IE August Security Update Now Available


The IE Cumulative Security Update for August 2008 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses six remote code execution vulnerabilities. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles the error resulting in the exploitable condition. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all supported versions of Internet Explorer. This security update is also available for Internet Explorer 8 Beta 1 for Developers on Windows Update.

IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments (66)

  1. Anonymous says:

    What about KB938127? Still gonna leave XP SP3 IE 7 users unprotected by not releasing an updated installer that would install on XP SP3?

    Just to clear anyone that thinks KB938127 is included in XP SP3, only the IE6 version of it is included. If you install IE7 7.0.5730.13 on XP SP3 (the only version that can be installed, the first IE7 release for XP SP2 won’t install on XP SP3) you’ll be left unprotected and vulnerable because IE7 installs an older dll version of vgx.dll (7.0.5730.13) & MS refuses to update the KB938127 patch installer to install newer patched vgx.dll (7.0.6000.20628) on XP SP3.

    This issue has been reported since APRIL 2008, before XP SP3 went final. This is beyond ridiculous.

  2. Anonymous says:

    …"All of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer."…

    Isn’t this the same line with every IE update?

    Re-worded.

    "Merely surfing in IE CAN completely compromise your PC"

    Wow!, so glad I don’t use IE.  Tying it to the OS was ***THE*** biggest mistake ever.

  3. Anonymous says:

    geneva– if the other browsers were honest, every one of their updates would say the same thing.  

    "tying it to the os" has nothing to do with it.  at least with ie on vista you have protected mode.

  4. Anonymous says:

    If you don’t use IE, this blog is irrelevant to you.

    Why waste bandwidth posting a comment on something irrelevant?

    Does this update apply to IE8b1?

  5. Anonymous says:

    even if one does not use ie for browsing a lot of ppl have to test their sites in it

    me i use Firefox all the time but still use ie to test sites

  6. Anonymous says:

    Please…stop sending PDFs in the newsletter, it’s really obnoxious, no less than having to wait forever for any other Adobe program to finish loading.

    Also none of the Microsoft websites remember my password…EVER except for hotmail…and I don’t use hotmail for email!

    I just received some notification on MSN Messenger, and because Microsoft sites don’t remember my password *NOR* tell me once signed in where I can view the message I suppose I appear to be ignoring people.

    …and because Microsoft’s marketing department can’t make up its mind (MSN, Live, whatever will be used in conjunction with Windows 7, etc) I’m not sure where to find this notification.

  7. World says:

    Very important security update is now available. Great work. Thanks a lot.

  8. Anonymous says:

    the security update appears to be causing a problem, where ie can’t properly find the dns for common sites.  I have tried random computers at different locations and once the patch is installed these dns problems appear.

  9. @spencer

    Which IE version are you running on which Windows version?

    What’s the exact error message?

    Which "security applications" are running in the background?

    Did you verify that http://support.microsoft.com/kb/942818/en-us is *NOT* the cause of the issues you’re seeing?

    Bye,

    Freu"No issues as of now"di

  10. Anonymous says:

    I reported the KB938127 issue four months ago and there was still not any update yet. Even though WMP 11 gets better treatment where updates are extended to offer to XP SP3. So where the hell is the updated KB938127 for IE7 for XP SP3? Will you release it within 2008, or maybe before 3008?

  11. Anonymous says:

    @mocax

    I would love to not use IE in any occasion in the future.

    Unfortunately, due to IE’s proprietary and non-standard compliant codes, IE is going to stick around to render those pages infested with IE….

    And not to forget Windows Update site…

    Sad but true fact >_<

  12. Anonymous says:

    ""tying it to the os" has nothing to do with it.  at least with IE on vista you have protected mode."

    Read the advisory: IE7 on Vista has ‘HTML memory corruption remote code execution’ rated ‘critical’ like in XP – meaning that Protected Mode protected nothing in that case. The only OSes not rated ‘Critical’ on that vulnerability are server OSes, that prevent running Jscript code in ‘Internet’ zone.

    Workaround: don’t run Jscript outside of Limited User or Guest accounts.

    Reading the Secunia advisory hints at… Lousy dynamic DOM handling. Fixing took 4 months since ZDI discovered a bug that corrupts memory when one constructs a table through DOM methods.

    I wonder: would actually updating (let’s make it "overhaul") IE’s DOM engine be one way to prevent such vulnerabilities? I dunno, at the same time we could get dynamic DOM 1 and some DOM 2 support, and some W3C event model support?

    Nah. It would allow AJAX programmers to create web apps running with the same code on most browsers. We can’t have that.

  13. Anonymous says:

    "meaning that Protected Mode protected nothing in that case"

    Bad summary.  Correct meaning is that Microsoft doesn’t pretend that Protected Mode is a panacea.  Remote code execution, even with limited privileges, is considered critical.  The reality is that such exploits are significantly more dangerous in non-Protected Mode applications (e.g. every other browser).

    Anyone who knows anything about software development knows that simply rewriting code doesn’t result in fewer bugs.

  14. Anonymous says:

    All right, and today release IE8b2 😉

  15. Anonymous says:

    @mocax,

    Define ‘use’?

    Do I use IE for casual use? No.

    Do I use it for my initial developing? Again no, but part of the reason for this is that the IE7-IE8’s Javascript debugger crashes on my Vista Business edition. I have to load up the MS provided VirtualPC images if I want to debug ANY version of IE. Yes, I should be doing this for IE6, but I shouldn’t have to do this for anything else because I should be able to use the JavaScript debugger on my copy of IE8, which I should be able to turn into IE7 rendering mode.

    Does anyone know how to replace the IE8 JavaScript debugger with Visual Web Developer? I’ve got that installed on my IE6 and IE7 VMs and am in love, but something seems off when trying on my work machine here.

    Is IE8b2 still on schedule for this month?

  16. geldlening says:

    I’m glad these remote code execution vulnerabilities are resolved. Infection would be just too easy..

  17. Anonymous says:

    @Tester

    Microsoft is working on patching this vulnerability and should release a patch very soon.  

  18. Anonymous says:

    @John A. Bilicki III re: the PDF in the newsletter.

    Quite true, but PDF is Waaaaaaaaaaaaaaay better than sending a proprietary Word format document like they did previously.

    PS if you are using the Adobe PDF viewer, you are right, it is slow as molasses.  Use a better viewer.

    As for the others, no, tying to the OS is a bad thing (has been discussed and proven on this very blog many times).

    As for the other browsers, no, they are more secure by design.  There is no JavaScript commands for "get me all directories, drives, files, etc.".  Only IE naively support JScript, which opens up a can of worms with this kind of access in a script layer designed for UI interaction.

  19. Anonymous says:

    >tying to the OS is a bad thing (has been discussed and proven on this very blog many times).

  21. Anonymous says:

    >tying to the OS is a bad thing

    You obviously don’t know what you’re talking about. ALL browsers are tied to the OS they run on. Try to run the Mac version of Safari on Windows, or the Windows version of Firefox on Mac.

    > proven on this very blog many times.

    Lie.

    > As for the other browsers, no, they are more secure by design.

    Lie.

    >  There is no JavaScript commands for "get me all directories, drives, files, etc.".  Only IE naively support JScript, which opens up a can of worms with this kind of access in a script layer designed for UI interaction.

  23. Anonymous says:

    >tying to the OS is a bad thing

    You obviously don’t know what you’re talking about. ALL browsers are tied to the OS they run on. Try to run the Mac version of Safari on Windows, or the Windows version of Firefox on Mac.

    > proven on this very blog many times.

    Lie.

    > As for the other browsers, no, they are more secure by design.

    Lie.

    > There is no JavaScript commands for "get me all directories, drives, files, etc.".

    IE does not include such commands either.

    > Only IE naively support JScript

    Lie. ALL web browsers natively support ECMA262, the formal name for Javascript/JScript.

  24. Anonymous says:

    Jacob,

    Firefox is perfectly capable of reading files from your drive, writing them, running other binaries, etc through the XPCOM JavaScript interface. By flipping "signed.applets.codebase_principal_support" to "true", code can prompt the user to grant it rights to do those things (and it didn’t look like the system had much thought put into it either – which is why it’s a good thing by default they keep it off).

    "if you are using the Adobe PDF viewer, you are right, it is slow as molasses.  Use a better viewer."

    It’s gotten much better with load time from my experience (version 8.x, need to upgrade to 9.x). After the initial installation and load, it runs fairly quickly. I would recommend anyone that is using it turn off the JavaScript capabilities in Adobe Reader. If I need the JavaScript functionality for a specific PDF I trust, I’ll allow it then. Whitelisting > Blacklisting.

  25. bcthanks says:

    > As for the other browsers, no, they are more secure by design.

    Other browsers are *designed* to be more secure, if only because IE is a perfect example of how pathetic a browser can be.

    ActiveX controls are a perfect example. There are so many poorly written ActiveX controls – many of them by 3rd parties (look at Intuit’s stuff). Who was the idiot that designed IE to host *any* ActiveX control?

    Why is it only recently that IE7 disallows ActiveX controls by default? Why was the Add In Manager added to IE6 three years after its initial release, well after so many ActiveX controls were found to be exploitable? Why is it that there is yet another ActiveX Kill-Bit update this month – because more exploitable controls were found?

    Why aren’t all ActiveX Kill-Bits set by default?!? The commercial software industry has proven it is incapable of writing reliable software, so why is code trusted by default?

    IE was designed for a trusted environment. It is definitely not designed to be security conscious.

    Now, whether other browsers are more secure in practice is another question. Just because Firefox is designed to be more secure does not automatically mean it is more secure – good programmers still make mistakes.

    But it certainly helps to start with a secure *design*

  26. Anonymous says:

    "Why aren’t all ActiveX Kill-Bits set by default?!?"

    That’s like asking why Firefox doesn’t disable all extensions by default.  Or asking why Windows doesn’t just refuse to run installed programs by default.

    The default is that the ActiveX control isn’t even installed.  AFAIK, firefox does not have an equivalent — although they do offer a somewhat unified secure update channel for extensions.

    Not to mention that this would require 2^128 entries to cover every possible CLSID.  I’m not entirely sure there’s that much hard drive space in the world.  The point of ActiveX killbits is for a vendor to give up the trust that the user granted by installing the ActiveX control when the vendor decides that its software no longer deserves that trust.

    What specifically is the design flaw in security here, that is not applicable to Firefox 3?  Security flaws in the original release of IE6 aren’t really germane to the topic any more than security flaws in Netscape 5 are to FF3.
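
The per-CLSID kill-bit mechanism argued over in the two comments above, as an added example that is not part of the original thread: a kill bit exists only for CLSIDs that have been explicitly listed, so an audit compares a list of controls you want blocked against what is actually registered. The registry key and the `0x400` flag are standard Windows behaviour not stated on this page; the CLSIDs and the `.reg` text are constructed sample data.

```python
import re

# Registry key under which IE stores per-control compatibility flags
# (standard Windows location; not quoted on the page).
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that stops IE instantiating the control

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SECTION_RE = re.compile(r"^\[(?P<path>.+)\]$")
DWORD_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{1,8})$',
                      re.IGNORECASE)

# Constructed sample of a .reg export; the CLSIDs are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000C00
"""


def parse_compat_flags(reg_text):
    """Return {CLSID (upper case): Compatibility Flags} from .reg export text."""
    flags = {}
    current = None  # CLSID of the section being read, or None outside the key
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            parent, _, leaf = section.group("path").rpartition("\\")
            if parent.lower() == KILLBIT_KEY.lower() and CLSID_RE.fullmatch(leaf):
                current = leaf.upper()
                flags.setdefault(current, 0)  # entry exists, flags not seen yet
            else:
                current = None
            continue
        value = DWORD_RE.match(line)
        if value and current:
            flags[current] = int(value.group("hex"), 16)
    return flags


def audit(reg_text, required_clsids):
    """Classify each CLSID that should be blocked by what the export shows."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in required_clsids:
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = "no entry"                # control is not blocked
        elif value & KILL_BIT:
            report[clsid] = "kill bit set"            # IE will refuse to load it
        else:
            report[clsid] = "entry without kill bit"  # other flags only
    return report


if __name__ == "__main__":
    wanted = [
        "{11111111-1111-1111-1111-111111111111}",
        "{22222222-2222-2222-2222-222222222222}",
        "{33333333-3333-3333-3333-333333333333}",
        "{44444444-4444-4444-4444-444444444444}",
    ]
    for clsid, status in audit(SAMPLE_REG, wanted).items():
        print(clsid, status)
```

A real `reg export` file is UTF-16 encoded, so open it with `encoding="utf-16"` before passing the text to `audit`.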

  27. Anonymous says:

    Wonder why so many Anti IE people are making comments, do they have nothing better to do?

  28. Anonymous says:

    I guess I’ll have to wait for the second beta, because some of the sites I work with are still displaying very weird in IE8 and security updates won’t help it…

  29. Anonymous says:

    @SPARTAN

    Actually, I would prefer IE out of sight and replaced with another piece of software designed specifically to download MS files (Like Windows Update).

  30. Anonymous says:

    @I can’t see

    In Vista, you don’t need IE to download Windows updates. What other MS files are there?

    @MS Team (IEBlog): Any news regarding when Beta 2 will come out? Every time I look at the blog and don’t see the news I’m getting sad!^^

  31. Anonymous says:

    @Daniel

    I am not using Windows Vista and will not plan to use Windows Vista in the future. I got dozen of friends who will not be swayed by MS marketing.

    I am anticipating the upcoming Windows 7. And for Windows Vista, forget about it. Treat it like Windows ME.

  32. Anonymous says:

    @I can’t see:

    I thought so, I just wanted to mention that IE is absolutely going to be unnecessary as soon as one leaves WinXP for a "newer" OS.

    Except that you should still update it as it’s a big part of the OS anyway…

  33. Anonymous says:

    @I can’t see

    judging from the existing shots of Windows 7, it will just be the Windows ME for Vista’s win98. Full with even more gadgets and relatively useless stuff you won’t even use.

  34. Anonymous says:

    @Daniel

    Thanks for sharing your thought.

    IE is going to be around as long as some sites are best viewed with IE (No kidding, the official websites of our government still displayed "best viewed with IE 5.5 or above").

    And some users have not full knowledge of How web worked. Instead, they blamed webmasters for designing a website not fully compatible with IE. Uh?

  35. Anonymous says:

    August 14th…………..

    RELEASE IE8!!!!!!!!!!!!!!!!!!!

  36. Anonymous says:

    It seems Ted has it out for me…

    I’ll cite:

    [Ted’s]

    "meaning that Protected Mode protected nothing in that case"

    Bad summary.  Correct meaning is that Microsoft doesn’t pretend that Protected Mode is a panacea.  Remote code execution, even with limited privileges, is considered critical.  The reality is that such exploits are significantly more dangerous in non-Protected Mode applications (e.g. every other browser).

    [/Ted’s]

    My summary is adequate: in _that_bug’s_case_, Protected mode didn’t mitigate memory corruption consequences and arbitrary code ran with current user’s rights. Since the rating is similar for WinXP and Vista, I’d say that UAC was also bypassed (UAC must consider that Jscript code running outside Protected mode is valid and doesn’t warrant user confirmation).

    Meaning that, _in_that_case_ of HTML object memory corruption, successful parsing and execution of the exploit led to running unauthorized code in user’s context: Protected mode was powerless in preventing what is basically a privilege escalation exploit. A Vista user account is still running in full Administrator mode, with active prevention made by UAC (but UAC seems bypassed in that case): it’s bad. Critical, even.

    Mitigation comes in 2 forms:

    – disable Jscript engine: the exploit code can’t run. You may want to forget about browsing with IE6 there, though, and IE7 will be incredibly crippled.

    – run the Javascript engine completely in user space, said user space having only limited rights: the engine has to have no link with system or kernel space outside of minimum APIs (like, GUI functions, keyboard and mouse I/O, and top-level TCP/IP): limited user accounts would be safe; too bad almost no app can run in that mode, eh? IE’s Jscript engine can’t, at least. Firefox’s and Opera’s can, though.

    Unaffected browsers are ones which had just undergone heavy DOM rewrites (IE5 DOM 1 vs. IE4’s DOM 0) or have a constantly improved DOM engine (IE6 and IE7 have the same DOM engine).

    It would thus stand to reason that if the IE team decided to finally have a look at that 8 years-old part of the code base (IE6’s DOM engine, unchanged in IE 7), to implement dynamic DOM 1 and DOM 2 for example, similar bugs would become apparent – and be fixed.

    A complete code rewrite doesn’t fix bugs, it replaces bitrotten code with buggy brand-new code. A code review and refactoring leads to improved functionalities and less bugs (see IE 7’s CSS engine and URL parser for 2 examples). That’s why, considering the relative success the IE team had with IE7, I wonder when a DOM code review will come.

    And no, Ted, not all browsers are tied to the OS they run on: nothing prevents you from writing a browser that uses its own low-level API to draw its interface, that takes ownership of I/Os and implements its own TCP/IP stack on its own network card driver.

    There is, however, a difference between a browser like IE which runs several of its components as core OS processes (UI elements, script engines, resources parser…) through closed, dedicated methods  and a browser that merely makes use of what the OS publicly provides all applications: devices input, screen output, and the public part of a TCP/IP stack, but implements its own parsers, script engines and interface elements.

    For example, for Opera and Firefox, the same code runs on Windows 2000, XP, 2003, Vista and 2008; there are different IE builds for each of these, and IE7/Vista won’t run on XP – and vice-versa, due to added or deprecated private methods. Moreover, an IE port to another OS than Windows can’t be done, due to the lack of basic Windows structures – while the same code base is used for Opera and Firefox on Windows, UNIX and mobile devices.

    As such, yes, IE is completely tied to Windows. Other browsers aren’t as much.

  37. Anonymous says:

    @I can’t see:

    That’s not the worst on the Web. Some people are still using Netscape 4…

    Happily, here in Germany we got laws that enforce government websites to be more accessible. These are also partially taken into account in some commercial websites.

    Besides, Firefox got over a third of the market share cake, so not accepting these users is quite dangerous for a website owner.

    Older browsers only get the unstyled information.

  38. Anonymous says:

    I have some questions about the IE8 newsletter.

    The letter tried to explain the statuses in the Feedback site for IE8.

    What it STILL fails to answer, is the ORIGINAL question we all had.  Why are the statuses not clear, consistent, & used properly.

    "won’t fix", "by design", "postponed" are not 3 separate "mutually exclusive" statuses.  THIS is the problem.

    A Bug can be:

     "won’t fix" in IE8, & "postponed" – (e.g. to be fixed in IE9/?)

     "won’t fix", "by design" – (e.g. MSFT feels that a given behavior is not a bug, and has no intention of fixing)

     "by design", "postponed" – (e.g. We goofed in our design, however we do plan to fix this, in IE9/?)

    etc.

    Right now, those 3 final status are actually:

    1.) Won’t Fix – "won’t fix"

    2.) Won’t Fix – "by design"

    3.) Won’t Fix – "postponed"

    There has yet to be a "Fixed" status of any kind in this database.  The third status seems only for optics… because the other 2 appear definitive.

    I sincerely hope by the Beta 2 release date, that there is a Fixed status added, and that at least some of the bugs entered will now gain this status.

  39. Anonymous says:

    Mitch74… I don’t have anything "out" for you specifically, I just dislike anyone who lies to a public that doesn’t understand the issues.  In your case, it’s hard to tell if you’re deliberately misleading, or ignorant yourself.

    <<<Protected mode didn’t mitigate memory corruption consequences and arbitrary code ran with current user’s rights.>>>

    This is incorrect, and I don’t know what led you to that conclusion.  Go read the cve.

    <<<Since the rating is similar for WinXP and Vista, I’d say that UAC was also bypassed>>>

    Again, you’re completely incorrect.  

    Microsoft rightly classified the bulletin as critical because arbitrary code, even at low, is a very bad thing.

    <<< run the Javascript engine completely in user space, said user space having only limited rights: the engine has to have no link with system or kernel space outside of minimum APIs (like, GUI functions, keyboard and mouse I/O, and top-level TCP/IP): limited user accounts would be safe; too bad almost no app can run in that mode, eh? IE’s Jscript engine can’t, at least. Firefox’s and Opera’s can, though.>>>

    Why do you continue to demonstrate that you know nothing about how operating system security operates, after others have corrected you before??  The Javascript engine doesn’t run with SYSTEM rights, it doesn’t even run with the USER’s rights, it runs with LOW rights.  

    <<<(IE6 and IE7 have the same DOM engine).>>>

    Wrong.

    <<<And no, Ted, not all browsers are tied to the OS they run on>>>

    Every browser with >0.5% marketshare is tied to the OS.

    <<<nothing prevents you from writing a browser that uses its own low-level API to draw its interface, that takes ownership…>>>

    On the contrary, every modern Operating System prevents exactly that.

    <<<There is, however, a difference between a browser like IE which runs several of its components as core OS processes (UI elements, script engines, resources parser…)>>>

    I don’t think you understand what a "process" is.

    <<<<while the same code base is used for Opera and Firefox on Windows, UNIX and mobile devices.>>>>

    I say again, go try to run Mac Safari on Windows, or Windows Opera on Mac, then come back with your tail between your legs.

  40. Anonymous says:

    Running Mac Safari on Windows… yeah, that ain’t gonna work, sure…

    But Firefox is not FUNDAMENTALLY tied to Windows.  I can UNINSTALL it for one.

    Using IE, I can open a page that will hose my PC, or at very least give me access to run arbitrary code.

    Using Firefox (at least me personally with code I can find on the net), I can’t hose my system.  I can crash my browser, hang it, but that’s about it.

    That all aside, please indicate your stand in the browser market.

    Are you working on/with Microsoft? – your comments all seem to indicate such.

    Do you develop web content for IE only? – your stance on open standards doesn’t seem very open.

    I love the Web… Applications and sites written for it, and on it.  I love Browsers.  I love IE the least (sorry, but that’s reality. It fails at the most basic things I do dozens of times every day in a browser, thus goes straight to the bottom of the heap (Netscape is above IE on my heap btw))

    So, I admit. not an IE fan.  However what is your stand? you’re obviously very pro-IE.

    thanks

  41. Anonymous says:

    @not a Ted fan:

    I don’t think it makes sense to interfere with two people’s discussion.

    Anyway, I’m also a truth-loving person.

    It is possible with Firefox (and SafariWin and Opera) to gain access over the user’s system. However the "what" is no good indicator of how safe a browser is. Neither is the number of security flaws in an application, btw.

    Another point: I wonder if it’s right to prefer Netscape over IE.

    Think back: Netscape 4 initially implemented the box model bug. And CSS in NS4 was implemented on top of JavaScript. Yes, out of Netscape’s ashes came Gecko and the Firefox. That’s great, but NS4 is nothing to prefer over IE.

    Think back: IE 5 was the first browser to actually implement the DOM. Besides IE’s CSS support has always been superior to Netscape’s in the old era.

  42. Anonymous says:

    notafan… i’m not pro-IE, i’m anti-ignorance.

  43. Anonymous says:

    Windows XP and Windows Vista Operating Systems The Windows Vista blog is reporting that Microsoft is

  44. Anonymous says:

    http://blogs.zdnet.com/security/?p=1708

    "Internet Explorer –  Remember the Safari-to-IE blended threat from April?  This vulnerability was reported to Microsoft since 2006 and, despite issuing an advisory that embarrassed Apple into shipping a Safari fix, Internet Explorer users are still exposed. Now, I’m hearing murmurings that this issue probably won’t be fixed until Windows 7.  Boo!"

    "Ghosts in Browsers — It’s been more than three months since Manuel Caballero (now a Microsoft employee) went to Blue Hat and gave the scary ghosts-in-the-browser talk.   Nate McFeters saw the carnage first hand and confirms that it affects “all browsers.”  Since then, Sirdarckcat published details on IE browser flaws that extends to both IE 7 and IE 8 beta.   Worse, they’re all still unpatched."

    "Print Table of Links (IE) – Aviv Raff’s discovery of a cross-zone issue affecting IE 7 and IE 8 beta is publicly known but, despite the availability of proof-of-concept code, there’s no fix yet from Microsoft."

    Only MS will leave their broken browser so unpatched and vulnerable for months and even years.

  45. Anonymous says:

    Scary…It seems you have to be a computer technician to understand IE 7.  And I was hopeful it would simplify and improve my use of my "home" computer system.  Time will tell if I can even use it all according to the above comments.  Maybe newer is not better.  It sure looks far more complicated than I can handle!!!  You should warn us unenlightened (home users) BEFORE we make the mistake of upgrading.

  46. Anonymous says:

    Barbara– Using IE7 is easy.  Having absurd arguments about IE with other folks who are also eager to participate in such silliness also doesn’t really require much knowledge… just make it up and throw it out there, like some of these jokers.

  47. Anonymous says:

    @Ted:

    I can run Firefox/Win on Linux, using Wine and no extra download. Doing the same with IE requires:

    – IE6 for Win98 (Win2k version can start, but won’t work well as it doesn’t update the OS for missing API calls, and must be installed with a bunch of other DLL overrides)

    – Windows script + Jscript 5.6 update

    – MS core fonts package (it will wobble and finally crash if it can’t find them)

    – DCOM98

    – several Wine registry tweaks

    – a few other dependencies I won’t enumerate here.

    And even then, it doesn’t work fully: ActiveX support is shaky at best, security zones are disabled, printing goes boom, favorites crash more often than not…

    About running a browser from an OS to another:

    I can run the Linux versions of Firefox and Opera under FreeBSD, without a compatibility layer. Oh, yes: Safari/win32 can run under Linux too.

    I will mention in passing that, considering Firefox requirements, you can run it on a Linux-based OS that:

    – has either Xfree86 4.0 to 4.4, or Xorg 6.8 to 7.4;

    – glibc 2.3, 2.4, 2.5, 2.6 or 2.7

    – linux kernel 2.2, 2.4, 2.6 (I won’t mention the 200 minor releases those cumulate, and won’t count previous ‘testin’ branches)

    The total which covers a few dozens OS releases (I don’t think there ever was an OS delivering kernel 2.2 and glibc 2.4 with Xorg 7.4, for example).

    See? A different OS with a different kernel, a different structure can run an unmodified binary from another OS version, sometimes a completely different OS altogether, in some cases without even a compatibility layer (Linux/FreeBSD); on the other hand, IE needs to be tailored for the exact build of Windows it runs on:

    – IE 7 requires XP SP2; the build may run under SP3 too, but some bugs are left unfixed

    – IE 7 for W2k3 isn’t the same package, although it’s still a 32-bit OS with pretty much the same APIs XP sp2 includes

    – IE 7/Vista offers different features than its ‘siblings’.

    Now, Firefox2/win32 can run on:

    – Win98/Me/2000/XP/2003/Vista;

    – with a compatibility layer, Linux, FreeBSD and Mac OS X;

    Opera can run on the same systems.

    Safari doesn’t run on Win9x systems, but otherwise covers the same range.

    All those browsers have native ports, from the same code base, on Windows (at least NT5+); in the case of Safari, while there is no official Linux port, Webkit is being integrated in several browsers to replace its original ‘source’, KHTML.

    An IE build can run on one (1), at best 2 Windows revisions (if you consider XP sp2 and sp3 to be different OSes – personally, I think sp3 is sp2+bugfixes). It needs recompiling to even work on these, and if history is any indication, any other platform to support requires a full rewrite (IE4/Unix, IE5/MacOS).

    If, with all this, you can still tell me that IE is no more glued to its OS than other browsers are, I would venture the guess that you’re in denial. Let’s consider other attempts:

    – IE 6 can’t run under Vista: none of its versions can, as a matter of fact, due to deprecated and removed private methods in Vista

    – IE 7 can’t run on Win2000, due to missing private methods

    – IE, any version, will work only in a crippled fashion and only if provided with a bunch of DLLs run in local from their respective originating OS and some very clever registry hackery.

    Source: MultipleIEs project.

    Now please, what did I miss? What did I ‘ignore’?

  48. Anonymous says:

    Mitch– uh, so your point is that Wine is not very good at what it’s supposed to do?  You should take that up with the Wine team, rather than implying that this has anything to do with the browser itself.

    <<IE 6 can’t run under Vista: none of its versions can, as a matter of fact, due to deprecated and removed private methods in Vista>>

    Wrong.  IE6 doesn’t run under Vista because Microsoft doesn’t want it to.

    << IE 7 can’t run on Win2000, due to missing private methods>>

    Sure, but that simply indicates that the browser takes better advantage of OS improvements, and Microsoft didn’t care to have IE7 run on Win2k, since Win2k was out of regular support when IE7 shipped.

    <<what did I miss? What did I ‘ignore’?>>

    You’re ignoring the fact that everything you’ve said so far is either incorrect, or irrelevant.  Nothing you’ve stated has any security implications whatsoever.

  49. Anonymous says:

    When I was referring to Netscape, I meant versions 7,8,9 not the 4.x era.

    My basic point is that you find fans of (Opera/Safari/Firefox) that light up like a kid in a candy store when you ask them about their favorite browser.

    I have yet to physically meet ANYONE, that "loves" IE. Anywhere.  And I’m counting back over the last 10 years I’ve worked on, and used the Web.

    You say that you are just anti-ignorance, rather than pro-IE.

    Any chance you can point out your pro-any-other-browser on this blog? Anywhere where you state, "yeah, I must admit, the bookmarks in Firefox are far superior to IE’s"… you know, that kind of truth?

  50. Anonymous says:

    @Ted: I gave sources. I verified these sources. I exposed my findings.

    To answer your comment:

    – the MultipleIEs project tried to run IE6 DLLs and subsystems under Vista. The result is that core OS parts don’t include some functions that existed previously. There is no "IE6 detects Vista or Vista detects IE6" mechanism that your "MS doesn’t want it to" answer implies; existing IE6 binaries (win98, 2k, XPsp1, XPsp2) rely on a deprecated function, thus they can’t start under Vista; 2k IE5/5.5/6 binaries for example can run under XPsp1, sp2 and sp3. If you mean that the IE team didn’t port IE6’s codebase to Vista, then you’re shifting the argument from "native binary" to "source code" portability – in which case IE loses badly to all other mainstream browsers.

    – the Wine team implemented public win32 functions required to run applications, on top of a PE-to-ELF wrapper; in fact, you could see Wine as ‘the really public part’ of the Windows API, as it is backed up by MS published documentation. Applications that don’t work with Wine very often rely on specific win32 bugs or on private functions not meant to be exposed – the same stuff that causes MS developers headaches on new Windows versions (even new SPs).

    You say I’m wrong although I provided an explanation, a reasoning, examples, cited independent third party explanations, their sources and the way to see for yourself.

    I still rest my case, you still haven’t contributed anything meaningful to the debate.

  51. Anonymous says:

    Following debug symbols for IE7 on Windows 2003 SP2 are not available from the symbol store.

    urlmon,ieframe,iexplore,mshtml

  52. Anonymous says:

    Tester: That’s what you get for still using XP. 2003 with all latest patches and IE7 is more secure.

    http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=KB938127&DisplayLang=en

    As can be seen, no updates for XP SP3.

  53. Anonymous says:

    my automatic update worked fine. The newest version is installed. thanx

  54. Anonymous says:

    Joku: Windows 2003 Server is not a client OS and anyone using it illegally as a client OS is a pirate since there’s no way anyone will pay the amount required for the legal license of Windows 2003 Server, so please shut up. I hope Microsoft will sue you for pirating Windows 2003 Server.

    And if you didn’t notice, Terry McCoy [MSFT] already said Microsoft is gonna release a patch soon. Microsoft will support XP SP3 until 2014, far longer than 2003.

  55. Anonymous says:

    hi,

    great security update 😉

    will there ever be a secure browser?

  56. Anonymous says:

    No breaches do or indeed can exist for this running under Vista!

  57. Anonymous says:

    @steveballmer: no one escapes the UAC inquisition!

  58. Anonymous says:

    One of our PCs had the automatic update and now we can’t use IE. It keeps stating "Page cannot be displayed". Is there something I can do to fix it? For the time being we installed Firefox just to be able to access the Internet at all.

    Oh, that particular PC is running on Vista.

  59. Anonymous says:

    @Lisa: This might be a problem with a 3rd-party firewall.  Please see: http://www.enhanceie.com/ie/troubleshoot.asp#firewall

  60. Anonymous says:

    Thanks a ton! I will check that out when I get home. I can’t remember what firewall is on that PC at the moment.

  61. Anonymous says:

    I work on HTMLHelp help files. Around June, opening CHMs became extremely slow. The first launch of a CHM sometimes takes upwards of 25 seconds. This is the extreme, but consistently the first launch takes at least 10 minutes. As I mentioned, we started seeing this issue sometime in June, but it has only been elevated recently. Is there something added to the June 2008 security updates (the cumulative IE fix for example) that might have resulted in this significantly slower CHM opening? We’re seeing this issue company-wide, and the security updates are the only common variable I’ve found thus far.  Any help would be appreciated.

  62. Anonymous says:

    Sorry, on that previous post I said, "the first launch takes at least 10 minutes". That should have been "the first launch takes at least 10 SECONDS".  Thanks.

  63. Anonymous says:

    @Mitch 74

    Reread Ted’s post. You’re still wrong.