IE December Security Update Now Available


The IE Cumulative Security Update for December 2008 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses four remote code execution vulnerabilities. The security update addresses these vulnerabilities by modifying the way that Internet Explorer validates parameters, handles the error resulting in the exploitable condition, and handles extra data when embedding objects in Web pages.  For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated Moderate.  Beta versions of Internet Explorer are not vulnerable. 

IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Update 12/10 – Correcting the KB article number. 

Comments (39)

  1. Eight says:

    Where’s the patch for IE8 Beta 2? No patch again, like October?

  2. jesica says:

    Bug Report: IE8B2 addressbar gets rendered twice under the following condition.

    1.) Open floating favorites center panel

    2.) Lock it open (pin)

    3.) Unlock it

    4.) You now have 2 address bars

    Workaround is to resize the browser which forces a repaint.

  3. jesica says:

    I have a question or two about Web Slices too.

    I set up a few slices on some of my pages, where something that changes fairly regularly could be "scanned".

    Setup was easy (kudos!), and I could "subscribe" to the slice very easily.

    What I found after is what confused me.

    So what I was thinking was happening behind the scenes, is that IE would store some list of slices to check, and periodically check them.  But it looks like IE stores them as full RSS feeds of the entire page (not just the slice)… as I discovered in the favorites panel (when I found the above bug).

    So, ok, the implementation is done through RSS. I can live with that, but why do the slices pollute my RSS feeds?

    The next issue, is how does the slice "know" that it is updated? does it check only the "diff" between the original slice of code, and the current slice? or is it the whole page?  The reason I ask, is that my slice content didn’t change, but the surrounding page content did, and now the slice indicates to me that changes have occurred when in fact they haven’t.

    The tooltip on my bookmark for the web slice is a bit misleading too.  It says if I click the button, it will refresh, or I can choose Open?  Clicking the button actually Opens the page and I have to right-click on the bookmark and choose "refresh" to get a refresh.

    Finally, if I make changes to the content of my slice, when IE polls the changes, I don’t seem to see that there has been an update.  Does IE only check certain content within the slice? (I realize this sounds like a contradiction with the page comment above, but it seems to be broken in both cases AFAICT)

    Ok, one more question… if my slices’ title was:

    "This is a test slice!"

    and when it is polled the next time, the title is: (same id though)

    "This has been modified!"

    Should I get the new title? or is the original title locked down for the life of the slice?

    e.g. if I was eBay, I’d likely want my title to be:

    "Garden Gnome – Last Bid:$23.75"

    Which would obviously change over time.

    thanks

  4. Donny V says:

    Look at at these performance charts.

    http://news.cnet.com/8301-1001_3-10119149-92.html?part=rss&subj=news&tag=2547-1_3-0-5

    Chrome is now almost 5 TIMES FASTER than IE 8 with javascript.

    Again, how did a company that’s never built a browser smoke you guys?

    Sorry dudes….you lost me to Chrome.

  5. Dan says:

    Donny, browsers spend relatively little time executing Javascript, as described on this blog and in various other places.  Most time is spent downloading, laying out content and so forth.  

    So, sure, you can super-optimize a tiny part of the system, but that’s the wrong way to do it.  The right way to do it is what the IE team say they’re doing: profiling what’s slow, and investing in fixing that.

    The current focus on Javascript is sorta like saying "We’re going to make cross-country travel quicker by making airplanes taxi to the runway faster."  Sure, that will sorta work, but it’s a much better idea to either make the planes fly faster, or find a way to optimize so the user need not spend so much time waiting in the airport.

  6. Gerald says:

    @Dan – that is correct, profiling will tell you where the biggest pain points are, and in return where the best places to start optimizing are.

    However, no matter how you slice it, each individual component is taking up some time, whether it is the HTTP traffic, the DOM parse/building, or the JavaScript manipulation.

    The nice thing with testing just the JavaScript is that it lets you see (compared to other browsers) how certain features perform – and in this case, the JavaScript in Gecko or WebKit based browsers obviously far out-performs Trident’s JScript implementation.

    For my sites, I add a start/finish timer to each page based on when the initial request went in, and when the requested page finishes rendering.  Comparing each browsers time diff (with and without a full cache) (Chrome, Firefox, Safari, Opera, & IE) indicates that one browser consistently crosses the finish line last.

    I’d state which one but that would spoil the surprise.

  7. gabe says:

    @ Eight

    the good news is that beta IE versions are not affected

  8. anabel says:

    what would be the new features of this update?

  9. lenen geld says:

    @anabel

    Yeah, I would like to know too!

  10. Brian LePore says:

    Just out of curiosity, how much longer does IE5 have in extended support? End of the year? 2010?

    Better yet, how much longer for IE6? :-p

  11. No cumulative ActiveX "Killbit" update this time?

    May have been a wise idea to release one setting the Kill Bit for the VB controls mentioned in MS08-070 if you’d ask me. To protect the client machines and not only those of the developers.

    Bye,

    Freudi
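    The kill bit Freudi is asking about is a per-CLSID registry flag that Internet Explorer checks before instantiating an ActiveX control: a DWORD named "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with bit 0x400 set means IE refuses to load that control, regardless of its safe-for-scripting or code-signing status. The script below is an added example and is not from the blog post, the IE team, or any commenter; it shows how an administrator would check and set that bit on a machine without waiting for a cumulative kill-bit update. The CLSID it uses is a placeholder chosen for illustration, not one of the MS08-070 controls, and the Get-KillBit / Set-KillBit function names are the example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example: inspect and set an ActiveX kill bit via the registry.
# Assumptions: running elevated; $Clsid below is a placeholder, not a real
# vulnerable control. Substitute the CLSIDs from the bulletin you are mitigating.

$KillBitFlag = 0x400   # bit IE checks in "Compatibility Flags" (documented kill-bit value)
$CompatRoot  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBit {
    # Returns $true when the kill bit is set for the given CLSID, $false otherwise.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-KillBit {
    # Sets the kill bit, preserving any other compatibility flags already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBitFlag) -Type DWord
}

# Placeholder CLSID (constructed for this example; not a real control).
$Clsid = '{00000000-0000-0000-0000-000000000000}'

if (Get-KillBit -Clsid $Clsid) {
    Write-Output "Kill bit already set for $Clsid"
} else {
    Set-KillBit -Clsid $Clsid
    Write-Output "Kill bit set for $Clsid : $(Get-KillBit -Clsid $Clsid)"
}
```

On 64-bit Windows, 32-bit IE reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so apply the flag under both roots if both IE flavours are installed. Setting the kill bit does not uninstall the control; it only stops IE from instantiating it, so a later update that ships a fixed control under a new CLSID is unaffected.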

  12. @Brian LePore

    IE5.01 SP4 will be supported as long as Windows 2000 SP4 is. The same applies to every IE version included in any Windows version.

  13. @IE team

    >Microsoft Knowledge Base Article 9582158

    The article id 958215 does not match the number given in the link text 9582158.

    Second, I cannot find a list of the non-security GDR fixes this time in the KB 958215.

    Are there no other fixes included in the update or have they been intentionally omitted?

    Please highlight more obviously which non-security bugs you fix. Currently, many users believe you are only fixing security-related issues.

  14. Mike says:

    @Dan

    Agree in part with your defence of IE’s poor Javascript performance. But the fact is that the new speed race taking place between Gecko and WebKit will eventually lead to all kinds of new web applications. Together with Canvas and SVG it will be possible to do things that previously could only be done using flash.

    IE is getting seriously left behind in ignoring the speed race and failure to replace VML with modern approved standards.

  15. anonymous says:

    Alas! If only MS still rethinks about IE8 on Windows 2000. Why bother at all providing security updates for IE5.01 and IE6 if they’re dangerous at the core, there’s no prompting before signed ActiveX controls get installed etc etc.

    Stop supporting IE5, IE6 and make IE8 available for Windows 2000. IE5/6 is not usable on these machines.

  16. ArjanO says:

    @Gerard

    That’s why tests that only exercise a small part, like the javascript tests, are so useless.. why not get the whole picture..

    get the top 100 sites per region, country whatever.. and test THEM..

    As an end user, i don’t care whether some part is slower.. it’s all about the END RESULT..

    So I’d rather have the IE team speed up the things that can be easily adjusted and that, within their given timeframe, will give the best result speedwise..

  17. stan says:

    @ArjanO – that is correct, the end result matters.  However JavaScript is a big part of that (regardless what MSFT says).  More importantly Firefox uses JavaScript within their addon architecture etc. so having a fast JavaScript engine means their addons run faster too.

    Just open up a Firefox 3 browser and an IE8 browser with say 6 plugins installed in each.

    Open a new tab in each browser and check how long it takes.

    Firefox – Instantaneous

    IE8 – wait, wait, wait, almost, wait, done

    It is this kind of end user experience that since the days of IE6 has gone horribly downhill in IE.  I realize that some badly written addons are mostly to blame, but many of those "badly written" addons are written and installed by MSFT. (cough *Research*)

    I find opening a tab in IE so bad, that it ruins the whole experience for me to even use IE.  Within 10 minutes I’ve given up and gone back to Firefox.

  18. EricLaw [MSFT] says:

    @anonymous: While there’s no question that IE8 is more secure than IE7, and IE7 is more secure than IE6, and IE6 is more secure than IE5, neither IE5 nor IE6 will allow ActiveX controls (signed or not) to install from the Internet zone in the default configuration.

    IE8 supports the same platforms as IE7: Windows XP SP2 and later.

    @Stan: As you’ve observed in your "new tab" case, performance is about a lot more than Javascript.  And as you point out, the performance problems with add-ons are pretty easy to fix: Simply disable the ones you don’t want.

  19. Flüge says:

    Isn’t it offered automatically via the security center?

  20. Terry McCoy [MSFT] says:

    @Viktor Krammer

    Internet Explorer did not release any non-security GDRs in 958215.

  21. billybob says:

    If javascript is not so important then maybe someone can point to a test where IE excels over the other browsers?  Rendering?  Running native code?

    Where are the main priorities for the IE team?

  22. @Terry McCoy [MSFT]

    Thanks for the clarification.

  23. Zero Day says:

    http://isc.sans.org/diary.html?storyid=5458

    http://voices.washingtonpost.com/securityfix/2008/12/exploit_for_unpatched_internet.html?nav=rss_blog

    "SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox"

    "According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7."

  24. cluster says:

    Put Linux+Mozilla Firefox  in a Virtual Machine

    and forget 99% of the Security problems !!

  25. Dan says:

    Put IE (any version) in a Virtual Machine and forget 99% of the security problems.  Etc.  The reality is that existing real-world malware doesn’t bother to try to break out of VMs.

  26. Donny V says:

    If you want a rendering performance test, try opening gmail in all major browsers. Big shocker who’s last speed wise.

  27. Eugene R says:

    I installed it and my IE7 stopped working.  Symptoms: can not access any web page, says unavailable, check spelling etc.

  28. Eugene R says:

    Thanks a lot.  

    I use Windows Firewall,AVG Antivirus free, Spybot S&D (but no tea timer).  Which one do you think is the "suspect"?

  29. @Eugene

    AVG and/or Spybot S&D. In case you have had a Personal Firewall installed but don’t have it running in the background, *uninstall* that one, uninstall KB958215 temporarily and let KB958215 install once again after rebooting the machine.

  30. Security says:

    http://www.informationweek.com/blog/main/archives/2008/12/microsoft_pleas.html

    "Microsoft, Please Remove This Junk"

    "This new threat has something else in common with that older WMF exploit in that it supports a Microsoft-specific feature that is largely obsolete: DHTML data binding. When this feature was introduced with Internet Explorer 4.0 in 1997, it was an innovative way for a web page designer to selectively load just part of a page.

    DHTML data binding never spread to other browsers. Instead, the Internet world warmed to AJAX and DOM operations to build dynamic web pages. That left Internet Explorer with yet another unhealthy feature. Few people use it, but since it’s there it offers an attack surface for the bad guys. Even the IE8 beta is susceptible to this exploit–proving I guess that it’s fully compatible with IE6 and IE7.

    The IE8 team has been doing some great work to bring Internet Explorer up to par as far as features and performance go. This latest security problem is a reminder that there are still plenty of dark code corners in Internet Explorer that, although rarely visited, can be extremely dangerous. Before IE8 ships, Microsoft should go through and remove or disable as many of these as possible."

  31. Patch says:

    http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx

    Patches released for IE5-7 critical security vulnerability. PATCH NOW.

    I can’t find the links to download IE8 Beta 2 or Partner Build patches though.

  32. Allan Hallin Pedersen says:

    I do repairs for private individuals and I now have 3 PCs where the patch KB958215 causes IE not to work.

    When pinging various internet servers, I do receive replies and E-mail works fine; the PCs do get a valid IP.  The only thing is that IE comes up with an error message saying the page cannot be found.

    If I remove/uninstall KB958215 it’s working again. The only common denominator is IE7. OS varies from XP and Vista.

    Any suggestions?

  33. EricLaw [MSFT] says:

    @Allan: What Firewall do you have installed?  http://www.enhanceie.com/ie/troubleshoot.asp#firewall

  34. RJ says:

    I had the virus infect Firefox too. Am not able to access any "non-spam" site through it. Are others experiencing this too?

  35. Ollie says:

    Windows update is letting me load the recent security updates:

         Security Update for Internet Explorer 6 for Windows XP (960714)

    Cumulative Security Update for Internet Explorer 6 for Windows XP (KB958215)

    It just says the following updates could not be installed. Is there any way to download them?

  36. Hallin says:

    @EricLaw: It varies, 1 with F-Secure, 2 with Norton and today I had a new one not having FW, but running McAfee 8.5 and IE6 on XP.

  37. Geld Lenen says:

    It’s good that this is made public through this blog. Thumbs up!