IE December Out-of-Band release


The Internet Explorer team is releasing an out-of-band update, available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already, to ensure that you receive the latest updates for all Microsoft products.

This update addresses one remote code execution vulnerability. The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments (73)

  1. Patch says:

    Where is the patch for IE8 Beta 2 and IE8 Partner Build 18343 Pre-RC1? I’ve searched through the Security Bulletin article and the KB article and not even 1 link to this supposedly available patch for IE8.

  2. Michael Madsen says:

    @Patch: I was able to download the B2 patch (Security Update for Internet Explorer 8 Beta 2 for Windows Vista (KB960714)) from Windows Update one hour ago (the patch was released 2 hours ago, as far as I’m aware). I can’t say for any Pre-RC versions.

  3. Could some brave soul let Mike Reavey know that – at the last count – there was still more than a single [MS] security partner.  Or maybe I got that wrong?  "over 24 different security partner’s products".  

  4. Terry McCoy [MSFT] says:

    @Patch

    For IE8 Beta 2, the Downloads are still going live right now.  They will be available today.

    For those participating in the IE8 Technical Beta Program, a new Partner build is available that addresses this issue.  

  5. Terry McCoy [MSFT] says:

    @Martin Harvey

    Mike is correcting the post now.

  6. Terry – that was quick and impressive.  These comments ARE acted on!  [Hope the messenger wasn’t shot – I know what you NRA-types are like on your side of the big pond :)   ]

  7. alamfour says:

    does this also apply to IE Mobile on Windows Mobile 6.1?

  8. Terry McCoy [MSFT] says:

    @alamfour

    You should contact your mobile phone provider to see if there is an update available.  

  9. XTC says:

    What is the build number for the fixed Partner Build release that’s no longer vulnerable?

  10. Ian says:

    When will it be released through WSUS?

  11. Robear Dyer, MS MVP says:

    MS08-078 for IE8 Beta 2 is also available via the Microsoft Update Catalog: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=kb960714

  12. drd says:

    Should IE8b2 patch be up for Vista 64 bit with SP2 beta? Or is SP2 beta+IE8b2 not affected?

  13. Glen Fingerholz says:

    IE Beta 2 has a much faster starting time on my machine than it used to. Was this just a security update or did something else additionally get changed?

    It was literally taking longer than Firefox 3 (with 15 add-ons installed). As it would sit there for up to 10 seconds before the UI became responsive.

  14. ABE says:

    THIS SUCKS! I updated and now NOTHING on my computer will open up without a pop-up that says (encountered a problem (said program) needs to close

  15. Toni Albrecht says:

    I applied the update and when I tried to do ANYTHING on the internet the window just froze and nothing loaded.  I had to go through system restore to get the internet back.  What Gives!!

  16. Jan Dzikowski says:

    No update for IE8 Beta 2 in Vista SP2 Beta?

  17. Glen says:

    I agree with Jan Dzikowski… Terry – where is the patch for IE8b2 on Vista SP2 machines?????

    The IE8b2 for Vista patch says it "does not apply"

  18. erictee says:

    Dear IE team, my feeds are still not showing their favicon even though I have the latest build of IE8 Partner Build!

    image:http://img67.imageshack.us/img67/9828/46993780fu5.jpg

  19. Pre 2000 OS says:

    What of us old school system users before the 2000/XP/Vista Generation? I use IExplorer 6 Sp1 and find no applicable update to protect my system from the exploit.

    My machine is already compromised and I’m finding no resources to correct the intruder’s ability to control my pc other than my Nortons web security firewall, with no guaranteed certainty.

  20. 18344 says:

    The new IE8 Partner build is 8.0.6001.18344. It contains the fix to this critical security bug. The previous build 8.0.6001.18343 is vulnerable.

    Pre 2000 OS, you’re out of luck, MS stopped supporting and releasing updates for Win9x 2 years ago. Switch to another browser.

  21. Mike Dimmick says:

    @Toni Albrecht: likely you have an incompatible extension. Go to Start, Accessories, System Tools, Internet Explorer (No Add-Ons). If it works, go to Manage Add-Ons and disable everything. Now enable them one at a time and see what breaks it. If you’re very unlucky it may be a combination of add-ons.

