IE November 2006 Security Update Now Available


The IE cumulative November 2006 security update is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update, and I encourage you to upgrade to Microsoft Update if you haven’t already.

This update addresses 2 security issues: 2 remote code execution vulnerabilities. For more information on the contents of this update, please see:

  • Microsoft Knowledge Base article: MS06-067 – Cumulative Security Update for Internet Explorer (KB# 922760)
  • Details on the vulnerabilities and workarounds can be found here.

This is a “Critical” update that applies to all supported IE configurations from IE5.01 to IE6 for XPSP2 and IE6 for Server 2003 Service Pack 1. The exception is IE7: the associated vulnerabilities do not affect this newer platform. As always, IE security updates are cumulative and contain all previously released updates for each version of IE.

Unrelated to today’s IE update, Microsoft XML Core Services released an MSXML update today that may affect some IE users. Rob blogged about this earlier today.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest security updates from Microsoft.

Charles Watanabe
Program Manager

Comments (35)

  1. KB922760 (MS06-067) obviously does *not* fix the vulnerability in the ADODB.Connect Object. See http://blogs.technet.com/msrc/archive/2006/10/27/adodb-connection-poc-published.aspx

    KB922760 does *not* set the killbit for the control in question.

    Bye,

    Freudi

  2. Observer says:

    In IE7, the user would have to explicitly opt-in to using this control in order to exploit this vulnerability.

  3. hAl says:

    @Ottmar

    Does it say otherwise ?

  4. @hAl

    No, but shouldn’t that one be fixed, since the "fix" is an easy one (by setting the kill bit)? How many exploited systems are needed before an update is considered? The fix for the daxctle.ocx took "only" 8 weeks…

    Bye,

    Freudi

  5. steve_web says:

    2 Bugs.

    1.) So, IE7 won’t render CSS correctly, unless you specify a valid DOCTYPE… I can accept this, even though I think it should work all the time, and developers should fix their code… but that’s another argument… FINE, but, oddly enough, I notice that that doesn’t apply, for the print preview/print out!  I can specify valid CSS for my page, but with no doctype… which renders oddly on screen, but when rendered in a print preview, or on paper, after printing, it DOES PRINT THE CORRECT CSS.

    Ugh!… now I’ve got to go and do EVEN MORE hacking to get IE to render things correctly…

    2.) The sign in on this blog has stripped out the .Net signin, not sure why, but as a result I can no longer log in.

  6. steve_web says:

    Oh, I also noticed, that the IE7 chrome bug when rendering long buttons… (e.g. File Menu > Tools > Internet Options > Security Tab > "Reset all zones to default level" Button), is ACTUALLY FIXED!!!! by installing some 3rd party addons! (e.g. the Quero Toolbar)

    Now, if an Addon, can fix this bug, by accident, how many more years will it be before Microsoft fixes it?

    PS If there is any chance that the fix, for the same buttons, in the IE7 HTML viewport rendering will be fixed first… take as long as you want, otherwise, at least fix the chrome in IE7… it will at least make the browser look more like a finished product… and users might think the viewport button rendering glitches are the web developers’ fault, not MS’s.

    PS For anyone that actually hasn’t seen this bug or doesn’t know what it is, here’s a screen shot.

    http://www.actsofvolition.com/images/xp_formbuttons.gif

  7. Enjitsu says:

    Why does this stupid IE7 always, and I mean always, load customize your setting no matter what home page I desire? Is this the best Microsoft can do? Release a god awful IE7? Come on! They are a multi million dollar company and can’t even make an internet browser! Why don’t they just admit they sux and let everybody download Firefox as an update!

  8. Aedrin says:

    "So, IE7 won’t render CSS correctly, unless you specify a valid DOCTYPE… I can accept this, even though I think it should work all the time, and developers should fix their code."

    This is the assumed ‘standard’ for all (common?) browsers. Don’t make it sound as though Microsoft decided this on their own and are the only ones using it.

    Read up on standards compliance mode and quirks mode.

    "Now, if an Addon, can fix this bug, by accident, how many more years will it be before Microsoft fixes it?"

    Just as a personal opinion, I think it is bad interface design when you need to have an entire sentence on a button. A button should be 1-2 words at the most. This is probably why I don’t come across any problems with buttons.

  9. decline says:

    i am a huge fan of the punk band S***F*** and once read in an interview with wallis where he said, "i don’t know why i spend so much time writing crappy songs."

    after trying ie7 those words popped back into my head and i was wondering if your developers think similar thoughts?

