IE February Security Update is Now Available


The IE Cumulative Security Update for February 2008 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. If you haven’t already, I encourage you to upgrade to Microsoft Update to ensure that you receive the latest updates for all Microsoft products.

This update addresses 4 remote code execution vulnerabilities by modifying the way Internet Explorer handles HTML and validates data, and by setting killbits for an ActiveX control. For detailed information on the contents of this update, please see the following documentation:

This update is rated “Critical” for IE5.01, IE6 Service Pack 1 on Windows 2000, IE6 on Windows XP, IE7 on Windows XP SP2 and IE7 on Windows Vista, IE6 on Windows Server 2003, and IE7 on Windows Server 2003.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Edit: Removed space in ActiveX

Comments (57)

  1. Tester says:

    Is the Vista IE7 security update already included in Vista SP1 final?

  2. Jason says:

    Since the comments were cut short on the IE8 "closer-to" standards mode, can someone from MSFT chime in here and give us a status on this?

    Needless to say, there were several development communities that:

    A.) Did not like this approach

    B.) Were unclear as to the approach in IE9, IE10, etc.

    C.) Confused because the hack wasn’t even posted directly in the IE Blog

    D.) Were unsure where to submit feedback on this suggestion

    E.) Were interested in knowing when and where the public bug tracking is going to be set up so that when the IE8 Betas come out we know where to file issues and regressions

    F.) Suggested other triggers/concepts (e.g. Legacy Rendering button) that got no comments from MSFT.

    In addition, THERE WAS ZERO clarification on what this mode included in terms of CSS fixes, JavaScript fixes, innerHTML fixes, and DOM fixes.  Can you please explain?

  3. Vaughn says:

    Does this IE cumulative fix the problems that were reported with MS07-069?  Does it also modify ActiveX behavior other than the kill bit update mentioned?  I’ve heard that an upcoming IE cumulative will modify ActiveX behavior, so I just want to confirm if this is it or if that is still planned for a future cumulative update.

  4. Steve Moede (MVP Outlook) says:

    Just applied the update to a couple of Windows XP desktops and the "click to activate" hasn’t been removed from IE7.

  5. Kristen <MSFT> says:

    @Tester

    Yes, the February IE Cumulative Update is already included in Vista SP1

  6. Kristen <MSFT> says:

    @ Steve Moede and Vaughn

    The "click to activate" behavior change will be broadly distributed in the April 2008 IE Cumulative Update.

    http://blogs.msdn.com/ie/archive/2007/12/11/ie-automatic-component-activation-preview-now-available.aspx

  7. gabe says:

    according to firefox places bookmark thing ive visited this site over 900 times in the past 3 months (i cant believe it)

  8. Gates says:

    Thanks for the security updates.

    However, after 666 (!!!) comments on "Compatibility and IE8", I think that you owe the community a response. Until that issue is dealt with satisfactorily, the future of IE is ambiguous.

  9. Eric says:

    Installing today’s Cumulative Security update undoes the effects of the "IE Automatic Component Activation Preview".

  10. Eric says:

    Installing today’s Cumulative Security update undoes the effects of the "IE Automatic Component Activation Preview".  Additionally, the Component Activation Preview cannot be re-installed, even after un-installing (it says "This update does not apply to this system").

  11. Alex says:

    I’m with Jason, gabe and Gates.  Where’s the update on IE8?

    It took months of *itching and moaning for you guys to even acknowledge major members of the community telling you that you were ignoring us, and Molly to talk to Bill Gates to get the hat to finally drop!

    When Bill leaves MS, are we going to shut down this Blog because no one will be motivated to open the discussion with the community?

    I’m sick and tired of this garbage!  Announce when the first IE8 Beta will be available, Announce what ***EXACTLY*** is fixed (or better yet slated to be fixed) with IE8s almostStandards mode, Announce the !@#$%ing Bug Tracking details already! and most importantly Announce who is currently the moderator of this Blog because they need to step up and keep this blog open.  Shutting down the last active post is POINTLESS!

    Is IE8 going to be on XP?, is IE8 going to support SVG?, is IE8 going to support XHTML PROPERLY?

    DOM Fixes?!?! is .getElementById( ) going to FINALLY BE FIXED? – the excuse for leaving it out of IE7 was LAME at best and won’t be tolerated for 2 releases.

    How bout .setAttribute( ) – could that be any more messed up?!