    Adobe Flash, QuickTime, Sun Java and Adobe Reader are security bugfests. You MUST keep them up to date, in any case, or uninstall them. I would also strongly recommend uninstalling all toolbars: Google, Windows Live, MSN, Yahoo; the IE7 search box is adequate.

    I also disable three of Sun’s Browser Helper Objects: anything called ‘SSV’ and also one that recently appeared, ‘JQSIEStartDetectorImpl’. Recent versions of Java also install a ‘Java Quick Starter’ service which is pointless and counterproductive (Windows will swap out the ‘preloaded’ files under memory pressure anyway). I’ve disabled that, too.

  22. Mike Dimmick says:

    @ABE: I had something similar recently. It usually means something else trashed a system file (in my case, it appeared to be a Java update). Typically they shipped a Windows DLL with their install package which isn’t meant to be redistributed, and it was the wrong version. This may not have been incompatible with earlier versions of IE, but now is: it simply isn’t possible to test with all combinations of libraries.

    Best approach – if you can get it to do it – is to run "sfc /scannow" to check and repair system files, assuming you’re on Windows XP or earlier. Windows Vista has a different approach to protecting system files that shouldn’t even allow it to happen, but sadly idiots are inventive and I’ve seen them asking how to do it on developer forums.

    If even sfc won’t start – possible – then you’ll probably need to do a repair install of Windows.

    Remember that all Microsoft security updates have FREE SUPPORT. Go to support.microsoft.com and ask for it.

  23. Szymon Nowak says:

    IE8 RC1 – Open in new tab – not work – Only Connecting … and freeze.

    Owa 2003 ( Exchange 2003 SP2 with all updates ) – not work

    Tested on Vista SP1 / SP2 beta and IE8 RC1

  24. ANT says:

    "Open in new tab" is, as Szymon said, not working anymore in the very last build 18344 (it was working on 18343).

    Either Ctrl + click or right click > open in new tab, nothing happens after a new tab is created, it remains blank. It makes this IE8 build almost unusable :-/

  25. Pre 2000 OS says:

    @18344 – I run ME. Likewise, MS stopped support recent as August. Can’t run FF. Recommendations on alternative Browser?

  26. Dave says:

    Pre2kOS, Windows ME isn’t safe… period.  There’s nothing that you can install that will make it safe, short of a newer operating system which was designed with security in mind.  Sorry for the bad news, but anyone that tells you otherwise is a fool or trying to sell something.

  27. Pre 2000 OS says:

    @Dave – Is there a way to transfer my Emachine XP OS to a non Emachine? I couldn’t get the Emachine to set up a second HDD I installed in it.

  28. Terry McCoy [MSFT] says:

    IE has updated KB 960714 to include the supported patches for Microsoft Beta Products with direct links to the packages.  

  29. Bob says:

    Sorry to possibly ask a question already asked…but what about the IE 8 RC1 that was just released about a week ago? I ran Windows Updates on my Vista last night and it picked up the patch.  So, am I OK now? Or am I reading there is a new IE8 RC1 out already from last week again?

    I hope I’m making sense.

    Regards,

    Bob

  30. Terry McCoy [MSFT] says:

    @Jan Dzikowski

    @Glen

    Security is the priority here.  If you are running Vista SP2 Beta with IE 8 Beta 2,  I suggest you uninstall one of the two beta products to get a patch that will make you secure.  Vista SP2 Beta was not a released product when IE 8 Beta 2 shipped.  Technical issues prevented us from building a patch for this particular scenario.  

  31. arggg says:

    Ok, so I updated my XP SP3 – IE8 PR1 build to IE8 PR1-Build 8.0.6001.18344 today (with the whole uninstall, reboot drama)

    Now, I load up IE8… and discover this bug (I’m not sure if it existed in the previous IE8 build)

    1.) Open a brand new tab.

    2.) Click on a Bookmark (Favorite) on your Links toolbar, *That is IN a folder*, that opens a page with a login form (e.g. Gmail), that AUTOMATICALLY places focus in the first field (e.g. username)

    Opening the page ANY other way works, but in IE8 if you open the page from a nested link in your bookmarks IE gives the LOCATION Bar focus() AND select() and the form on the page gets NO focus.

    Essentially this makes bookmarks a step backward in usability. :-(

    thanks

  32. EricLaw [MSFT] says:

    Fixing typo.

