE7.  Can you not see the public is tired of waiting on it?

  22. Xepol says:

    Speaking of updates, something to check for the next IE 7 b2 update, the videos at channel9 don’t resize when you zoom the page LARGER than 100%.

    Instead, you get the same size video centered in the larger area.  Oddly, if you zoom to 10%, it scales down.

  23. Fiery Kitsune says:

    I bet the IE Team doesn’t care that major universities have switched to Firefox as the browser of choice.

  24. Rich227 says:

    I noticed a big problem with IE7 I can’t run  some scripts in Norton Internet Security 2005 for example I click configure in Antispam I get an error message for scripts asking me if I want to continue running script doesn’t matter screen is still blank whether yes or no. I uninstalled and went back to IE6 and the scripts run fine anything I can do to get the scripts working with IE7? Email me at Thank You

  25. EricLaw [MSFT] says:

    @Rich: The problem with the scripts in NIS2005 is a known issue that we are working with Symantec on.  It will be fixed in a future build.  

    Apologies for the inconvenience.

  26. Vince P says:

    To CorporateOffRoader :

    Thanks for your post.. I thought my system was FUBAR.  Now I know I need to type http://

  27. Fduch says:

    It’s funny.

    The testers of the LAST IE7 beta have to live with dozen of newly-introduced silly critical bugs (like not working back button and problems changing keyboard layout) while many non-testers are clever enough to find and install more recent build. Of course testers are last to get the betas.

    (It happened with Vista too. The first ones to get Vista5308 were warez users, because Connect was down for hours).

    And now the people from IE Feedback say "This database is for feedback on IE7, not the site. We do not control or build the Connect site and have no ability to change its design."

    Where the world goes….

  28. MZ says:

    I’ve just downloaded the windows security updates and now my IE 7.0 B2 version address bar doesn’t work when I type in – why is that???

  29. ieblog says:

    The "people from IE Feedback" is me and you submitted an IE7 bug complaining that the Feedback page doesn’t show issues in a manner that you like.

    We don’t control the way that the MS Connect site functions, it is a template based system. It isn’t an IE7 issue, which is the point of the site after all, so I closed the bug.

    – Al Billings [MSFT]

  30. Rich227 says:

    @EricLaw Thanks I will most certainly wait for the new build. I so far enjoy IE7

  31. Fduch says:

    @Al Billings Thanks for the answer at least 🙂

    And what about new build? (I mean >= 5358)

  32. ieblog says:


    We know people want a more recent build. Because no dates have been announced, I’m not in a position to say when one will be available but, trust me, we hear that people want a newer build loud and clear.

    – Al Billings [MSFT]

  33. Tommy C. King says:

    Hi there, maybe this is not the right forum, but does this or IE 6.0 SP1 carries the new Newwindow 3 function?  I can find it on XP SP2 and Windows 2003 machines but I think it’s not available in XP SP1.


  34. John OC says:

    Thanks for the link to the GUI article.

    I almost went straight back to IE6 when I saw the new GUI.

    The lack of configurability makes it look like a half baked student excercise rather than a serious industrial strength browser.

    It should be possible to setup the toolbar buttorns along with the Stop/Refresh and back/forward buttons.

    Come on MS – tell me you can do better than that….

  35. Makoto says:

    It’s not related to this topic, but I have a question.

    How can I change the background of a feed page? I want to change the background from the graduated one to plain solid-color.

    It’s very slow to scroll a feed page with a  poor video card (because of the background, I think).

  36. Fduch says:

    What do you think of making all IE controls i.e. back/forward, address, search, favourites, quick tabs and command bar buttons customizable like toolbars in Visual Studio?

    I mean I want for example to move favourites and stop/refresh buttons next to back/forward; to move command bar to the same line with classic menu or after search field.

    Will this ever be possible?

  37. Um.... says:

    "We know people want a more recent build."

    People don’t want just a recent build the entire online community is calling for a whole new browser.  When are they going to get what they are asking for?

  38. ieblog says:

    IE7 will be released when it is read, Mr. Um… We haven’t even had the second Beta yet so you should expect that first.

    – Al Billings [MSFT]

  39. Xepol says:

    Al Billings [MSFT] -> Can we assume that you guys know about the forward/back buttons not working correctly anymore or do you still need a repeatable case for it?  Any hope that this bizarre new bug will be fixed in the next release?

    Frankly, it drives me insane, I go forward/back a LOT (or, at least I used too anyways)

  40. ieblog says:


    Did you search the public bug database for this issue? It is issue 53998 there, one of the first logged. 🙂

    It is actually a combination of several issues, which is why it only shows up on certain kinds of sites.