    Sorry guys – but I’m absolutely fed up with the lack of info.  Telling us that an un-implemented method being fixed is NOT anything you need to worry about with investors – just let us know what is going on!!!!

    Cut the bull, cut the "Don’t Break The Web" mantra (we’re sick of it, it was YOU that BROKE it!)

    Just start posting information!  What is fixed in IE8 (in your internal builds, surely that isn’t a secret!)

    Can I add a RADIUS to a border yet? I know its only 2008 and all, but this is ULTRA BASIC functionality folks!

    Has the IE UI (chrome) had an overhaul yet? That options dialog is atrocious!

    Get on with it, talk to us, open up the monthly chats again, open up the bug tracking, and ACT LIKE A REAL WEB BROWSER DEVELOPER!

    I won’t even ask about .getElementsByClassName( ) just because every other browser is already WAAAY on top of this doesn’t mean that IE has even thought of it.

    Alex P.

  12. Anonymous says:

    I am not a Microsoft employee, but:

    @Jason:

    B.) Were unclear as to the approach in IE9, IE10, etc.

    This was answered.  If it says IE9, then IE8 uses IE8 mode as its best effort.  "edge" means infinity, basically.

    F.) Suggested other triggers/concepts (e.g. Legacy Rendering button) that got no comments from MSFT.

    Actually, it did get comments, but it’s kind of buried in there, and some further answers are only to be found on cwilso’s personal blog.  There is a) doctype switching for future doctypes (like HTML5), b) a registry setting to force standards mode, and c) a UI setting that forces standards mode.  None of these are real solutions for average joe user accessing the sites on the web today, so existing doctypes continue as they were in IE7 unless you do one of these things to override and opt-in to standards.

    @Alex

    "or better yet slated to be fixed"

    They have specifically stated that they aren’t going to announce anything anymore until they have working code, so that’s not likely going to happen.

    "What is fixed in IE8 (in your internal builds, surely that is n’t a secret!)"

    Apparently it is.  I doubt the IE team is cackling in a cave full of half-eaten children, proud of themselves for pissing you off with lack of non-secret information.

    Don’t have answers for the rest of it any more than anybody else does.

  13. Al Billings says:

    Firefox 3 Beta 3 is also available today. If you’re tired of the lack of news around IE8, come take a look at the beta of Firefox 3.

    The announcement is here: http://developer.mozilla.org/devnews/index.php/2008/02/12/firefox-3-beta-3-now-available-for-download/

  14. Ron says:

    Wait for Mix in March, there’ll be lots of IE8 news then.

    I don’t know why we have to wait though…

  15. Tom says:

    Thanks Al Billings!

    I’m already a Firefox user, but Firefox 3 looks even better!

    and yes I too am tired of waiting for IE news. too bad you and Dave left.. Image and public relations for IE went severely downhill after your departure.

    Maybe by IE9/IE10 they’ll get some new management in that cares about the developer community?

    I’d pay to see Ballmer do an "IE Developers!, IE Developers!, IE Developers!, IE Developers!, IE Developers!, IE Developers!" enthusiastic speech at Mix08, but without some serious attitude changes in the IE team I doubt IE will ever regain its Image.

  16. Ron says:

    > attitude changes in the IE team

    Don’t blame the team, it’s the good-for-nothin managers that are holding the IE team back.

  17. anphanax says:

    "Cut the bull, cut the "Don’t Break The Web" mantra (we’re sick of it, it was YOU that BROKE it!)"

    I don’t think the blame can be placed on anyone alone for that problem.

    Netscape introduced quite a bit of non-W3C-standard tags (a few of which are now standard): NOBR, WBR, CENTER, FONT, BLINK, ILAYER, LAYER, FRAME, FRAMESET, EMBED, SCRIPT, NOSCRIPT, NOLAYER, NOFRAME, NOEMBED.

    They had their own DOM which thankfully is dead (document.layers). Now you just need to work on making sure document.all does not work in almost-standards mode (last I checked it was slower than document.getElementById(), so there is not really a good excuse to use it in new code).

    They even tried their own style sheet language (JSSS – JavaScript Style Sheets), but it did not last long.

  18. Khristopher says:

    It seems that installing today’s updates made "Click to activate" return after installing that previous update to get rid of it.

    I tried installing that update again, to see if I could get rid of it again, but it still won’t work. So today’s updates must have broke it or something.

