IE December Security Update is Now Available


The IE Cumulative Security Update for December 2007 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses 5 remote code execution vulnerabilities. This bulletin also includes killbits for some vulnerable ActiveX controls. For detailed information on the contents of this update, please see the following documentation:

This update is rated “Critical” for IE 5.01, IE6 Service Pack 1 on Windows 2000, IE6 on Windows XP, IE7 on Windows XP SP2 and IE7 in Windows Vista; “Moderate” for IE6 on Windows Server 2003 and IE7 on Windows Server 2003.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments (47)

  1. Tijn says:

    Yay first…:)

    Yet again some security fixes for IE….as usual 😉

  2. tom says:

    Where’s the Beef?

    I don’t see any details about IE8 here?

    What Gives?!?!?!?!?!!?

  3. web dev guy says:

    Is Firefox up to 2.0.0.12 yet?

    Does this security update support alpha channel transparency PNG?

  4. Ted says:

    IE7 already supports Alpha Channel PNG.  IE6 never will.

  5. another web dev guy says:

    IE7 supports Alpha on PNG, but not Gamma, IE6 supports neither.

    "Critical for IE 5.01…" What!?!?!

    Who in their right mind is using anything less than 6.0?

    Even with that said, most sites are pushing users to give up on IE6 big time now.

    Try logging into Facebook in IE6, there’s a big splash screen with a "Hey dude! you are like way behind the times! upgrade your browser version, or better yet, upgrade your browser (with links to Firefox and Opera provided)"

    (ok, the wording is a little "ad-lib", but the gist is the same)

    And if the roasting of the last few weeks wasn’t enough, what’s the news on IE8?  I’m pretty sure you guys know we’re anxious over here for details.

  6. David Naylor says:

    IE5???

    Just dump it already. Dump IE6 while you’re at it.

  7. Fred says:

    @AWDG: Actually, IE does support Gamma…that’s the problem.  Strip the gamma, and the pictures look fine.

    IE is hardly alone in this regard.  See

    http://hsivonen.iki.fi/png-gamma/

    http://www.hanselman.com/blog/GammaCorrectionAndColorCorrectionPNGIsStillTooHard.aspx

  8. Al Billings says:

    The IE team is required to support browsers for the ten year lifespan of an operating system. So, if the operating system’s supported version has a particular version of IE (like IE 5.01), then the IE team has to do security patches for it.

    This is part of the bane of Windows 2000.

  9. Bah says:

    Man, I hate this corporation-style behaviour.

    500 people and counting are asking for info about IE8 in the last post comments and they just drop info about a security update.

    I wonder what is the really big secret about IE8? Maybe the secret is that there is not IE8 at all?

  10. IE8 says:

    This is a blog, start using it like one.

  11. Juan Pablo says:

    Sadly we have to support IE6 and IE7 and soon IE8. I think hell is coming to earth. A lot of people have IE6 and it doesn’t work ok with a lot of CSS styles. I’m completely sure IE8 will have its own CSS stuff, so we have to create a lot of hacks so we can develop on standard browsers (firefox, opera) and IE at the same time.

    Please…stop creating more versions of IE!!

    Format your IE development servers, and start again!..

    jiji

  12. Sam Spade says:

    @Al Billings,

    I’d like to see Firefox support their browsers for 10 years.  I wonder what that would do to their vulnerability statistics…

  13. content n-a-z-i says:

    @bah: 500 people and counting are asking for info about IE8 in the last post comments and they just drop info about a security update.

    so who made you the ie blog content nazi?

    this is the ie blog, how does a post about an ie security update not constitute valid content? it’s their blog they can post anything they god damn want to. if you don’t like it….. leave.

    you won’t be missed.

  14. Brian LePore says:

    @Al:

    Wasn’t Internet Explorer 5.5 the default browser for Windows ME? It hasn’t been ten years since ME was released.

  15. EricLaw [MSFT] says:

    @Brian: Windows ME was not considered a "business" OS and had a different support cycle.  See http://www.microsoft.com/lifecycle for the nitty-gritty.