    @Bob: Please keep in mind: IE8’s RC build will be released in the first quarter of next year.  I suspect that you’re referring to the "IE Partner Build" which you downloaded from Connect as a member of the tech beta.  This build is not patched by WindowsUpdate.

    The Partner build should be uninstalled (v18343) and the new partner build (v18344) should be installed from Connect.

    @Ant: We’re not able to reproduce the issue you’ve reported.  Does this problem reproduce in no-addons mode?  www.enhanceie.com/ie/troubleshoot.asp#crash

  33. Bob says:

    Eric,

    Thank you for the quick reply.

    Yes, the Partner Build is what I refer to. I will get the new IE Partner Build V18344.

    Odd then why did Windows Updates on Vista grab the IE patch yesterday for me with me running the v18343 Partner Build?

    Regards,

    Bob

  34. drd says:

    > IE has updated KB 960714 to include the supported patches for Microsoft Beta Products with direct links to the packages.  

    I see there’s package for Windows 7 but not Vista x64 >>SP2 beta<< and the non-beta one doesn’t install.

  35. EricLaw [MSFT] says:

    @drd: http://support.microsoft.com/kb/960714 has links to the update for IE7 on Windows Vista SP2 Beta.  

    For IE8 on Windows Vista SP2 beta, please refer to Terry McCoy’s comment above.

  36. Mikey says:

    Question:

    Why within IE6 and IE7 (haven’t tried IE8 because I don’t want to create another Virtual Image for it) if you are submitting a form with 1 input for text and 1 input for a submit button? It will only post the 1 input value and not the submit value.

    Yet, if you have 2 visible input text and 1 input for submit. You will post both input text boxes and the submit.

    Firefox and all the other browsers will POST the submit value when there is only 1 input text within the form.

    Thanks for making me waste an hour to find that out.

  37. Mikey says:

    Oh, I forgot to add that this is only when you hit the enter key from the input text and not by mouse clicking the submit.

  38. Glen Fingerholz says:

    @Terry McCoy

    There is more than one Glen here. I also asked a question 😛 (and I didn’t have any add-ons installed for IE – so I don’t think a bad add-on was to blame).

    @Mikey

    Oh the joys of writing HTML for IE. The character set sent to the client can affect font behavior for INPUT controls. MSIE 8 will support defineGetter/defineSetter, but only for DOM elements (which is the exact OPPOSITE of what Firefox did with 2.0). Gotta love the ugly stretched buttons, and stupid pop-up behavior (open document in new window, IE blocks download, and closes window without showing the bar at the top – which can be worked around but is still annoying that I had to waste time working around it) too.

    At least it doesn’t have the bizarre issue Firefox 3 seems to have with its pop-up blocker where it all the sudden breaks and starts blocking ALL pop-ups when it’s OFF (only fix seems to be restarting the browser).

  39. Martin G. says:

    Although not strictly related to the post I wondered, when new VPC images for IE6/7/8 will be available. All three of them expire on 25th of December.

  40. steve says:

    @Glen Fingerholz: re: "bizarre issue Firefox 3 seems to have" – must be quite bizarre because this is the first time I’ve heard about it and Firefox 3 has been out for like 6 months!

    As for the stretched buttons in IE, man am I ever glad they fixed that – it looked/looks horrible!

  41. Mets says:

    Hi, this is the first time I am writing on a blog. I have Vista IE and it keeps stopping working. I have tried everything but nothing seems to work. Can anyone give me some advice on what to do? Thank you

    Mets

  42. EricLaw [MSFT] says:

    @Mets: Buggy addons are the number one source of crashes.  Please see http://www.enhanceie.com/ie/troubleshoot.asp#crash for info on troubleshooting.

  43. Arieta says:

    I have a little problem with the Beta 2 connect build (18343)… When I use middle click for the sensitive scrolling, if I push the mouse too far, it will automatically jump to the beginning/end of a page. The previous beta 2 (and all other IE versions) just scrolled really really fast, which is what I would prefer. The margin for the auto-jump-to-top/bottom is also very low, so I often do it accidentally, which can be confusing when reading a longer page.

    Is this a bug, or intentional? If it’s intentional, is there a way to revert to the older way it was handled?

  44. Glen says:

    Thanks Terry and Eric.  Greatly appreciate your response in regards to IE8b2 on Vista SP2.