  11. Fduch says:

    @Aedrin

    >Just as a personal opinion, I think it is bad interface design when you need to have an entire sentence on a button. A button should be 1-2 words at the most. This is probably why I don’t come across any problems with buttons.

    List_of_simple_rules_to_follow_to_have_no_problems_just_like_Aedrin.

    A button should be 1-2 words at the most. So that IE7 won’t screw it.

    Transparency of a layer should be 0 or 255 only. So that IE7 won’t screw PNG transparency.

    Gamma should be 2.2. So that IE7 won’t screw PNG colors.

    Page should have 5-10 images max. So that IE7 won’t screw them.

    You should only navigate to special "non-crash" pages. So that IE7 won’t crash.

    You should only zoom "zoom-crash-proof" pages. So that IE7 won’t crash.

    You should only save pages that have English title. So that IE7 would be able to load it.

    You should open new pages slowly. So that IE7 won’t screw favicons or the whole page.

    You should open pages with flash in new windows. So that when IE7 suddenly crashes that won’t screw all the tabs.

    You should write URLs of important pages you have just found on a sheet of paper. So that when IE7 crashes and loses them it won’t screw you.

    You should open 1-2 programs max when using IE7. So that IE7 won’t screw your system.

    A tab bar should be 10-20 at the most. So that IE7 won’t screw the system.

    You should manually count pages before and after using the "Open these next time I use Internet Explorer". So that you know when IE7 didn’t reopen them all.

    You shouldn’t use link tag in css menus. So that IE7 won’t screw margins on hover.

    You should hide bad points of IE7. So that Aedrin won’t come after you.

  12. Joseph says:

    I think there are 2 new bugs in IE7; the first freezes IE and the second shuts it down:

    1- When you try to close opened popup pages (legit), for example the one on the PayPal video about mobile pay.

    2- Try to open this page using IE7. It will shut down. Testing page: http://www.sawtelghad.com/

    Thank you

  13. Aedrin says:

    Thank you for taking my words out of context, Fduch.

    Regarding your last point (didn’t bother to read the rest, as you are stuck on repeat); a lot of the problems that people keep posting are known to the IE team, repeating them here and complaining is not going to help anyone. It just makes you as the poster look like a whining baby.

    Don’t you ever think that there is a reason they closed the bug reporting site? Maybe they’re in a planning phase right now, and they won’t be checking it at all. So suppose they do open it up, instead of constant complaints about it not being open, there will be complaints about it being ignored. How much are we ahead? Zero.

    If Internet Explorer is so horrid, stop using it. If you develop websites, stop supporting IE. Voice it with your decisions, because frankly no one here cares. Do you see any replies from Microsoft regarding your posts?

    And I’m sure that you -have- to support Internet Explorer, that gun against your head is a pretty good reason. No gun there? Right. It is your own choice. What a waste of life, if you are doing this and despise it so much, yet all you have to do is stop.

  14. DeKaleAas says:

    "Don’t you ever think that there is a reason they closed the bug reporting site? Maybe they’re in a planning phase right now, and they won’t be checking it at all. So suppose they do open it up, instead of constant complaints about it not being open, there will be complaints about it being ignored. How much are we ahead?"

    I do agree with you about all the whining.. it’s a matter of life and death to some people. C’mon… some are ‘a little’ a little jealous about MS success.

    But ontopic: I think there should be a bug reporting blog! One place where bugs can be reported and another place where other things can be reported that make IE more compatible with everything on the web. Just add an extra place for people to complain about MS.

    ah well I don’t know that much about programming but a list like Fduch is posting there would be very useful for MS on the ‘make IE more compatible with everything on the web’ forum… I think.

    anywayyyyy I’m gonna have a good time bye bye!

  15. ST says:

    exploit.blogosfere.it/2006/06/usascii_malform.html

    http://www.iku-ag.de/ASCII

    This PoC is 8bit-char-string on 7bit-ASCII.

    8bit-char = 7bit-ASCII + 0x80.

    Is this the exploit? Or no problem?

  16. steve_web says:

    another weird bug…

    open any page, and do a print preview… lets pretend all is ok, now click the print button, so you can print what you have…

    When the print dialog appears, WAIT 5 seconds, or "decide" what you want to print… current page, all pages, etc.

    BOOM! Where did that preview go!… now I get the "chrome" screen of death!

    BTW, as soon as you print, or cancel, all returns to normal.

