IE June Security Update Now Available


The IE Cumulative Security Update for June 2009 is now available via Windows Update or Microsoft Update.

This update addresses seven privately reported vulnerabilities and one publicly disclosed vulnerability. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles scripts and cached content and the way it initializes memory. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for Internet Explorer 5.01 on Windows 2000, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP and Windows Vista. The security update is rated Important for Internet Explorer 6 Service Pack 1 on supported editions of Windows 2000. The security update is rated Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows Server 2003 and Windows Server 2008. For Internet Explorer Beta products, download locations are available in the Knowledge Base Article.

IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Update 6/9 – typo correction in the second paragraph.

Comments (41)

  1. IEInternals says:

    The latest IE cumulative update shipped today; download it from WindowsUpdate when you get a chance.

  2. I have already downloaded this new IE update through Automatic Updates and it’s been helpful. I don’t see any plausible reason why some people turn off Automatic Updates and yet expect Windows to protect their computers. Thanks for providing great security.

  3. Mike says:

    Just updated Windows 7.  Now 7 fails to load.  

  4. Visual C++ team has discovered that after installing the current release of Internet Explorer (Internet

  5. @Mike: Can you be more specific about what you mean when you say "Now 7 fails to load."?

  6. Steve says:

    @Quality Directory – Re: "I don’t see any plausible reason why some people turn off Automatic Updates"

    Depends on your position.  If it is critical that your system works, you want to be sure the patches are good before you apply them.

    I worked for a College that had a huge deployment of Dell PCs.  We came in one day, and automatic updates were turned on, to auto install.  On this day though, there was a video driver update that completely hosed all PCs that got the update.  They would boot 80%, then BSOD, and reboot (rinse, lather, repeat)

    When we discovered what was happening we turned off AU on the remaining "alive" PCs… I.T. went into overtime trying to restore the other PC’s rolling back the update.

    In all, 75%+ of the entire network of PCs was "dead" for 8 hours.

    Needless to say, I.T. wisely changed the policy to download updates, but only let them apply once I.T. had run some sanity checks.

    Therefore I (like most) set my PCs to auto-download the updates, BUT I will always delay a day or two before applying.  Once I’m sure there is no uproar from updates breaking things, then AND ONLY then will I update my boxes.

  7. John Orf says:

    After installing the latest batch of Windows updates I cannot open a second tab.  Clicking on a second tab shuts down IE totally.  You can open multiple browser windows but open a second tab and IE goes away.  Anybody experience this?

  8. Greg says:

    Can this and other MS updates have easy to find file download locations for those of us that cannot use windows update?

  9. hAl says:

    Several people have reported improved performance/stability in IE8 on installing this.

    Does this patch contain changes not related to security but to performance or stability?

    Or does it for instance reregister IE8 related dll’s?

  10. @hAl: This update should resolve the performance/stability issue encountered by users with huge numbers of sites in the Restricted Zone.

  11. @John Orf: Do you repro this in no-addons mode?  www.enhanceie.com/ie/troubleshoot.asp#crash

  12. samuel says:

    Maybe it’s just me, but today I can’t get IE8 to keep from crashing. I installed all the updates yesterday. Even just sitting idle on the microsoft.com home page, boom! it’s gone.

    I have tried resetting IE to all defaults (using Internet Options > Advanced > Reset).

    I have tried rebooting.

    I have tried running with -extoff

    I can’t browse for more than two or three seconds without it shutting down. I’ve submitted a few dozen crash reports, and will continue to do so…

    This is extremely frustrating. Posting using Firefox, which has been stable so far.

  13. Frankie says:

    @EricLaw – aha, so this is to fix IE8 so that it is usable with Spybot Search & Destroy installed?

    Awesome, that means that I can actually use IE again. I had to shelve it since a week after the release due to this bug.

    Hopefully this means that IE won’t be Connecting………. for ever and ever.

  14. Frankie says:

    Doh! so much for that idea! It isn’t much faster at all (if at all). Every page and new tab still says Connecting…….

    I give up – back to Firefox for good this time.

