IE October Security Update is Now Available

The IE Cumulative Security Update for October 2007 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses 1 remote code execution and 3 spoofing vulnerabilities. This bulletin also includes killbits for some vulnerable ActiveX controls. For detailed information on the contents of this update, please see the following documentation:

This update is rated “Critical” for IE 5.01, IE6 Service Pack 1 on Windows 2000, IE6 on Windows XP, IE7 on Windows XP SP2 and IE7 in Windows Vista; “Moderate” for IE6 on Windows Server 2003 and IE7 on Windows Server 2003.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments (60)

  1. commentform says:

    Yet another post.

    Yet another post without info about IE8.

    How many more are we going to have to suffer through?

  2. Brian LePore says:

    Sigh, must every blog entry have people trying to threadjack the comments to rag on Microsoft for the lack of info on IE8, updates for Asian versions, etc.?

    Now, can someone explain to me why there are updates for IE 5.01, but not for 5.5? Why is 5.01 even being supported still? If they’re going to still support it why can’t we get VMs with it on for us to test on? It seems odd to me they’re saying its market share is enough that they still need to provide security updates for it, but not enough that people should test their designs in it.

  3. gabe says:

    support for each ie version is linked to some degree to os

    ie5 is still supported because it was version shipped on windows 2000

    ie5.5 is not supported anymore because it shipped on windows me which is no longer supported plus it was replaced by ie6/7 on all other platforms

    support for ie7 on vista will remain as long as vista os support exists but support for ie7 on windows xp will end 12 to 24 months after release of ie8

  4. gabe says:

    windows home server

    what version of ie is shipping with it ie7 or ie6


  6. rc says:


    "How many more are we going to have to suffer through?"

    As I repeatedly state, we will hear nothing new at least in the year or two.

  7. @IE Team

    Thanks for fixing the bug:

    936949 Focus is not set to the Web page if you minimize the browser window and then maximize it from the taskbar in Internet Explorer 7

    but I have now discovered another strange thing about how my toolbar is getting resized when IE7 is started and when the IE window is minimized:

    Link to other (unfixed) bugs I found:

  8. Finally comments about the development of IE8!!!!!! has posted news about IE8!!!!!!!!

    Though I would have preferred to hear it here first from an active Microsoft Internet Explorer Employee.

  9. It looks like the update for IE6 and Outlook Express/Windows Mail caused a problem on SBS 2003.  Network clients were not able to access any websites at all.  Uninstalled these updates from the server, rebooted and now able to browse the Internet from these clients again.  Bad DLL in there somewhere?

  10. Web Browser says:

    Hm… Not sure if that’s just me but they are releasing more "Stuff" those days.

  11. snorthwood says:

    Any ideas as to why IE7 isn’t working after these updates were installed running XP SP2? Firefox is working. IE7 can’t access even my router. Tried uninstalling and reinstalling IE7. Flushed DNS, changed DNS servers, etc…

  12. After running automatic updates my computer crashed and had to be restarted. Then the norton I security 2007 was deactivated and had to be reauthenticated – what’s going on???

  13. EricLaw [MSFT] says:

    @Snorthwood: Do you have a local non-Microsoft software firewall?  We’ve heard of instances where such software needs to be configured to permit IE to access the network after updates to iexplore.exe are made.

    @rc: You can repeat yourself as often as you like, but it won’t make your statements any more accurate.

  14. Caleb says:

    I’m having an awful time getting IE7 to connect.  Firefox will not even connect for me.  I am using a wireless connection and IE just displays that the page cannot be displayed.  This has happened since I updated.  Any ideas?

  15. See for details.

    Now, how does this correspond with the "Enriching the Web Safely: How to Create Application Protocol Handlers" article which has been an indirect reply to the "Firefox/IE7 URI security hole pingpong" (



  16. Ivo says:

    Since I installed IE last update the browser didn’t work…  I can’t access any websites… I had to use Firefox and it works so the problem isn’t the internet connection. What’s happening?

  17. EricLaw [MSFT] says:

    @Ottmar: Advisory 943521 concerns a bug in protocol handling elsewhere in Windows.  

    It is unrelated to the original FirefoxURL: problem which the Mozilla team subsequently fixed.

    As noted in the advisory: "The threat presents itself when Windows does not correctly handle specially crafted URLs or URIs that are passed to it. Internet Explorer 7 updates a Windows component, which modifies the interaction between Internet Explorer and Windows Shell when handling URLs and URI’s. Applications which pass un-validated URIs or URLs to Windows can be leveraged to exploit this vulnerability."
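
The advisory text quoted in the comment above places the risk with applications that pass un-validated URIs or URLs to Windows. As an added example (not part of the original post or comments, and not Microsoft's code), here is one way an application could vet a URI before handing it to the operating system; the scheme allowlist, the length limit, the strictness rules and all function names are assumptions of this example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumption for this example: the application only hands web and mail links
# to the operating system. Every other scheme is refused outright.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
MAX_URI_LENGTH = 2048  # assumed limit, not taken from the advisory

# "%" is legal only as the start of a two-hex-digit escape (RFC 3986).
_MALFORMED_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# Characters RFC 3986 never allows unescaped: controls, space and delimiters
# that are also meaningful to command-line parsing.
_FORBIDDEN_CHARS = re.compile(r'[\x00-\x20\x7f"<>\\^`{|}]')


def check_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only if the URI may be handed off."""
    if not isinstance(uri, str) or not uri:
        return False, "empty or non-string input"
    if len(uri) > MAX_URI_LENGTH:
        return False, "too long"
    if not uri.isascii():
        return False, "non-ASCII character"
    if _FORBIDDEN_CHARS.search(uri):
        return False, "forbidden character"
    if _MALFORMED_PERCENT.search(uri):
        return False, "malformed percent-escape"
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False, "unparseable"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if scheme in ("http", "https") and not parts.hostname:
        return False, "missing host"
    if scheme == "mailto" and "@" not in parts.path:
        return False, "missing mail address"
    return True, "ok"


# Constructed sample inputs (not taken from the advisory or from any log).
SAMPLES = [
    "https://example.com/path?q=a%20b",
    "mailto:user@example.com",
    "mailto:user%zz@example.com",
    "http://example.com/a b",
    "file:///C:/Windows/win.ini",
    "https:///nohost",
    "https://example.com/100%",
]


def triage(uris: list[str]) -> dict[str, str]:
    """Map each URI to the reason it was accepted or refused."""
    return {u: check_uri(u)[1] for u in uris}


if __name__ == "__main__":
    for uri, reason in triage(SAMPLES).items():
        print(f"{reason:26} {uri}")
```

Only a URI for which `check_uri` returns `True` would go on to the platform's launch call; everything else is logged and dropped rather than repaired.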

  18. Chilumba says:

    After the update, I am now getting IE7 crashing every time I visit some pages. Funny that when I log into windows live hotmail, I immediately get the "An unhandled win32 exception occured in iexplore.exe [2172]" (<- this is on a XP SP2 machine (laptop).

    On other XP machine, I am not getting this behavior.

    It is annoying that I am not able to read my hotmail on my laptop. Browsing some other sites also randomly causes this same error. Yesterday, I disabled the JIT debugger, and forced to send logs to MS.

    Isn’t anyone hitting into this issue?

    When I specifically remove the update (KB939653), I am able to surf without a problem.

  19. @Ivo

    Please see for the possible cause of the issue.


    Thanks, I’ve read the MSRC blog entry after posting my comment here. Anyhow "The final reason is we actually contributed to some of the confusion by providing an incorrect set of talking points to Heise." Ah ja, "incorrect set of talking points" says it all.



  20. steve says:

    It’s always humorous reading about how IE isn’t that far behind as far as CSS goes (at least that’s what we keep hearing here on the IE Blog).

    Hardcore developers strongly disagree of course, but it’s interesting to see how the impression is expressed elsewhere.

    I was on the CSS 3 Info site today and noticed on the "preview" page (where you can test out the new features in CSS 3 (for those browsers advanced enough to support some of the features) that the opening title said it all.


    "Many exciting new functions and features are being thought up for CSS3. We will try and showcase some of them on this page, when they get implemented in either Firefox, Konqueror, Opera or Safari/Webkit."

    Notice that "Internet Explorer/Trident" didn’t even make the cut for Browsers!

    Do you think this reflects their thoughts that IE will likely not implement CSS3 features? or not anytime soon? or have they simply removed IE from the conversation because IE needs to focus on supporting CSS2 first?

    Me thinks that the truth can be mighty unforgiving at times.

    So IE what’s the story? are they being naive to think that IE won’t be supporting CSS3 in

    I’m sure that there are a few hundred thousand developers out there that would love to hear that border-radius, and box-shadow are on the horizon.


  21. Chilumba says:

    Update to my earlier post –

    I noticed that this crash of IE7 on XP SP2 is happening when I go to any site which has flash on it. When I log into hotmail, there is a flash Ad on my today screen (on the right hand side).

    I can constantly reproduce this problem every time I go to a flash enabled site.

    Weird that it is not happening on my other machines though.

    I tried going through the guided help ( ) and was still hitting the same problem.

    My temporary workaround is to uninstall the update (I know it is a security risk and I would rather not install another browser) until there is a working solution.

  22. Eduardo Valencia says:

    We need a new versionnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn bring it on!!!!!!!!!!

  23. Since October 5th (IIRC) IE7 is no longer offered via Windows/Microsoft/Auto Update, not even as optional update (for Windows XP at least). Are there any reasons you (MS) would like to share with us (your customers and users)? Otherwise I tend to make the "URI handling" "hole" responsible for the temporary(?) remove of IE7.

    Any comment by an MS employee would be appreciated.



  24. EricLaw [MSFT] says:

    @Ottmar: The URI handling issue is not related to the availability of IE7 on AU; as noted, the URI handling issue is a vulnerability in Windows, not IE.

  25. @Eric

    If it’s not the URI handling issue which may be related to Windows and not IE7 but is only present with IE7 being installed: What’s the correct answer to the question, *why* IE7 isn’t available on AU/WU/AU at the moment?



  26. Hi Eric,

    it’s "unfair" to offer IE7 again via AU/MU/AU 😉

    Honestly, I would have liked the idea to not distribute IE7 for Windows XP/2003 as long as the URI handling issue isn’t fixed.



  27. Jazz says:

    Is Digest Authentication broken after this update? My server challenges with the requisite 401/WWW-Authenticate but the new IE7 does not respond with the Authorization header! This used to work until last night, and my update seems to have gone on before I got in this morning!

    Can anyone throw light on the issue? I have Fiddler logs of the broken version if necessary…

    Please mail me at "" if you think you can help or have the same issue.


  28. ted says:

    Nice article on why MS isn’t moving IE forward to use Web Standards.

  29. 1.) Quirks Mode, 2.) (business) ‘Standards’, and 3.) (actual) Standards modes. New rendering engine and a third opt-in mode. This makes the most sense right now I suppose but it’s purely speculation. We know the XML declaration bug in IE6 was fixed in IE7 and you can run IE8 (speculation of course) in (business) standards mode with an XML declaration…if a true standards mode is being implemented then there would have to be either something present or not present to trigger this sort of true standards opt-in mode that Chris discussed earlier (thanks again to Tom for posting the clip).

    Keeping in mind that this is pure speculation if I was asked by Chris to take a good look at typical business sites and standards compliant websites and suggest common differences between business and standards site I would aim to make such a common difference possibly trigger a true standards opt-in mode. So in my mind the first few things I would look for on business sites are 1.) XML declaration, 2.) DTD declaration, 3.) xmlns XML namespace, all of which are present on my standards compliant website. If I wanted to look for a fourth I would personally detect if any child script elements in the body element though I think that would probably be over doing.

    Can anyone come up with a list of big business websites with IIS in the response headers using ASP/ASP.NET? Post some here, we can have a look at their clientside code, and maybe entertain ourselves for a bit. When people get bored with that please keep in mind Chris Wilson heads the IE team, not Microsoft and he has to plan in accordance to what the higher-ups dictate, not us.

  30. norm says:

    @John A. Bilicki III

    Why do you want links to IIS ASP sites? what is so special about their client side code?

    IMHO, ASP is usually a technology used by those that don’t know about other options like Java and PHP.

    Or are you looking for badly generated tag soup? In which case you are likely right on target!

    The one thing to always remember though.. is that a given business site might be "dying" to use a stricter doctype/coding on their site, but has been holding back due to bugs in IE.

    I personally haven’t gone to an XML/XHTML declaration yet for exactly that reason.  IE does a horrible job with DOM Attributes as it is with HTML, so I’m not updating to XHTML and namespaces until I know that IE is going to be ready to support them!


  31. EricLaw [MSFT] says:

    @Jazz:  Haven’t heard back from you.

  32. Nicki says:

    A lot of this is over my head.  All I know is the computer did an update on 10-13-07 and now I can’t use IE. (but I am connected).  I have to restore back to use it.

    What can i do to fix??????????????


  33. Tino Zijdel says:

    @John A. Bilicki III: I think that sites using HTML4.01 Strict show more affection to standards compliance than those using (faux) XHTML.

  34. @Nicki

    See for a possible cause of the problem you have.



  35. Reto says:

    After installing the October Updates we’ve got problems with the list of trusted sites.

    I deploy a list of trusted sites by Group Policies. And every User can add additional sites. After the Update all Sites defined by the user are cleared and only the sites from the GPO are defined.

    Can somebody confirm this?

  36. torrent says:

    Not sure if that’s just me but they are releasing more "Stuff" those days !



  38. Jimmy says:

    Ok, I have a problem similar to Nikki. When I try accessing certain Links to other web sites, my IE 7 in OS Vista business, just opens and states (in the upper left corner) connecting… And nothing else happens. I tried under tools “diagnose connecting problem” and still nothing. This was only happening when I was using an affiliate link with their “hop” in it. I was informed by my affiliate that JavaScript and Cookies must be enabled to view pitch page ads on their site, which they were.

    Then it happened last night when I tried another link from the Web site “Web hosting Reviews.” Again, just the Connecting…  in the upper left corner. I enabled some script under miscellaneous on the security tab and that didn’t help. It has to be in the security…doesn’t it?

    Everything worked fine until the update on 10/10. Certainly others have had this problem…NO? I also went to and my affiliate is not listed. I’m going crazy!! Please help.


  39. Breck Kuhnke says:

    Starting two days ago, any time I type a URL into the web address line in IE 7, my browser just locks up. I have to ctl/alt/del & kill it, then open another browser.

    At first I thought it may have been auto-complete that was killing it, since that is the task name listed in ctl/alt/del.  I disabled that in IE and it still locks up any time I type in a URL.

    I’ve been using this computer for about 2 years, and the only thing that I changed recently was to install the upgrade for Yahoo Messenger.

    Anyone have a clue?



  40. @Jimmy

    What "affiliate" is installed and has been running while updating Windows?



  41. Jimmy says:

    My affiliate is ClickBank. They have hundreds of products to choose from and give you the option to "view pitch page" of the publisher while on the ClickBank Web site.

    I wonder if it might be an authentication problem.  But, like mentioned above, it was more than just my affiliate’s Web site.

    Thanks for any help,


  42. @ norm

    I picked up an ASP.NET book and discovered ASP.NET generates clientside code for you…really horrible code. These sort of books and this sort of "support" for clientside by serverside languages have really hurt professional web designers.

    @ Tino

    Your homepage is served as XHTML, uses text/html, contains document.write in JavaScript code completely located within the body element, and is lacking an alt attribute in order to validate. Since I (do not) have a(n) example(s) of your specialty in clientside code I am curious about why you think my XHTML 1.1 application/xhtml+xml, WAI AAA compliant site is faux?

  43. @Jimmy

    What kind of 3rd-party "Security Software" do you have installed? Which vendors, which versions? Even anti spyware/adware applications are interesting beside any personal firewall and/or anti virus software running on your machine.

    Does the very same happen while you start IE7 with all AddOns turned off?



  44. Jimmy says:


    Are you some kind of genius?

    I currently have 5 IE7 add-ons:

    1) Shockwave Flash Object, ActiveX Control

    2) Adobe PDF Reader Link Helper, Browser Helper Object

    3) Research, Browser Extension

    4) Spybot – Search & Destroy, Browser Extension

    5)Spybot—SD IE Protection, Browser Helper Object

    I disabled all of them and my IE works perfectly!!

    I then enabled them one by one until the problem

    occurred and…yep, it was the Spybot—Search &

    Destroy, Browser Extension.

    How important is the Spybot extension to my overall

    security? Should I just disable? Or Delete?

    Please advise.

    Thanks again, you Guru!


  45. travis says:


    I’m not sure what the problem is, but if you are using IE to browse the Internet, I would _DEFINITELY_ *NOT* disable Spybot!

    Spybot protects you from like 20,000+ different spyware issues/hacks on the IE browser…

    That being said, I recognize the BHO (Browser Helper Object) but not the other one… is it a true "Safer Networking" product, or is it one of those spyware apps that claims to be spybot S&D?

    If you have some site that is causing you some significant issues, you may want to flag that in Spybot to "allow" it to do whatever it wants…

    If you have a link to the affiliate site, we can also peek at their code to see if they are doing something that is causing havoc in your browser.

    PS Does the site work fine in Firefox? or does it use some Active-X?

  46. Jimmy says:


    Those are good questions. I really have no intention of disabling Spybot, because you’re right, it provides excellent protection. And I’m positive it’s the original Spybot S&D Safer Networking. I downloaded it from  and it’s the new 1.5 released in September. It’s supposed to work well with my Vista Business.

    Also, you mentioned that you’re familiar with the BHO. That’s good, because in my above posting I made a mistake. I went through the same process that I have listed on my posting to Freudi on 10/19 and it was actually the BHO that was causing the pages NOT to open. When the BHO is enabled and I click on some (not all) links, IE just says Connecting…  and I stare at a blank white page that never opens. I disable the BHO and it connects no problem. I just don’t know how this would affect my security if I browsed with the BHO disabled. I do have Defender and that has proved to be quite effective.

    Yes, the site does work fine in Firefox. But, I ran Firefox as my default for two days. When I scanned with spybot S&D I realized I had been plastered with tracking cookies from companies I have never even heard of. When I use IE7 and Defender, I have yet to get one single cookie or any “threat detected” when I have scanned with S&D…It always says “Congratulations, no threat detected.”  I like that.

    BTW, I visited   and I could not find any postings with a similar problem as mine.  I may post and ask what the consequences would be if I browsed with the BHO disabled. Thanks for the info and comments Travis.


  47. ThomasD says:

    Everyone forgot IE7s birthday…

  48. Mitch says:

    Happy 1st Birthday IE7!

    Congratulations! You are now almost a member of the Modern Web Browser Club (MWBC)!  To be a member of the MWBC, you’ll need to start supporting DOM Properties & Methods properly, implement prototyping on DOM Objects, get some serious CSS support going, stop caching AJAX responses, fix Gamma on PNG images, fix favorites, printing, UI chrome issues, memory leaks, page zooming, deprecate security zones, active-x, & vbScript….. and we’ll be glad to accept you with open arms!

    Congrats on the success so far! Only 1 more version to go, and you’ll be there!


    Can’t wait for IE8, lets hope it gets here before Q3 2008!

    btw, any news on IE8? "we’re listening"!

    Wow who would have imagined that 1 year after IE6 had died, that we would be this close!

    Excited with anticipation!


  49. Jon says:

    @Mitch: Your list is nice except that you mix in real issues with those that are a matter of opinion.  There’s nothing wrong with favorites.  VBScript/Zones & ActiveX aren’t going away, nor should they.  In Firefox, they call ActiveX something different ("Plugins") but fundamentally it’s the same thing.  

    @Jimmy: Spybot and others make money by scaring you with bogus threats like "tracking cookies" which IE can be easily configured to block anyway.  If you don’t choose to download random programs or random AX controls, you don’t need spybot at all.  If you’re using Defender already, you don’t need spybot at all.

  50. Randy says:

    It’s been a YEAR now, and "Internet Explorer 7" is still only registering in the 30% range on most websites!  

    Man, what could be wrong?  Of course IE 7 is WAY better than IE 6 (I assume), but I guess people don’t know that?  It appears folks are still being heavily discouraged by webmasters from using IE.  

    Why?  Perhaps developers are still a bit traumatized by the whole IE 6 debacle? I think Microsoft’s refusal to acknowledge and repair its rendering bugs in IE 6 must have damaged the trust people have in the product

    IE 6 developers figured out how to shut down their product’s bug submission form, but alas doing so did not magically repair their bugs.

    Anyway, that’s all.  I’m done.

    But with errors.

  51. iron2000 says:

    I’ve been having the ie7 icons covering the icons in the cd problem. I know that the icon size is the cause but is it possible to fix it?

    I would assume it be a problem with IE7 and not XP.

    And about the recent IE7 Update release (or re-release), do the current users uninstall the old release then install this new release? I read that the new release has another version number.  


  52. Zoey says:

    @Jon – I disagree with you; Mitch is not wrong.

    ActiveX is different than Firefox plugins.  There is no setting in Firefox that I can accidentally set to automatically install plugins.  In Firefox, I have to (a) approve the domain that I want to download from as trusted, (b) wait 4 seconds to ensure I’m not click happy and accidentally giving acceptance, (c) I need to restart in order to activate the plugin.  Considering that in IE with my security settings not set perfectly in all 4 zones across like 2 or 3 tabs in a user-unfriendly dialog opens me up to security issues I don’t think you can even come close to comparing ActiveX to Plugins.

    Yes, Favorites suck. Managing them is a pain.  Deleting one takes 3minutes while it scans god knows what.  They’re not very portable, they are lousy for bookmarklets (or favlets) their behavior is different when nested in menus versus on the links bar.  Saving a bookmarklet throws up 2-3 warnings, you can’t save two DIFFERENT links with the same name, nor can you save two identical links with DIFFERENT names.

    I’ve yet to find anyone that actually sets up different zone settings, but I digress.

    Oh and tracking cookies are not bogus.  Deleting them is advised by *EVERYONE* in the security and privacy community! Google or Wikipedia it.

  53. EricLaw [MSFT] says:

    @iron2000– You do not need to install the rerelease if you already have IE7 installed.  The re-release simply toggles a few default settings (menu bar on by default, etc) that you can easily do in the IE user-interface yourself.

    @Zoey– As of IE7, it’s pretty much impossible to "accidentally" set anything to allow ActiveX installation by default.  Any such setting throws the browser into aggressive warning mode, such that it boots to a "your settings are not safe" page at every startup.

    To block unwanted cookies, configure your preferences to block cookies from any sites you want.  This is a simple, painless process.  Alternatively, you can set the privacy slider to block cookies sent with unacceptable policies, or turn permanent cookies into session cookies.

    Alternatively, you can nuke all cookies by clicking Tools / Delete Browsing History.  

  54. Tino Zijdel says:

    @ John A. Bilicki III:

    I’m not sure which page you visited and perceived as being my homepage; besides my weblog I don’t really have a homepage…

    If you’re interested in my work please have a look at (still contains a lot of legacy code though) or (I redesigned the forum 3 years ago, but it is up for revision soon).

    My actual point was that people choosing a Strict DTD variant are often more well-informed than those using a Transitional variant (be it HTML or XHTML).

    As for ‘faux XHTML’ I actually did not mean your website in particular (although it may fall into that category). As you may know the vast majority of websites carrying an XHTML DTD don’t even validate as XHTML or are not well-formed so they will fail when being sent as XHTML. The fact that they ‘work’ is all because they’re being sent as text/html and thus are treated as HTML. Obviously those sites don’t need the benefits of XHTML and thus XHTML is just the wrong choice.

    Some sites use accept-header negotiation, but even most of those sites just send the same markup as text/html as they do for XHTML-capable clients (so there is no actual need to use XHTML in the first place). Even those sites that actually send different documents often forget to vary on user-agent for proxies, causing loads of problems for clients behind (corporate) proxies.

  55. @ Tino

    I can agree with you though my XHTML isn’t faux. 😉 When I visit a site I often check their DTD declaration, media type, and if it validates. I’ve seen a couple Microsoft pages use XHTML frameset…for non-frameset pages! I think that was on a mix06 page, not sure why? You’d think with all the proprietary elements that are on Microsoft pages they’d at least use application/xml media type?

    The W3C validator is ok though strangely validates XHTML 1.1 pages served as text/html as valid, second bug on the validator that I’ve noticed.

    As far as XHTML itself goes IE stands in the way. Chris Wilson mentioned he didn’t want to touch XHTML until he had the ability to do it right the first time. Fair and fine with all things considered.

    I have to revise a former bug btw… IE’s lack of wmode support for Flash isn’t so much a bug as it is a regression. In a recent screenshot of my current work with Internet Explorer 4 I found wmode was supported in IE4. Take a look at the anime icon with a transparent background (the purple background shows underneath the arm on the right side of the picture at the bottom left.

    Considering IE4 was released in September 1997 its CSS1 support actually isn’t too bad.

  56. gerald says:

    Why was this not posted here! I can’t believe it has taken a year to flush this little gem out!


    1.) Open REGEDIT

    2.) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\CommandBar

    3. Create a new DWORD called "Enabled" with Value 0

    4. close regedit and restart IE7

    Command Bar is Gone!

    This is very handy since with this useless toolbar removed, you can fit (+/-) 18 Tabs on the Tab row without having to scroll!

    There’s also a registry item you can/should add to put the file menu back on top. (I’ll post that one too if everyone doesn’t already have that applied)

  57. Hi, my name is Tariq Sharif and I am a program manager in the CardSpace team. After we released CardSpace

  58. One problem with the original version of CardSpace was that it seemed to reject some legitimate SSL sites,