    – Al Billings [MSFT]

  41. Xepol says:

    Al -> Next time maybe it would be good to put an item in the help menu to link to the public bug database.  Now I gotta go hunt it down and see if the times-out in the flash bug is listed too.

  42. Xepol says:

    Al, actually it’s bug 53540. (browse sequence fails to update randomly, probably the same bug however)

  43. ieblog says:

    Actually, one I look on my end, 53540 is duped to the one that I mention. The site just shows the same resolution as the one I duped it to.

  44. Xepol says:

    Al -> ya, they show as fixed for the next release… WHICH MS SHOULD SHIP SOON!!!

    Ok, here it is.  Go back, read my previous blog comments.  Except for cleartype, I was pretty upbeat and positive about IE7.  Since the latest march 20 release however, I have had to install FIREFOX of all things on my machine just to make sure I could get my browsing done. Oh, I suppose I could uninstall IE7 and go back to a 5+ year old browser, but frankly, I would rather stick with firefox for the new features I’ve learned to enjoy than do THAT.  

    Frankly, Firefox is not my browser of preference, but the march 20th release was such an utter load of, er, cow-recycled-grass-trimmings (I assume that "passes" muster) that it is starting to look attractive in comparison.  It is here, it has the features (and I few I’ve asked for in past postings), and its stable already.  What the heck happened with the March 20th update?  Is this some big psychology test to see what consumers will tolerate?

    Please, PLEASE communicate to the whole IE team that we all need a new, updated, STABLE release (Beta 1 and the first preview were the rock of Gibraltar in comparison!) SOON!

    Just don’t call it IE 7 beta 2 post refreshed preview update, ok?

  45. Xepol says:

    ieblog -> technically they are different aspects of the same root bug, so I can see how they got reported seperately.

  46. Fiery Kitsune says:

    IE Team…

    I am very disappointed that you guys won’t be putting site headers in address bar pulldown…

    Why won’t this be in IE7? It will significantly improve the browsing experience of IE.

  47. EricLaw [MSFT] says:

    @Tommy– NewWindow3 is only available on platforms with the IE popup blocker; hence it’s not in XPSP1.

    @Xepol– "What the heck happened with the March 20th update?  Is this some big psychology test to see what consumers will tolerate?"

    No, March 20th was all about Web Developers, not consumers.  The March 20th rendering engine was layout complete for IE7, and webdevelopers rightly demanded it ASAP so they could have plenty of time to check out their CSS etc.  I assure you that we’re just as frustrated as you are and we’re eagerly looking forward to shipping the Beta-2 build, which is targeted for a wider audience.

  48. EricLaw [MSFT] says:

    @Fiery: When you say "Site headers" are you referring to the TITLE tag?  

    It’s a fine suggestion, but something we simply don’t have time for this time around.  Fear not, you’ll see the next version of IE a lot quicker than it took to get this one out.

  49. Sonn says:

    Can’t wait for the new outlook express 7, i know it has nothing to do with ie.  I do like using the new ie7!!!

  50. Fiery Kitsune says:

    Yes, I was referring to the TITLE tag. Sorry, it’s almost 3AM…

    "Fear not, you’ll see the next version of IE a lot quicker than it took to get this one out."

    I take it you guys are gonna be exhibiting some artistic liberty with IE7.5… The chains of Win9x must’ve been very heavy. Too bad us XP users aren’t gonna be able to run it.

  51. Fduch says:

    I want to know your opinion.

    What do you think about IE ability to save animation in plain bmp files.

    Just look at this (small gif) and try to save it.

    Yeah this technology is awesome. It even thinks of a fancy name for the image depending on the IE’s locale.

  52. Fduch says:

    Well maybe it will really work for some of you, but There are many sites with pictures that IE doesn’t want to save in original format.

  53. ajo says:

    Program to detect errors.

    More info..

    Do you (at Microsoft) also use data fuzzing to test on (possible) errors for IE7? This method can prevent a lot of security updates in the future.



  54. Chris says:


    Is it possible to download these updates as an exe or msi file, which can be put on a USB pen drive and loaded from that?

    I have a family member who doesn’t have broadband, and I’d like to be able to take the updates to him.


  55. Xepol says:

    EricLaw -> How does a browser that can’t load webpages from an INTRANET because it times out so fast help webdevelopers?  Trust me, the mark was seriously missed here.  Worse, totally non-sense bugs were introduced.  Nothing that makes ANY rational sense should have mangled the browser back/foward buttons the way it did, nor should it have screwed up the ability to track the toolbars properly (all things that were 100% stable since forever previously).