  17. steve_web says:

    Okay, more on the above problem…

    In Print Preview, if you open the print dialog…

    **ANY** window movement of **ANY** kind over the print preview, will cause the entire preview to vanish…

    This includes "MSN Toast", "GMail Toast", "Trillian Toast", moving the Printer dialog, Pressing the START button, showing a tooltip if the mouse hovers over any application in the task bar!!!!

  18. steve_web says:

    Oh, and while on the subject of Print Preview:

    2 Bugs/Feature requests:

    1.) DO NOT SIZE the preview, to the EXACT Size/Position of my Browser.  This is highly annoying!

    2.) Provide the MINIMIZE option in the top bar… [WinKey]+[M] or [WinKey]+[D] do not work when there is a preview open, and the user most certainly can’t close them manually.

    Thanks.

  19. steve_web says:

    Oh, and don’t open the Page Setup dialog, in the print preview, and drag that anywhere, or bye bye goes your preview! (no re-paint under the page setup dialog)

  20. Martin says:

    To Aedrin:

    The bugs might be known to the IE team, but now that the bug database has been closed, how are we supposed to know that?

  21. steve_web says:

    Ok, here’s an awesome bug! (read: horrible nightmare)

    Now, we all know that frames (not iframes) are evil for websites, but in Web Applications, they are common place.

    Open up any page/site with frames, where the frame divider is stretchable.

    All is fine.

    Now, increase the ZOOM, 1 (one) notch (e.g. [CTRL]+[+]), now stretch that frame divider again.

    The more content you have, the more hideous the rendering.  Content scrolls over the frame divider, content scrolls under table cell boundaries, images flash and resize oddly.

    Think that’s fun? Try zooming in more!  OMG!

    I don’t know where to even begin on this one… it is just totally messed up.

    Oh, and if it hasn’t been said 100 Million times already, Please!, bring back IE Feedback! We have no way of tracking all these bugs, or seeing if any of them are actually getting any attention!!!

    thanks,

  22. steve_web says:

    Here’s a nice test case… watch content switch frames, overlap frames and do all kinds of funky stuff.

    http://www.htmlcodetutorial.com/frames/nestedfs.html

  23. Fduch says:

    @steve_web

    Oh no! You are whining! Why do you hate MS so much? Didn’t you listen to goose and Aedrin? All of these are no bugs of IE7. IE7 has no bugs. These are bugs of your pages. Or they are bugs of your PC. Probably viruses as some zealots here often suggest.

  24. Aedrin says:

    "I think there should be a bug reporting blog!"

    There actually is a Wiki around supported by Microsoft to report problems/bugs. I can’t recall the address though.

  25. Fduch says:

    @Aedrin why can’t you recall the address to report problems/bugs? So you don’t report them…

    Why?

    Are you too lazy to report them or you just think IE7 has no bugs?

  26. Aedrin says:

    Because I hardly run into problems?

    And when I do, they’re common ones that have a 95% chance of being known.

    Besides, I’m paid to develop not to report bugs. I’ve never had show stopping bugs so I don’t have a real need to. IE works fine for me.

  27. Benjamin Hawkes-Lewis says:

    Aedrin,

    "If Internet Explorer is so horrid, stop using it. If you develop websites, stop supporting IE."

    What does "stop supporting IE" mean exactly? Why punish end-users for surfing with the browser Microsoft bundled with their operating system? What about commercial screen reader users who have to make do with Internet Explorer, either because that’s the only browser their screen reader supports or because they need to access Flash content? Even if developers weren’t forced to pander to IE by its market share, they’d still need to support IE on accessibility grounds (look at the introduction to WCAG 1.0).

    Rather than simply forgetting about IE, I suggest people channel their understandable aggravation into:

    1. Encouraging Adobe to expose accessibility information from the Flash Player plugin in other browsers and on other platforms. The same goes for any other web content that depends on IE for "accessibility". Helping the Gnash (GNU Flash) developers implement the Accessibility class and expose their work to multiple accessibility frameworks would be a good start:

    savannah.gnu.org/bugs/index.php?18194

    2. Creating free and open source assistive technology that can replace expensive, obsolete software and be used with multiple browsers. For example, here’s a GPL Python screen reader that could use your help:

    http://www.kulgan.net/nvda/

    3. Perfecting methods for content negotiation and transformation, so that modern, standards-friendly user agents can take advantage of new web technologies, while old-fashioned HTML clients like Internet Explorer receive the same information but in more primitive (but still standard) forms that they can mostly understand. That way, nobody loses.