    Back to "click to activate" again for me 🙁

  19. Chad Grant says:

    Great, but I stopped using IE. FYI

  20. Al Billings says:

    Well, I appreciate the comments about me and Dave.

    I’m really not sure what is going on with the blog here these days. I speak to a few IE people on occasion still (like Chris Wilson) but a number of my closer friends and colleagues that I used to work with have either left the team since IE7 shipped or left Microsoft entirely. So, I don’t have a lot of insight into current goings on (which I am sure is probably fine with people since I work on the Holy Browser now).

    That being said, the blog certainly does seem to lack a certain personality now. I’m not sure if it was always that way and I just now have an outsider view but there was originally a goal that the blog not simply be a PR vehicle. Announcements of current patches and little else don’t exactly lend themselves to a lot of community.

    I don’t even run IE as a browser much anymore. My home machine is a nice "cheesegrater" Mac Pro and my laptop is a Dell running Ubuntu (viva la revolucion!).

  22. After applying the cumulative security updates for IE7 or IE6 (KB944533), you may want to download and install KB947518: http://support.microsoft.com/kb/947518/en-us

    Bye,

    Freudi

  23. Oh yeah! says:

    Click to Activate is now back!?!?!?!

    Thanks a lot, that was a real smooth move!

    Every day I end up using Firefox more and more.

    (cough, "the Holy Browser")

    Yeah, it is a bit of a religious experience when you move on to something so much better than IE and your eyes glaze over and you ask yourself. "Why did I wait so long to switch! I have seen the light!"

  24. Disappointed says:

    It would be valuable to the community for Microsoft to explain why, after years of IE critical security bugs and the “Trustworthy Computing” initiative, there are still so many vulnerabilities in this product family? Is Microsoft aware of the cost to the end user of monthly patch/reboot cycles? Do they realize, as a result of these monthly patches, that most of your OS’s, and resident applications, haven’t been able to stay up for over 30 days for years now?

    Wasn’t the goal of Gates’ Security initiative to require architects to reconsider the basic architecture which left all these avenues of attack open?

    What happened?

  25. Is this fixed in IE8? says:

    Is this bug fixed in IE8?

    http://msdn2.microsoft.com/en-us/library/ms536437(VS.85).aspx

    document.getElementById() is broken in MSIE

  26. Dusha says:

    After installation of recent security updates IE7 refuses to connect to any server.

    LAN, ICQ, Firefox are fine.

    Operating system is XP SP2.

    Uninstallation does not help – IE6 does not connect as well now. Reinstallation is also useless.

    Any comments from IE team?

  27. FarStrider says:

    wheres the update for vista computers i have sp1 rc1 refresh 1

  28. Thanks Al Billings says:

    Yes just started downloading it now, been mostly impressed with the beta 2.

  30. Jennifer B says:

    I am having this same issue.  It’s very inconvenient, as I am on travel.  *Please* post something helpful.

    _____________________________________________

    After installation of recent security updates IE7 refuses to connect to any server.

    LAN, ICQ, Firefox are fine.

    Operating system is XP SP2.

    Uninstallation does not help – IE6 does not connect as well now. Reinstallation is also useless.

    Any comments from IE team?

  31. n-blue says:

    Terry,

    After applying this patch, IE crashes more frequently. It crashed and restarted more than 20 times in 5 hrs of use. IE is my main browser. I am not sure why, but it seems related to the (never resolved) Adobe Flash plugin.

  32. @Dusha and Jennifer B

    See http://support.microsoft.com/kb/942818/en-us for the most likely cause of the issues you’re reporting.

    @n-blue

    Which IE version on which Windows version are you using?

    Bye,

    Freu"Whyever my previous posting didn’t came through"di

  33. Dusha says:

    No, I use Windows firewall. And I disabled the AV briefly to check.

    And the things are sometimes even more funny: at the first start I can open a site, then close IE, start again – get error message.

    Even more: open the same site in Firefox, and then at next start IE can open it again (but again only once).

  34. Dusha,

    which "AV" exactly please?