    It would have been good if the KB article actually stated this outright 😉

    Cheers, Glen

  45. Bob Fallona says:

    I love the new IE 8, but one feature I find missing and love in other browsers is multiple rows for tabs. The new commands for the tabs are a step in the right direction and it is much faster than Beta 1

  46. culinary says:

    The IE8b2 for Vista patch says it "does not apply"

  47. graffic says:

    It was the most compatible thing Microsoft has done for IE. It worked in IE 5,6,7 and 8!

  48. hAl says:

    I guess the Washington snow will probably hinder Microsoft employees somewhat ?

  49. Alan Adı says:

    Nothing changed really. I ask myself when it will have the ability to handle plugins like FF

  50. Mitch 74 says:

    I’m spamming: same was posted in the previous "CSS corner" IE blog post. Still, I’ve spell-checked and expanded this one.

    Having downloaded the Partners Build (I’m not part of the program), I’m happy – and not.

    Happy:

    – the "onDOMmodified" scrolling bug (all scrollings are reset to 0 on DOM modification, including CSS changes on pseudo-elements like :hover) is gone. Yay!

    – the problem of disappearing generated content when there’s a lot of it on a page seems gone. Yay²!

    – negative margins and text indents on generated content (that one was mine, better explained then reported by G. Talbot) not applied bug is gone. Yay cubed!

    BUT there is now a new problem that these bugs used to hide:

    – negative bottom margins are not properly applied on generated content when parent content is resized without being followed by a screen repaint

    Updated, simplified, one-file-does-all (using embedded base64 encoded image) test cases: http://moneyshop.perso.cegetel.net/moneyshop/testcases.html

    Please note: IE 8 is incredibly slow compared with other browsers that are installed in this virtual machine… Could it be caused by a bad relationship with the generic VESA driver?

  51. Mitch 74 says:

    …to add to my above comment, it seems that margins are wrongly removed/packed/collapsed in some cases. Try the third test case and watch the last paragraph’s placement: it jumps around when you refresh the screen.

  52. hAl says:

    @Alan Adı

    For IE plugins go to http://www.ieaddons.com/

  53. EricLaw [MSFT] says:

    @hAl: Actually, some are heroically driving to work through the snows, while others are able to work remotely through our VPN/RAS network — we use the Internet for more than just browsing. :-)

  54. hAl says:

    @Eric

    I did not think the IE team trusted the internet well enough to use it for accessing their work 😉

  55. Mikey says:

    @EricLaw [MSFT]

    Hi Eric, as my users are coming from all the wonderful browsers such as IE6, IE7, and IE8 (soon). I was wondering if your team will be able to compile a list of "features" that have been switched from IE7 to the new IE8 beta in an easy to search list. It will allow me and others to know what behaviors have been changed between IE7 and IE8 instead of having to traverse the blog (which doesn’t explain all the changes. e.g. Javascript, CSS, and HTML differences). Will we get a change log for IE8 soon, or if it has already been published, where can I find it?

  56. howard says:

    @Mikey – a change log? from Microsoft? for IE?

    ROFLOL!

    Oh man wouldn’t that be amazing! Like a complete list of all the changes so we know which things are now broken, which ones are fixed, and which ones were untouched.

    If you’ve followed this blog (and the comments on it (and in the IE chats)) since July 21, 2004

    http://blogs.msdn.com/ie/archive/2004/07/21/190687.aspx

    Let’s see, that would be (carry the one) 4 and a 1/2 years ago… you’d know that there is a 0.0000000367% chance of a change log being announced.

    More importantly there likely won’t be one because it exposes everything that was actually broken.

    Most of the PR work for IE8 talks about "moving towards better interoperability" type stuff, not: we fixed over 2 dozen DOM method calls to actually do what they are supposed to according to the specs.

    Don’t get me wrong I think IE8 is full of progress for moving towards standards compliance however I have major doubts that there will ever be a change log.

    Moreso I fully expect that when IE8 RTM launches, it will launch as: "IE8 the most standards compliant browser" since they will likely be closest to a full CSS2.1 spec in terms of coverage… but this won’t cover the "yeah but" stuff, where CSS is great and all but we’d like to be able to set w3c event listeners, set .innerHTML without errors etc.

    As for right now, we still have to force IE7 rendering for our sites because they fall apart in IE8 in "standards" mode.

