Update coming for IE 6.0 SP1 security vulnerability


You may have read reports of a new, irresponsibly disclosed vulnerability that affects IE 6.0 SP1. We are aware of this issue and are actively working on an update that addresses the problem, which was introduced with our last security update (MS06-042). This issue only impacts customers running IE 6.0 SP1; customers running Windows XP SP2, Server 2003 SP1, IE 5.01 on Windows 2000, or any of the IE7 betas including Windows Vista are not affected. As far as we know, there are no active exploits at this time. The Microsoft Security Response Center (MSRC) has released security advisory 923762 with guidance for customers on this issue.

Briefly, after the initial release of MS06-042, we were responsibly informed of a potentially exploitable security vulnerability via a crash in urlmon.dll; we also started receiving reports of customers running into the crash during normal usage. As a result of the security and reliability impact of this bug, we decided not to wait for the next normally scheduled update. We had planned to release the update today, but last night we found an issue that would prevent some customers from being able to deploy the update. As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution.

We’ve been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this. In fact, this will be the first re-release of an IE update in 2.5 years (MS04-004 was the last one). Unfortunately, we missed this issue, plain and simple. In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue. We have also gone through all of our applicable engineering processes and tightened parts based on our learnings from this release. Finally, we are reconsidering our staffing and tools to allow us to scale better to our heavy load periods.

Across the company and the industry, we’ve seen how hard it is to ship updates in a timely way with high quality. We take responsibility for our mistakes by trying to minimize the customer impact and continually striving to learn from our experiences to do better next time. We will also continue to work with the security researcher community to encourage only responsible disclosure of security vulnerabilities. (You can read about some of the issues and challenges on this front on the MSRC blog.)

The MSRC and release teams are hard at work right now in an effort to address this situation. We hope to have this update out to you soon.

Tony Chor
Group Program Manager

Comments (43)

  1. Anonymous says:

    Can I expect ‘direct downloading’ in IE7? You know, IE downloads file in temp folder first and moves to destination folder when it completed.

    That is really really uncomfortable. Especially when I have Windows XP installed in C drive (which has temp folder) and want to download big size of file in D drive, moving takes great time.

    Firefox downloads directly into destination folder. So we do not need to wait until file moves into destination folder, and we can resume download if computer crashed during downloading.

    Of course, we have 3rd party application like FlashGet, but it doesn’t seem to catch download every time. Sometimes IE’s download window appears instead of FlashGet’s. And built-in feature is needed for stability.

    Please consider it.

  2. Hi everyone, Stephen Toulouse here.  We wanted to provide you with information about the MS06-042…

  3. TJ says:

    Although I’m not pleased with the issue and I’m sure many will slam you for it, I commend Microsoft for being upfront about it and keeping us informed (via this blog, MSRC blog, and TechNet). Many other software companies (who I shall not mention) could learn a lot by following suit. Over the years, Microsoft has become the leader in this area and thus the model.

    P.S. – mentioning the impact on beta software is greatly appreciated.

  4. cooperpx says:

    A mistake was made, a mistake will be cleaned up. Good. Accidents happen.

    However, let’s drop off the righteousness tone for a second please? Microsoft is upset that somebody squealed on it. The word ETIQUETTE applies, not RESPONSIBILITY.

    I’d say that ETIQUETTE regarding security bugs is being redefined by people not of Microsoft.

    Might I suggest that IE gets its own out-of-band patching system, not restricted by any specific timing schedule, for home users and businesses with a local policy setting?

  5. cooperpx says:

    "For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue."

    – ouch Tony. I’m sure he/she feels bad enough! He/she likely had peer reviewers and they missed it too. Some stuff just slips by, even by really smart people with years of bug finding experience. I’d say your team was due for this kind of flaw and it happens ~ _even_ in open source! [sorry for the double post]

  6. Baillard says:

    I posted a question to the MSRC Blog about the options that the Online Crash Analysis provides when IE fails due to the problems with MS06-042.    Can you please provide links to MS06-042 from the OCA event page and other info such as assisting users in disabling HTTP 1.1?  The current info OCA suggests upgrading to XP SP2 (I do realize that SP1 support ends <60 days) is not the entire story.

