IE February 2007 Security Update is Now Available

The IE cumulative February 2007 security update is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already.

This update addresses 3 security issues – all three are remote code execution vulnerabilities. For more information on the contents of this update, please see:

This “Critical” update affects all supported IE configurations from IE5.01 to IE6 for Windows XP SP2 including IE6 for Windows Server 2003 SP1.

Also included in this release are ‘Important’ security updates for Internet Explorer 7 for Windows XP SP2 and Windows Server 2003 SP1 that disable specific COM objects not intended to be instantiated in Internet Explorer. While these vulnerabilities are considered ‘Critical’ in IE5 and IE6, the objects are blocked by the ActiveX Opt-in feature in IE7, preventing attacks that use non-approved controls from running an exploit. Since some users may turn off ActiveX Opt-in or mistakenly permit the objects to load without prompt, this update disables loading these objects to provide further defense-in-depth. IE7 in Windows Vista already disables these objects and is not affected by this update.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of the browser.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Geoffrey Silva
Program Manager