Update coming for IE 6.0 SP1 security vulnerability

You may have read reports of a new, irresponsibly disclosed vulnerability that affects IE 6.0 SP1. We are aware of this issue and are actively working on an update that addresses the problem, which was introduced with our last security update (MS06-042). This issue only impacts customers running IE 6.0 SP1; customers running Windows XP SP2, Server 2003 SP1, IE 5.01 on Windows 2000, or any of the IE7 betas including Windows Vista are not affected. As far as we know, there are no active exploits at this time. The Microsoft Security Response Center (MSRC) has released security advisory 923762 with guidance for customers on this issue.

Briefly, after the initial release of MS06-042, we were responsibly informed of a potentially exploitable security vulnerability via a crash in urlmon.dll; we also started receiving reports of customers running into the crash during normal usage. As a result of the security and reliability impact of this bug, we decided not to wait for the next normally scheduled update. We had planned to release the update today, but last night we found an issue that would prevent some customers from being able to deploy the update. As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution.

We’ve been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this. In fact, this will be the first re-release of an IE update in 2.5 years (MS04-004 was the last one). Unfortunately, we missed this issue, plain and simple. In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue. We have also gone through all of our applicable engineering processes and tightened parts based on our learnings from this release. Finally, we are reconsidering our staffing and tools to allow us to scale better to our heavy load periods.

Across the company and the industry, we’ve seen how hard it is to ship updates in a timely way with high quality. We take responsibility for our mistakes by trying to minimize the customer impact and continually striving to learn from our experiences to do better next time. We will also continue to work with the security researcher community to encourage only responsible disclosure of security vulnerabilities. (You can read about some of the issues and challenges on this front on the MSRC blog.)

The MSRC and release teams are hard at work right now in an effort to address this situation. We hope to have this update out to you soon.

Tony Chor
Group Program Manager