  16. Hey Eric, thanks for Fiddler! It’s pretty nifty once you figure it out (which isn’t too hard).

    For those of you complaining about having to support multiple versions of IE, as always look up conditional comments. It doesn’t even require serverside support and I also support IE4 which only requires very minimal procedural programming. I’m a Web Designer, not a Web Developer too! Then again the IE team doesn’t do itself justice by pointing out conditional comments. If they did I’m sure less people would complain and start revising their CSS.

  17. Reid says:

    @Sam Spade:

    FF doesn’t have to support browsers for that period of time because the update feature is in the browser itself.  When an update is found (it checks automatically from time to time) it notifies the user and can update with just a click from the user.  I’ve yet to have a problem with it.

    (This, btw, was a BIG selling point for the parents.)

    MS on the other hand, has nothing of the sort.  So, people who don’t ‘windows update’ are probably not even aware that a new version exists.  Can we say problem?

    If the IE team would dump the idea windows update is the way to update IE and put the update in IE itself, then that would solve *a lot* of problems.

    Because, if they don’t it’ll be pretty much like the last browser wars.  Except only the IE team will be putting out new buggy browsers that is ruining everything.

    @content n-a-z-i:

    He said NOTHING even remotely close to what you say he did.  All he is saying is that the IE team should be answering 500+ people’s (read: DEVELOPERS) questions.

    We want steak and they give us pre-chewed bits.  NOT good enough, NOT right now.

    @IE Team:

    The new information is, of course, appreciated.  It is one of the things that we’ve been asking for.  You get a couple points for re-opening communication.  BUT, it isn’t the thing(s) that we have been relentlessly requiring of you.

    Please provide information regarding IE8 and its level of standards compliance.  Hell, even an incomplete list will do.  Just say, here’s where we expect the standards compliance to be, but that it’s not guaranteed, it’s an approximation.  More to come.  Other features tba.

    Just something! and keep it coming!

  18. content n-a-z-i says:

    @reid:

    He said NOTHING even remotely close to what you say he did.  All he is saying is that the IE team should be answering 500+ people’s (read: DEVELOPERS) questions.

    no way – why should mob rule win? i say to the ie team hold out. don’t give in. i understand what your doing and why.

    let the info out when your happy to, i’m down with that!

  19. Tim D says:

    IE 7 and Messenger have quit working (unable to display and unable to diagnose).  Only managing to connect with Firefox.  I thought it was the update but can’t see why that would change anything.  Anyone else experiencing this? Maybe it’s a Vista thing.

  20. Chris says:

    I am really confused. I thought Microsoft is supposed to be this great world wide business of all sorts of "innovation" (ha i still laugh at it whenever i hear of MSFT referring to that). So here is another comment basically informing you guys to just do a job. We are all sick of supporting your broken IE6, but hey congratulations on the success :-/ you have with IE but I guess you guys are just waiting for Santa Claus to come fix the stuff that is broken rather than taking it upon yourselves. I mean seriously what do they pay you guys with peanuts…or do you just think working at microsoft you’re entitled to just be ego snobs because your former boss bill was able to convince millions of naive people to use his browser when everyone with a brain about the internet knows you just screw it up.

    Good Job Team, can’t wait for "IE Forever Edition" to come out.

    In all seriousness our government seems more open than you guys, and that is well ironic to say.

  21. Pedro Melo says:

    having the same problem as Tim D.

    After this installation IE7 and messenger quit working, that is no access to the internet.

    Firefox works fine.

  22. Paul M says:

    Just got auto updated and IE stopped working!

    Is this your idea of progress?

    Connection Diagnostics show no problem. Firefox works, so no actual connection problem.

    That’s what I call security!

    Now I see that I’m not the only one.

    Time to find out how to undo the update.

  23. grandpa59 says:

    Regarding problems with IE 6, after latest update. Delete update KB942615 and you will be fine with Yahoo messenger and IE 6 crashing.

