IE June 2006 Security Update is now available


The IE cumulative June 2006 security update is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update, and I encourage you to upgrade to Microsoft Update if you haven’t already.

This update addresses 8 security issues: 5 remote code execution vulnerabilities, one information disclosure vulnerability, one information disclosure/spoofing vulnerability and one spoofing vulnerability. For more information on the contents of this update, please see:

Microsoft Knowledge Base article: MS06-021 – Cumulative Security Update for Internet Explorer (KB# 916281)

Details on the vulnerabilities and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx.

This is a “Critical” update and affects all supported IE configurations from IE5.01 to IE6 for XPSP2 and IE6 for Server 2003 Service Pack 1. IE security updates are cumulative and contain all previously released patches for each version of IE. These security updates are already contained in IE7+ in Windows Vista Beta 2.

Also, there is a security update to resolve a remote code execution vulnerability in AOL binaries that shipped with Windows and IE. For more information on the contents of this update, please see:

Microsoft Knowledge Base article: MS06-022 – Vulnerability in ART Image Rendering Could Allow Remote Code Execution (KB# 918439)

Details on the vulnerability and workarounds can be found at http://www.microsoft.com/technet/security/Bulletin/MS06-022.mspx.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest patches from Microsoft.

 – Charles Watanabe

Comments (22)

  1. Kelson says:

    <i>"These security updates are already contained in IE7+ in Windows Vista Beta 2."</i>

    What about IE7 beta2 for Windows XP?  Is it unaffected, or are the fixes going to be in the next beta/rc?

  2. It's good that Windows Vista releases. More actions are made automatic. That's good. It leaves more time to do things (work). E.V.

  3. Ronald says:

    Okay, this is totally off topic, but today I am going nuts with this.

    What registry key do I have to set, to DISABLE (in IE6 & 7), the "activescript" warning bar, for files loaded on the "localhost" / c:, d:, etc.

    As a developer, I am ALWAYS testing out concept code, from a local file, to test something. I ALWAYS want to run JavaScript, ALWAYS!.

    If for some reason, there isn’t a key, can someone please ADD one for IE 7.

    Better yet, split it out into multiple options, in the Options dialog.

    +- Developer settings ———————-

    | Disable the script warning bar, for the local | file system for:

    | [_] JScript

    | [x] VBScript

    | [x] Active-X

    |

    +——————————————-

    EVERY test file I open locally, contains JavaScript, and NEVER contains VBScript or Active-X, as such, this warning bar is EXTREMELY ANNOYING!

  4. Ronald says:

    oops, rendering should be…

    +- Developer settings ———————-

    | Disable the script warning bar, for the local

    | file system for:

    | [x] JScript

    | [_] VBScript

    | [_] Active-X

    |

    +——————————————-

  5. Mike Dimmick says:

    Ronald: Tools, Internet Options, Advanced tab, under Security check ‘Allow active content to run in files on My Computer’.

  6. Larry says:

    So could someone comment on whether there will be a refresh of the "standalone" beta to incorporate the June 13 patches, or is a refresh not necessary?

  7. cao_zacarias says:

    In Paredes de Coura, the heart of the upper Minho and a land of good people, there is much to talk about. A blog was created for that purpose.

  8. EricLaw [MSFT] says:

    @Larry: Beta2 of IE7 standalone had a significant number of bugfixes that weren’t in IE6 and earlier betas (and hence needed to be patched in Jun13 patches). We will continue delivering fixes with IE7 Beta3 when it’s released later this summer.

  9. Steve says:

    Just a comment on the automatic security updates…

    When I installed the updates today, I found 2 things that really bugged me.

    1.) The modal popup… (reboot now, later) dialog is EXTREMELY annoying. I would gladly PAY not to have this "feature".

    2.) The update included updates for Outlook 2003.  Since I use Office (Word/Excel) I guess  this was included.  What did tick me off though, was that the update, reset the default email application flag in the system (presumably registry)

    This meant, that when I loaded up my email, I had to re-confirm that I wanted __Insert_Name_Of_Better_Email_Application_Here_  to be my default Email application.

    MS, please remember, that many of us do not use, and in many cases, have no intention of ever using Outlook.

    Play fair.

    Thanks.

  10. fr says:

    The Outlook junk mail filter update resetting the default mail app annoys me too, I don’t see any good reason why an update should do that.

  11. Matt says:

    The Security Update for Internet Explorer (KB# 916281) gave me the "Click to activate and use this control" prompt. How do I fix that so that on my website it won’t pop up on anyone’s PC?

  12. Matt says:

    I use the Divs on my layout right now and everything I tried does not work. My jukebox has embed files and I don’t know what to change to make it work. I even tried that link you gave me and it confused me more.

  13. Will says:

    Matt:

    1> Pull all of your controls out into a separate .JS file named embedfiles.js.  It should have functions that look like

    // Writes the control's markup from this external script file.

    function EmbedAControl(sURL){

    document.write("<object clsid='clsid:etc' src='"+sURL+"'>");

    }

    Then, in your HTML, replace all of the places where you embedded controls with

    <SCRIPT>EmbedAControl("http://myfile.swf");</SCRIPT>

    and put

    <SCRIPT SRC="embedfiles.js"/>

  14. PatriotB says:

    Steve,

    The popup sucks for tech savvy folks, but it is important for the average Joe. If there were no reminder, Joe would think that he’s patched and safe but would really still be vulnerable. For savvy users, it’s best to not even go to Windows Update (or, don’t install the automatic updates) until you have a chance to reboot.

    In any event, there’s nothing the IE team can do about either of your issues.

  15. Steve says:

    @Will:

    Almost. The correct syntax for a Script tag, referencing an external file is:

    <script src="embedfiles.js"></script>

    1.) Case is lower case, not upper.

    2.) Closing tag is required.

    Thanks.

  16. Don says:

    I’ve accepted the IE 6 SP 1 update (KB916281) install numerous times, only to result in a failure on each attempt.

    Any suggestions on how to overcome this?

  17. PatriotB says:

    Steve — element and attribute names are case insensitive for HTML 4.01. XHTML, on the other hand, is case sensitive and requires lowercase.

  18. Sergei says:

    It’s really interesting!

    Information is worth reading.

  19. Steve says:

    @PatriotB:

    True, case isn’t required to be lower, for HTML 4.01, however, using <UPPERCASE> tags, in 2006, makes your code look extremely amateur, and very 1995.  I can’t believe that the MSDN site has so many examples like this, that haven’t been updated. esp. quotes on attributes…

    Back on the security update front, found another annoyance (QA Team listen up). When I updated, I also noticed that my default settings, for my keyboard/mouse (both MS), got reset to the defaults. E.g. all my hotlinks disappeared, and more frustratingly, my middle mouse button got switched to "next window", which drove me insane, whenever I went to close a Tab in Firefox, or IE7, the tab wouldn’t close, and the window would appear to lose focus. It took me a day or two to track down the issue, and link it to the update. Checking the registry indicated that IT WAS the update, that reset my settings (I have registry tracking turned on)

    Steve

  20. Bob says:

    He closed his script tag, he just did it differently than you.

  21. Kaisertod says:

    It would seem that this security update is causing a world of havoc here at my office. We are no longer able to download zips or docs from our website using IE. I have spent numerous hours attempting to track this problem on our web server to no avail, then someone suggested I try to download using Firefox (cringe), and the downloads worked flawlessly! This is a recent issue, as it was never a problem before. HELP!