    4. Fixing Internet Explorer with add-ons:

    blogs.msdn.com/ie/archive/2006/10/20/must-have-add-ons-for-ie7.aspx#852782

  28. Benjamin Hawkes-Lewis says:

    Aedrin,

    "There actually is a Wiki around supported by Microsoft to report problems/bugs. I can’t recall the address though."

    I assume you’re talking about:

    channel9.msdn.com/wiki/default.aspx/Channel9.InternetExplorerFeedback

    While that wiki at least still exists, it is explicitly no longer "supported" by Microsoft. See the note at the top of the page:

    "On 3/24/2006, the IE blog announced Internet Explorer Feedback — use that tool in preference to this"

    Of course, Internet Explorer Feedback has been discontinued, so the only official channels for bug reporting are by phone and the microsoft.public.internetexplorer.general newsgroup, as mentioned here:

    http://www.microsoft.com/windows/ie/support/default.mspx#ie7Support

    By contrast, even Opera has an official public bug report tool, though regrettably they don’t have a public tracker.

    Temporary, broken feedback sites like the short-lived "Internet Explorer Feedback", blogs, wikis, newsgroups, and even private trackers like Opera’s are no substitute for a genuine, permanent, official public bug tracker comparable to those that exist for WebKit, Mozilla, KDE (including Konqueror), ELinks, and Gnome (including Epiphany).

    Now it is true that there are unofficial substitutes like:

    http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/

    secunia.com/product/12366/

    http://www.webdevout.net/browser_support.php

    But, again, these simply cannot replace the direct and focused engagement with browser developers provided by an official bug tracker.

    Setting up a bug tracker was one of the best moves the IE Team made while developing IE7. But by shutting down Internet Explorer Feedback, Microsoft gave a kick in the face, not only to standardistas dedicated enough to endure Connect’s sub-par interface to log bugs and suggestions, but also IE-fixated intranet developers who need to know that new behaviours are known to the IE Team and are not, in fact, bugs.

    "Don’t you ever think that there is a reason they closed the bug reporting site?"

    There must have been a reason, but I still think it was a user-hostile and self-destructive mistake.

    "Maybe they’re in a planning phase right now, and they won’t be checking it at all. So suppose they do open it up, instead of constant complaints about it not being open, there will be complaints about it being ignored. How much are we ahead? Zero."

    I vehemently disagree. If they’d just left the Connect site in place, there would still have been an ongoing public record of Internet Explorer bugs and a place to discuss improvements in an organized fashion. It’s not only the IE Team who responded to submissions; ordinary developers and users were also commenting and voting. Even if the IE Team ignored it for months while they dreamt of Explorers yet to be, we would have an official reference for bugs to help us during development and everyday use, and the IE Team would have accumulated a huge mountain of bugs and suggestions, helpfully sorted by vote, to help them when they got back to coding.

  29. My comment is not on the update of IE7. It is on the errors HTTP 501 & 505. After downloading IE7 I could not reach my web pages and I always saw the "http 501 not implemented" and "http 505 not supported" by IE. I myself am tired of studying the errors’ solution. Please help me, I am urgently in need of my local area web pages.

    I also cannot sign in to Windows Live Messenger and am met with the 81000306 error code. Please help me to solve my problems. YOU MAY NOT BE THE RELATED SECTION; IF SO, PLEASE TRANSFER MY PROBLEMS TO THE RELATED SECTION. THANK YOU,

  30. David Post says:

    Right after installing these updates including IE7, Norton antivirus ran a full system scan. It turns out that now I have at least 84,000 more files to scan.

    Did anyone else notice something similar?

    Thanks

  31. jesse says:

    lol yet another security patch, how many is that so far, 40, 50? IE is rubbish

  32. doc0tis says:

    @Aedrin

    Apparently Fduch is unable to comprehend simple sentences. I wouldn’t bother attempting to explain your intelligent actions to him/her.

    @Fduch

    If you don’t like IE7, don’t use it. PERIOD. We are not allowing its use at my work because of concerns that we have. And btw grow up.

    –doc0tis

  33. Keith Cash says:

    Downloaded. More files are there.

    But I now feel safe.

  34. Jake says:

    I don’t use any of the platforms that this IE update affects,  but I did want to chime in with some comments. First of all, I upgraded to IE7 just last week and I really like it. It is indeed faster than previous IE versions were, and the new features are really cool. I’d also like to mention that IE7 works perfectly with JAWS version 8. For some reason my computer didn’t seem to like the November update patch for JAWS 7.1, so I just upgraded to JAWS 8 and voila! Job well done FS and MS!