  24. grandpa59 says:

    Forgot to mention, IE7 in my Vista Home Premium laptop working fine with that update. My two Media Center 2005 towers were crashing (IE 6), after uninstalling that update they are working fine again, hope MS do a patch.

  25. Joe Auerbach says:

    I just applied the latest patches to IE6 on an XP SP2 machine, and IE keeps crashing. When I Googled the error code (same numbers for the accessing instruction and the address being accessed), I got only 1 English-language hit, and that was from last July. I’ll try removing 942615 & see what it does for me

  26. @Joe and grandpa59

    Yes, there seem to be some crashes of IE6 running in Windows XP SP2 related to the urlmon.dll. See also the following thread in the Windows Update-Newsgroup regarding the issue and trying to find some workarounds:

    http://groups.google.com/groups?threadm=eOtTaEJPIHA.4912%40TK2MSFTNGP06.phx.gbl

    Bye,

    Freudi

  27. @Paul M

    You’re running IE7? If true, you may find http://support.microsoft.com/kb/942818/en-us useful in finding the real culprit.

    Bye,

    Freudi

  28. Oliver says:

    @ John A. Bilicki III

    Thanks for the handy hint on conditional comments.  Always nice to be condescended to, always a hoot to have to write extra code because a browser is defective.

    @content n-a-z-i

    > "i understand what your doing and why."

    I’m impressed that you understand what the IE team is doing.  What baffles me is how you do it: they haven’t said anything about what they’re up to, despite repeated requests.

    > "why should mob rule win?"

    For the same reason we all have to put up with IE in the first place: if your customers need support it’s only professional to give it.

  29. @ Oliver

    You’re welcome. The IE blog never helps designers by reminding them about conditional comments. I’m the only Designer who ever actually reminds other designers about them and we’ve had them since IE 5.0.

    Does this mean we should continue having to rely on conditional comments? No it’s ridiculous, but so isn’t everyone complaining on the blog with links to their homepages that still use hacked style sheets.

  30. This update effectively disabled my Internet connection, since it set the default gateway to 0.0.0.0 (in addition to keeping my gateway as number two on the list when running ipconfig /all). However, the Windows control panels showed no problems.

    Details on my blog; http://vega.rd.no/article/vista-update-kb942615-can-disable-your-connection

  31. This update effectively disabled my Internet connection, since it set the default gateway to 0.0.0.0 (in addition to keeping my gateway as number two on the list when running ipconfig /all). However, the Windows control panels showed no problems. This only happened on Vista x64, didn’t see it on my laptop running Vista x86.

    Details on my blog; http://vega.rd.no/article/vista-update-kb942615-can-disable-your-connection

  32. Jeff F says:

    My IE7 had updates automatically installed and I cannot get to the internet as well.  Everything looks fine and I am able to ping other web site from my DOS window.  It looks like I am getting a DNS error through IE.  As it looks like this was a problem back in the Aug updates (which I did not experience) they should have had this fixed.  The only Firewall I have is the windows based Firewall.

  33. Reid says:

    content n-a-z-i wrote:

    """

    no way – why should mob rule win? i say to the ie team hold out. don’t give in. i understand what your doing and why.

    let the info out when your happy to, i’m down with that!

    """

    This is NOT mob rule.  It’s just common sense and pretty much the only business model that works.  As in, if you screw your developers, or completely ignore them, they’ll go elsewhere.  But, if you listen to them, and answer questions, then they’ll stay.  Doesn’t have to be all of them, but the IE Team has to at least acknowledge that Web Developers exist.

    Btw, I’d (and I imagine we) would appreciate if you’d stop making strawmen:

    http://en.wikipedia.org/wiki/Strawman

  34. Bill B says:

    I just removed this update because after installing, I could not get IE to work.  It seems to have removed IE’s ability to use DNS.  Using WireShark to sniff out packets, the computer would only use netBIOS for name resolution.  No DNS queries from IE at all.

    NSLOOKUP, PING, FTP, Remote Desktop all worked fine.  What a mess!