  57. ME says:

    http://www.me.com/ doesn’t work in IE8 Beta 2 or Pre-RC1 18344.

  58. Arieta says:

    Could someone please confirm if the middle click scroll bug I mentioned happens in build 18344, don’t want to reboot 3 times in case its not working, thanks.

  59. Paul Jones says:

    I’ve noticed some webpages don’t work in IE7 since the latest update. I think there’s a problem with certain javascript code. Seems to run fine in Chrome.

    Can you view http://www.ted.com for example? I get a "dojo is undefined" error.

    Have tried turning security settings down, etc.

  60. gabe says:

    Paul, I have the same problem here: http://www.ted.com gives an error

  61. EricLaw [MSFT] says:

    @Paul/Gabe: Looking at the network traffic from Ted.com using Fiddler2, the URL: http://www.ted.com/js/dojo/dojo-3572873149.js is currently returning HTTP/404.

    This happens regardless of browser (and also occurs for the /css/safari.css file).

  62. Dan says:

    Peter, rather than posting a senseless rant like this, why not explain exactly what happens?  Did you try the "Reset IE to defaults" button on the Tools / Options / Advanced screen?

  63. Andrew Cameron says:

    Of course the security update is rated critical, it’s a Microsoft product.  That’s not to say all MS products are bad, they’re just incredibly sloppy.  The manager of this IE8 project needs to be sacked as they have already cost themselves in marketing and respect from the community.  A humiliating beta release and nothing on any professional level since.

    It’s not tricky, guys.  Just BUILD A GOOD PRODUCT and people will take it.  But you can’t, can you?  It’s eternally sad, so many resources but not a drop to write good code with.

    I’m sure there are fantastic programmers working on this project, but the person making the calls needs to be shown to the door because they are consistently destroying any credibility that IE8 had, before we’ve even seen an official release.

    ALL WE WANT IS A BROWSER THAT LETS US LOOK AT WEB SITES AND MOSTLY PLAYS WELL WITH OTHERS.

    PLEASE.

  64. fredd says:

    totally agree with Andrew. manager must dismiss

  65. Bob says:

    BUG Report:

    IE 8 ver 8344 does not remember my login id and pw for Twitter.com even if I check mark the box "remember me".

    Also, on Facebook, the online chat function does not work in this IE 8.  Also, other "friends" cannot see me online on facebook.com

    Thanks,

    Bob

  66. @Mikey

    > submitting a form with 1 input for text and 1 input for a submit button (…) will only post the 1 input value and not the submit value.

    Mikey,

    I reported and filed a bug at connect IE beta feedback for you based on your excellent description. It must be said that such bug had been filed before (see bug 362726) and was closed (not reproducible) on August 27th 2008 and the original bug reporter did not reactivate the bug.

    connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=389736

    If you can visit bug 389736 webpage and vote for that bug, it would help…

    Bug entry:

    http://www.gtalbot.org/BrowserBugsSection/MSIE8Bugs/#bug204

    http://www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/#bug173

    Season’s greetings,

    Gérard

  67. .*. .* *MERRY*CHRISTMAS!*

    AND

    .*. .* *HAPPY*New*Year 2009*

  68. Roger says:

    IE8 Partner Release 1 has a bug when zooming text content it chops things off..

    See the 404 that was listed above..

    http://www.ted.com/js/dojo/dojo-3572873149.js

    when the 404 page comes up, zoom in 2, 3 or 4 times with [ctrl] + [+].

    The top/bottom of many lines of text gets chopped.

    (this happens on lots of sites, but this sample is the easiest to find/see.)

  69. MedDoc says:

    It’s the first time I visit this Blog.

    I come from Germany and wish all the best for

             2 0 0 9 !

  70. GabrielH says:

    What about SVG support ? I read that IE8 will not support it ? But SVG is a standard and all the other browsers already support it !

  71. Dan says:

    GabrielH, if you look at the charts, no popular browser fully supports SVG.  Various addons are available for each browser to add SVG support. The SVG standards are EXTREMELY complicated and add a lot of redundant functionality.  They’re a good example of a poor standard.

  72. Eli Allen says:

    Since this out of band update IE7 has been taking up way more memory than usual on both XP (work machine) and Vista (home machine). I realize I probably keep my windows open way longer than normal (either until they crash or time for the new months round of updates, so nothing has changed Eric 😉 )