  35. I’m really looking forward to XP SP3, I presume since Vista SP1 has been shipped out XP-SP3 will get much more attention now. Ballmer needs to start screaming designers and I could go in a million directions with that. If Vista had the touch of designers or at least competent designers I’d be using it right now. I’d be able to click the cut copy or paste buttons with text labels in Windows Explorer ONCE instead of having to click once to drop down an "organize" menu and left go to not have the buttons selected but then have to make the effort to click a second time! That isn’t progress! Don’t screw stuff up that worked fine to begin with! So to that I say bring back the IE6 GUI and build on top of it for IE8. Ensure regular folks see the key things they need to ease the use of their interaction: a visible download button with the word ‘Downloads’ will be recognized by ANYONE. Who doesn’t know what a download is? Firefox fails by default but at least I can customize it after its installation. This is good consistent design and it minimizes the number of steps a regular non-tech-savvy human being has to take to achieve a goal. So say it with me! Designers! Designers! Designers!

    I also think a trigger in CSS is easier to implement especially if we’re talking about using conditional comments to include style sheets for specific version of IE (IE8) and conditional comments validate just fine.

    @ Alex, seriously the ranting doesn’t do any good because they’ve already long started fixing IE. I say give them all the time they need. Everyone hates the issues with IE, who here thinks that they’ll all be fixed in a heart beat? If there is a bug there is a work around, IE has been out for years! What are a few lousy extra months to us if it means IE is that much better of a product?

  36. Bill says:

    @John A.

    A few extra months? Sure they can fix the bugs, but we don’t feel encouraged that they will considering they’ve left us high and dry for years!

    If they posted details of:

    1.) If the IE8STDS trigger is used to trigger correct DOM implementations.

    2.) Which DOM implementations they hope* to fix

    we would all be better off.

    * By "hope", we are not asking for a firm commitment.  We are asking for information on where they are headed.  Today we code horrible hacks to try and get around all of these bugs.  I want to know that there is a glimmer of light on the horizon that this stuff will get fixed someday.

    At the moment, they don’t even acknowledge the SPECIFIC bugs that they have.  They just indicate that there are "some bugs in Internet Explorer" that they are looking into.

    I don’t want to get to the Beta/RC releases only to get: "Oh, we didn’t know that X was broken, we’ll look into that for the next release"

    and before you claim that won’t happen… be well aware it happened OFTEN when IE7 was coming out.

  37. Randall Lind says:

    Unable to install on my file server which is running XP Pro.

    I get a window popup saying can’t copy Urlmon.dll so how do I fix that?

  38. n-blue says:

    @Ottmar Freudenberger

    IE7 on Vista Ultimate.

  39. @n-blue

    Does running IE7 without AddOns prevent your IE7 on Vista from crashing? Start -> run -> iexplore.exe -extoff

    Bye,

    Freudi

  40. Dusha says:

    _____________________

    Dusha,

    which "AV" exactly please?

    _____________________

    I have Kaspersky Internet security 7.0

    Firewall and proactive defense are disabled and iexplore.exe is added to trusted zone.

  41. @Dusha

    Hm, anyway, you might want to have a look into http://support.kaspersky.com/faq/?qid=208279504 and check twice, you can’t find iexplore.exe and/or Internet Explorer in there being blocked. See also http://support.kaspersky.com/kis7/firewall?qid=208279638 and replace "Firefox" with "Internet Explorer" and "firefox.exe" with "iexplore.exe" in mind.

    HTH,

    Freudi

  42. @Dusha

    See also http://forum.kaspersky.com/index.php?showtopic=36390&view=findpost&p=326977 and section "3)I have accidentally blocked a module" in there.

  43. Dusha says:

    @Ottmar Freudenberger

    At first: thank you for your feedback!

    I’m completely lost with these problems, but it looks like I’m one of a huge crowd having problems with the new update :/

    _____________________________

    you might want to have a look into http://support.kaspersky.com/faq/?qid=208279504 and check twice

    …..

    See also http://support.kaspersky.com/kis7/firewall?qid=208279638 and replace "Firefox" with "Internet Explorer"

    ……

    And another one for Dusha:

    http://usa.kaspersky.com/support/home-support.php?selected_faq_id=208279464

    _____________________________

    I do not use KAV firewall option, it’s disabled.

    And I checked in settings – all checkmarks are green – allowed.

    _____________________________

    See also http://forum.kaspersky.com/index.php?showtopic=36390&view=findpost&p=326977 and section "3)I have accidentally blocked a module" in there.

    ______________________________

    I do not use proactive defense option, it’s disabled.

    Moreover – I stopped and unloaded KAV – IE does not connect anyway.