  35. Jim says:

    Seems this problem is widespread and needs to be addressed.  I’m fully for keeping things secure but having a business which now is running at 50% due to ie errors all day long for practically all our staff and also having the same issues on my home laptops after this update must mean this ain’t right or acceptable?

    Does this mean if someone finds another security hole somewhere MS can come along, take evasive action and disable ie altogether via updates?  

    Kinda not 2 happy right now!

  36. Andrey_Ra says:

    Same effect guys, IE7 on Vista x86 + 942615 update = DNS Errors.

  37. flip says:

    xml4 and 3 are autoupdating and never stopping

    stupid

  38. Nearly_X_IEUser says:

    How about making the thing work, or, perhaps, better still, allow me to remove it all with one click?

    *****

    Last diagnostic run time: 12/15/07 18:30:07

    Network Adapter Diagnostic

    Network location detection

    info Using home Internet connection

    Network adapter identification

    info Network connection: Name=Local Area Connection, Device=VIA Compatable Fast Ethernet Adapter, MediaType=LAN, SubMediaType=LAN

    info Network connection: Name=Local Area Connection 2, Device=Motorola SURFboard SB5101 USB Cable Modem, MediaType=LAN, SubMediaType=LAN

    warn This machine has more than one Ethernet or more than one Wireless adapter

    info Redirecting user to support call

    info Redirecting user to support call

    HTTP, HTTPS, FTP Diagnostic

    HTTP, HTTPS, FTP connectivity

    warn HTTP: Error 12029 connecting to http://www.microsoft.com: A connection with the server could not be established  

    warn HTTPS: Error 12029 connecting to http://www.microsoft.com: A connection with the server could not be established  

    warn FTP (Passive): Error 12029 connecting to http://ftp.microsoft.com: A connection with the server could not be established  

    warn HTTP: Error 12029 connecting to http://www.hotmail.com: A connection with the server could not be established  

    warn HTTPS: Error 12029 connecting to http://www.passport.net: A connection with the server could not be established  

    warn FTP (Active): Error 12029 connecting to http://ftp.microsoft.com: A connection with the server could not be established  

    error Could not make an HTTP connection.

    error Could not make an HTTPS connection.

    error Could not make an FTP connection.

    *****

    Yours,

    Nealry X IE User.

  39. ahmed says:

    Hello,

    i was using ie7 and everything was fine, then i installed the cumulative security update and now ie7 doesn’t work and each time i go to a webpage it says,

     Internet Explorer cannot display the webpage

      Most likely causes:

    You are not connected to the Internet.

    The website is encountering problems.

    There might be a typing error in the address.

      What you can try:

        Diagnose Connection Problems  

        More information

    I am using ie7 on a tablet pc with vista business. i downloaded safari for windows and it is working, why not ie7?????

    thanks

  40. Pat says:

    I had the same problem. I went through all diagnostics, tested my wireless connection, cable line connection- all worked. That’s when I realized that it was IE. Then I looked at recent updates. Sure enough, this one came through just before IE stopped working, so I removed it and what do ya know- IE works again.

    What’s going on? Are we missing something?

  41. Nearly_X_IEUser says:

    OK fixed it,

    I had 2 firewalls running (Sygate and ZL) (one not obviously – ZL). Shut that one down and now all is fine.

    There should still be an easier uninstall or better diagnostics.

    Yours,

    Nealry X IE User.

  42. Laura says:

    PROBLEM:

    "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

    "AppName: iexplore.exe AppVer: 6.0.2900.2180 ModName: urlmon.dll"

    SOLUTION:

    http://support.microsoft.com/kb/942367

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTECT_DECOMPRESSION_FILTER_FROM_ABORT_KB942367]

    "*"=dword:00000001

  43. Thanks for the links :). They are very helpful.

  44. pjb says:

    Had to uninstall update to re-enable web access via IE7 on Vista. Thanks for the link Freudi (http://support.microsoft.com/kb/942818/en-us) – checked Symantec site but no mention of update for updated IE7 file signatures.

  45. Araba Resimleri says:

    I didn’t like Vista either, I didn’t like IE8 at all, and I don’t care about its security either ..