  7. redxii says:

    For what reason would it affect SP1 but not SP2? Just curious.

  8. redxii: We changed some buffer sizes in SP2; the code was first fixed in SP2 and then ported down to SP1 without taking this change into consideration.

    baillard: Good idea re: updating our OCA response. I’ll see what we can do here.

    cooperpx: I certainly didn’t mean to imply that this developer was solely to blame. We just wanted to make sure there was nothing systemic about his changes that might pose a problem. We definitely tried to explore every avenue.

    cooperpx: We used to update IE on its own schedule, but many customers asked us to update IE at the same time as other updates so they could schedule and batch their testing and deployments.

  9. Brad says:

    Did you guys see this?

    Death toll rises due to FireFox

    http://qainsight.net/2006/08/23/Death+Toll+Rises+Due+To+FireFox.aspx

  10. Tihiy says:

    Sorry for bugging you but I’m unable to find exact information on bizarre lifecycle pages.

    IE6SP1 on XPSP1 support will be dropped in October, but what about IE6SP1 on W2KSP4? I guess it should be supported until W2K EOL, but when it ends?

  11. Will this update fix the createPopup issue as well? A lot of our customers are reporting to us that IE is crashing when they use our web-application 24SevenOffice. This occurs due to a bug caused by using the createPopup function after the latest update is applied. This issue is not related to the IE6SP1/HTTP1.1 problem as the reports I have got customers used IE6SP2.

    Can you please make a statement to whether this issue will be fixed in the upcoming update?

    For more info and example see the following pages at comcept.net:

    http://www.comcept.net/notify/kb918899/kb918899%20Statement.htm

    http://www.comcept.net/crash.htm

    Thank you,

    Espen Antonsen

    24SevenOffice

  12. AH says:

    There now is a hotfix available from Microsoft for the popup issue. It is so far only available through Microsoft support; you must call and ask for hotfix 923996 for Windows XP or for Windows 2003. Such calls into Microsoft are free.

    As there are so many users suffering from this issue after deploying MS06-42, I would hope Microsoft includes the hotfix that fixes the popup issue into the re-release of MS06-42 as well.

  13. AH, thank you very much for that information. Unfortunately the fix is only available in English and Japanese. We have a lot of customers in Norway who are complaining about this issue and it seems like they have to wait for the next update.

    Cheers,

    Espen Antonsen

    24SevenOffice

  14. Steve Young says:

    First time to be here ^_^

  15. Vince says:

    I was under the impression that IE7 had removed the createPopup call from standard web page designs? (e.g. not an embedded app, using the IE engine)

    Can an MS team member clarify if this happened or not?

    From a web user perspective, these popups are the most annoying ever, since they are chromeless, z-ordered on top of everything, and are full screen, not just in the IE viewport.

    If not, can the developers clarify if these are 100% blockable by type, in IE7?

    E.g. I may want a popup window to choose a date in my online airfare search, but I will never want a ".createPopup()" call to be enabled.

    Thanks Vince.

  16. Tihiy – I blogged about this at http://blogs.msdn.com/ie/archive/2005/03/29/403513.aspx. Essentially, IE6SP1 on Win2k SP4 will be supported until Win2k expires.

    Espen – You can have your TAM contact Microsoft to request a localized version of the hotfix. The re-release of this update is for IE6SP1 only and the issue you’re seeing is for XPSP2, so therefore the re-release will not fix that issue as it’s on a different platform.

  17. DMassy says:

    Vince,

    createPopup has not been disabled in IE7. It is actually useful functionality for example to produce rich tooltips in web solutions.

    There were restrictions put on this functionality in Windows XP SP2 to ensure that they cannot display outside of the HTML display area of the browser and confuse people. Maybe that is what you are thinking of.

    Thanks

    -Dave

  18. Tom says:

    @dave

    I don’t see how a < div > can’t do anything that createPopup() can.