  44. Dusha says:

    !!!!!!!!!!!!!!!!!!

    Without comments from my side…..

    ->

    I found an option to run IE without add-ons – it did run!

    At start-up a configuration page appeared (setting phishing filter and so on).

    Now it runs.

    Could someone comment on this?

  45. @Dusha

    In case IE7 is running without AddOns being loaded, an AddOn is most likely causing the issue. Disable each AddOn (I would start with the ones not coming from Microsoft) one after the other via "Tools | Manage AddOns", restart IE7 afterwards to check whether IE7 can connect to sites. When IE7 gets connected once, you’ve identified the AddOn causing the issue. You may want to try a new version of the AddOn or uninstall the related application via Software in case you don’t think you make use of the AddOn anyway.

    I.e. some versions of Google Toolbar and/or Google Desktop Search have been causing similar issues in the past.

    Bye,

    Freudi

  46. stevenballmer says:

    The new hack for IE server encryption escalation protocols (SEEP) is now in the wild and being spread over p2p networks! This update blocks the SEEP from weeping and hackers from peeping at what you are keeping! Install now or you will be reaping this stuff from all over the internet!

  47. james says:

    @Dusha,

    Also if you find an addon causing problems – report it here so that others can benefit from your findings. 😉

    We would all hate to be blaming IE for an issue that was really due to a buggy addon.

  48. ian says:

    This error is only with IE7 I have tested on different computers

    I have used embedded pdf on my website for over 6 months with no problems. Over the last two days yahoo have been working on their servers correcting other issues. Now when I open the page on my site the pdf file opens in a adobe reader as a temp file ie acr08.temp. I know it is a server error because my other yahoo sites (different ip) where i also use pdf files in this way were working fine, until yesterday when these problems migrated to these sites too.

    http://www.casavarese.com/Italian_property.html example affected page.

    Note. in firefox page opens correctly.

    I noticed even direct links to the file do not open up in IE7

    http://casavarese.com/italian-property/varese-real-estate.pdf

    when i do a msn search and click on another sites pdf file, the files opens normally within IE7

    I contacted yahoo and their response was " IE7 must have been updated it is not our problem" they gave no answer when i asked why there was no problem with embedded pdf files on non yahoo server hosting.

    Any help or comments would be helpful, what server issue would cause pdf file to behave in this way with IE7 ?

    many thanks Ian

  49. @ian

    Which version of Adobe Reader are you using? Have you upgraded to version 8.12 lately? Does reinstalling/repairing your Adobe Reader version resolve the issue?

    Which Windows version are you using BTW?

    Bye,

    Freudi

  50. ian says:

    i changed the embedding code today, by luck i found a site that used two different ways to embed a pdf, 1 was working the other showing the same problems as mine so changed to working code..

    many thanks for your time

    admins you can remove the links if u like

  52. Elmer Fudd says:

    IE7 was working fine up until a couple of weeks ago. I’m now major peed off with the continual crashing or freezing.

    I am not alone.

    I’ve done the switch offs, switch ons, RIES, Uninstall, uninstall my BHO’s (IE7Pro & McA site adviser, then uninstalled IE7, Regcleaned, rebooted, disk clean & defrag, reboot, reg clean & manual search for all unrequired entries, reboot, reinstall 7, reboot twice (???), set up 7 send error messages, reinstall BHO’s send error messages turn off BHO’s send error messages ad infinitum.

    I’m spending more time these days sending error messages to MS than I am searching the web.

    I don’t visit risky sites (maybe here?), I would give you a list but History doesn’t work, never has in last couple of weeks, downloads minimal and scanned before opening (A.V.G.)

    Just wish I could get on with the tracking cookies I pick up off FF, I’d be gone like a shot. pity really, I liked IE7 before all this started happening

  53. one pissedoff msn user says:

    cant get to my emails via msn live login, been told MicroShite are doing a server update..

    Has B.Gates got 666 on his head somewhere…

    I cant get any answers from microsoft either!

  54. Arun Boppudi says:

    It’s good if you put the latest news and details about IE 8  on Microsoft website or somewhere else.

  55. Dusha says:

    Fine….

    I was too fast to say "OK".

    First, the trick with disabling add-ons did not work at my home PC – IE7 did not start anyway.

    Second, restarting "cured" PC (I usually leave my  business comp always on) brought the problem back – IE "can not display a web page" independently of add-ons being enabled or disabled.