    BASIC functionality was totally trashed in that March 20th release.  Things that had NEVER been broken in any previous release, EVER, and certainly have NOTHING to do with how a page is rendered (except that you can’t render a page you can’t load or skip over as you click the back button)

    Seriously, web developers need to be able to load pages reliably, they need their browse sequence buttons to work properly so they can walk the sites they are testing.

    Everyone, even the webdevelopers, need these problems fixed and an update shipped.  If the march 20th release was meant only for web developers, you STILL need to give them a browser that can reliably load pages just so that that problem doesn’t mask other issues.

  56. Xepol says:

    Fduch -> I’ve seen a machine with IE6 get the bitmap only problem you’ve described and I never did figure out how to fix it, and couldn’t find anything about it at the time.  The problem was resolved by reinstalling the computer when the motherboard burnt out.

    I suspect you might want to do the same (reinstalling, not burning out your motherboard that is)

  57. Sorry if this is a bit off-topic, but this and the other post about the update have the same timestamp and they seem to be switching order every now and then, thus confusing my feed reader into thinking this blog has been updated.

  58. ieblog says:

    I’ve fixed that now, David.

    – Al Billings [MSFT]

  59. ieblog says:

    Spamming posts with off-topic comments about how you don’t like your bug being closed is not a good use of anyone’s time and isn’t appropriate.

    – Al Billings [MSFT]

  60. Xepol says:

    Al -> uh, who are you replying to about closed bug issues?

  61. ieblog says:

    Xepol, I deleted it because it was spam on this post. Generally, when I delete a comment, unless it is simply spam spam, I acknowledge it and say why I deleted it.

    – Al Billings [MSFT]

  62. Fduch says:

    WoW. found that small update and now enjoying back/forward in 5358.

    Though the reyboard layout bug is still there.

  63. cjrecker says:

    I got this latest update and since then, when I type into my internet explorer v6 address bar, it does absolutely nothing. I had to restore my system to it’s previous state to get anywhere. Is there a fix for this or should I uncheck one of the boxes for this newest update and try it again?


  64. lemonheaded says:


    For some reason, some of us now need to type the entire URL (ie, into the address bar, whereas before, or something similar worked.

    I’m trying to find a fix for this myself, which is what led me here.

  65. ieblog says:


    The problem is probably the one detailed here:

    This is caused by Hewlett-Packard’s Share-to-Web software.Hewlett-Packard’s Share-to-Web software.

    "The MS06-015 (908531) ( security update includes a "white list"; VERCLSID.EXE will not scan any extension that appears on this list. Adding the HP shell extension corrects the problem."

    – Al Billings [MSFT]

  66. c says:

    Thanks Al – I just spent an hour on the phone with my father trying to fix his computer.  It is the problem described in the kb918165, so I hope that will work for us.

  67. Sam says:

    I can’t add http: sites to my restricted sites zone anymore.  It keeps says that I can only add https: sites.  when did that change?

  68. After this update I’ve been getting reports like the one below. These crashes are causing us a bit of a support problem:

    "Member having trouble accessing forum. She is getting a message about having to install activex or something. Any ideas on what the problem could be and how I can help resolve this? She has never had trouble before, it just started happening.

    I am now getting the error as well, and so are more members…

    It’s a pop up that says Click to run an ActiveX control on this page and has an okay button to click or the corner x to close.

    If you click the x you get The Internet Explorer has encountered a problem, and needs to close Error popup with the option to send an Error Report or not. Then explorer shuts down. If you choose ‘okay’ sometimes you can access the forum and sometimes you get the Error Report thing again. More often than not you get the error report. I can access the forum with Firefox, so I am able to communicate with the members who are not yet having problems, but I do not know what the problem is or how to resolve it."

  69. cjrecker says:

    Thank you, Al. I will edit my registry as I do have that HP software. I appreciate the help.


  70. cjrecker says:

    Okay, I did what the microsoft support said, but it still doesn’t work. I have to type the http:// before I can get to a web page instead of just www. Is there more help for my problem?

    Thank you


  71. cjrecker says:

    I took care of the problem. I deleted the HP share to web program as I never used it anyway. It worked!



  72. Mary says:

    We have had issues with an MS-Access form.

    Out of 8 systems, 1, mine with XP hasn’t issues, 6 other XP systems are having an issue, and 1 Win2K system is having no issues.

    It’s a dialog prompt for userinput to run a query and open a form- a simple do cmd form open. Any insight on this? There is a KoFax scanner loaded on 1 of 8 the systems.

    I’m able to open it on my XP system with SP1 but other XP users who’re up to date on their patches no longer have been able to open the form.

    I looked at the various newsgroups but did not find anyone with a similar problem. Corruptions in data.

    Anyway, took a look at this article

    and hoped you might point me in the right direction.

    Thanks in advance for your input.