    Oh well, guess I’ll go look into writing an extension for IE7 to block these.

    @Vince

    Can I send you a link to it when I’m done? :-)

  19. William Lefkovics says:

    Tony, by "irresponsibly disclosed" are you referring to the reference to "Long URLs" outlined in KB 923762? (http://www.microsoft.com/technet/security/advisory/923762.mspx)

  20. lamon says:

    Hello, everyone, I’m a security engineer from one of your enterprise customers. After deploying MS06-042, when our users access to PeopleSoft (HR System), IE would break down. It occurs that the OS is win2000 and XP without SP2.

    We are in China, most of our OS language is Chinese. Microsoft (China) MSTC engineers told us that they are not sure when you could release the patch’s patch to fix up our trouble. They sent us a tool to have a try, but just the English version, could you speed up the development of the Chinese version? Thanks.

  21. ZOC says:

    Don’t use the false browser …

  22. @Christopher Vaughan [MSFT]

    I have called Microsoft support here in Norway and hopefully they will provide me with a localized version of the hotfix. I think this bug is very critical – will the hotfix really not be released through windows update?

    @Tom

    createPopup will be displayed over iframes, frames and outside the window. It is very useful when creating a contextMenu.

    Espen Antonsen

    24SevenOffice

  23. I want to have IE 6.0 SP1 for update thank you if you am having XP Home whether can or not please tell me or send me a CD to me thank you

  24. Tom says:

    @Espen

    In Dave Massey’s comment (above mine, to Vince)

    It sounds like IE7 has cleaned the createPopup() call a bit, to ensure it _CANT_ display beyond the viewport boundary.

    It again, should be noted, that in all browsers, you can float a div over any content on the page to create a contextmenu or similar. The only catches are:

    1.) in IE 6 or below, you need to float an iframe under the div because the select element was incorrectly coded to be at the window level. (fixed in IE7 thankfully!!!)

    2.) in a frameset (not iframes), you can’t float anything over frames, because there is no (top level) document body to attach the div to.

    Tom

  25. Espen: hotfixes are never released through Windows Update. If you get a hotfix via our support centers, you’ll be pointed to a separate download. However, in a subsequent security update, your hotfix should be automatically included so you won’t have to re-apply the hotfix again.

    lamon: when we release security updates, all languages are released at the same time. The Chinese version of the re-release of MS06-042 should already be available via Windows Update.

  26. I wonder why there’s no new blog entry to be found (yet) here about the release of KB918899v2 for IE6 SP1:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=c335caa9-b9e6-403d-a039-2d3dca723653

    Bye,

    Freudi

  27. IEBlog says:

    This morning we re-released our August security update (MS06-042) for IE 6.0 SP1. This update is available…

  28. MikeG says:

    When a patch is released how soon after will the wsusscan.cab file be updated for SMS ITMU customers?

    Thanks

    Mike

  29. Zach says:

    –> It sounds like IE7 has cleaned the createPopup() call a bit, to ensure it _CANT_ display beyond the viewport boundary.

    Is this in all environments, or in a trusted environment can you still extend beyond the boundary.

    Ask because I have GUI dependent on that – and by trusted – I mean trusted to the point that it’s being served in my own wrapped Webbrowser control

  30. ST says:

    923996 When you visit a Web page that uses a custom pop-up object,

    Internet Explorer 6 closes unexpectedly

    http://support.microsoft.com/kb/923996/

    IE6SP2(XPSP2 or 2003SP1) + 918899(MS06-042)

    createPopup()

  31. EricLaw [MSFT] says:

    @Zach: The CreatePopup call is restricted for content in the Internet zone.  I suspect the limitation only applies to the Internet Explorer process unless you opt your process into the feature.

  32. 1.- The patch that arrived last Tuesday is also for Windows Vista 2.- Memory corruption in Firefox…

  33. Zach says:

    @EricLaw – Thanks :)

    For a second there thought I would have to redo my menus and other parts of the toolbars.

  34. IEBlog says:

    This morning we re-released three versions of our August 2006 cumulative security update (MS06-042)….