  15. Short description: Final version of Windows Internet Explorer 8 (IE8 for short) for Windows XP. IE8 is the Internet Explorer version from Microsoft that so far best supports web standards in its default settings. Its installation is therefore

  16. Short description: Cumulative security update intended to close security vulnerabilities that have arisen in Windows Internet Explorer 8. See Security Bulletin MS09-019 (English or German) Current: yes direct download or via Windows Update Be

  17. mustafa says:

    Why don’t you guys quit making browsers and simply use Firefox as the default one? You’re too far behind and don’t appear to get anything right…

  18. Stephen E. Baker says:

    @mustafa – I think for obvious reasons MS wants control over the browser they ship by default with the OS.  Dropping Trident and forking webkit/khtml like Apple and Google did seems like a proven strategy though; I’m not sure why they don’t do that.  Still security issues come up in all software; that’s why there’s a Firefox 3.0.10 and a 3.0.11 in the works.

  19. Well, I’ve just spent the better part of 6 hours fixing bugs as displayed in IE7. If someone brought criminal charges against Microsoft for crimes against humanity I think they’d win.

  20. Greg says:

    @A Rather Irritated Freelancer – you’ll want to check out Web bug track then – it’s full of those pesky IE bugs (and fixes!) so you won’t need to pull your hair out. 😉

    http://webbugtrack.blogspot.com/

    Well you’ll still be frustrated but at least you’ll have a solution!

  21. lilipako says:

    your system and browser are dead already and not as popular as in the 90s

  22. Marlov says:

    @MSFT – It has been reported that when Windows 7 is released in Europe that it will not be shipped with IE8 installed by default (due to the whole MS Monopoly Trial thing etc.)

    On a personal note although I don’t live in Europe I fully welcome this resolution as it enforces some sense of a fair marketplace (but that’s not where I’m going with this question).

    So if this is the outcome I’m curious as to what exactly this means?  Will there still be MSHTML and Trident code within the OS… and just the IE Browser Application is removed?

    More importantly (there is a great catch 22 here), what options does the end user have when wanting to use the internet?

    Do they get an icon that is say a "Globe" labeled "Internet" that when clicked presents a dialog with a selection of browsers to install as the default Browser?

    e.g.

    Title: Default Web Browser Selection

    Message: Windows needs to install a Web Browser to connect to the Internet. Please select your preferred Web Browser from the list below and click Install.

    {alphabetical or random list of browsers (none pre-checked…}

    +———————————-+

    (  ) Apple Safari (Logo)

    +———————————-+

    (  ) Google Chrome (Logo)

    +———————————-+

    (  ) Maxthon International Maxthon (Logo)

    +———————————-+

    (  ) Microsoft Internet Explorer (Logo)

    +———————————-+

    (  ) Mozilla Firefox (Logo)

    +———————————-+

    (  ) Opera Software ASA Opera (Logo)

    +———————————-+

         [_Install_]   [_Cancel_]

    If the above sort of flow is not included to choose which browser to install… how exactly does it work?

    When I install Windows now, the first thing I do is fire up IE so I can download Firefox but that obviously won’t work if IE is not installed.

    Thanks,

    marlov

  23. Rachael says:

    From CNET:

    Microsoft Memo to OEMs:

    "To ensure that Microsoft is in compliance with European law, Microsoft will be releasing a separate version of Windows 7 for distribution in Europe that will not include Windows Internet Explorer," the software maker said in the memo. "Microsoft will offer IE8 separately and free of charge and will make it easy and convenient for PC manufacturers to preinstall IE 8 on Windows 7 machines in Europe if they so choose. PC manufacturers may choose to install an alternative browser instead of IE 8, and has always been the case, they may install multiple browsers if they wish."

    Microsoft confirmed the authenticity of the document but declined to comment further.

  24. JayBee says:

    When do you plan to implement HTML5 in IE?

  25. Are there any yet known issues regarding KB989897 for IE8 on Windows XP (SP3)?

    I’ve received some reports in the meantime, that after KB989897 for IE8 has been installed, "Halo" doesn’t start any longer and throws error "Cannot allocate required memory. Some other application has loaded where Halo needs to be located" instead. http://support.microsoft.com/kb/830704/en-us doesn’t help in these cases, while uninstalling KB969897 is claimed to cure that issue (but have a potentially vulnerable IE8/Windows systems instead). It’s also claimed, that the "Halo" issue does *not* happen with KB969897 for IE7.

    Since I’m not having "Halo" installed (nor any other game <duck>), I’m not able to open a case with PSS (I’ve advised the problem reporters to do so meanwhile).

    Any hints? TIA

  26. Jim Conway says:

    Win xp hangs on startup after the June 10th 2009 windows automatic update. Solution: install all the updates, even the IE update.

  27. @Frankie: As noted a number of times, the primary cause of slowness in tab startup is buggy browser addons.  We highly recommend trying "No add-ons" mode to eliminate add-ons as a possible source of slowness.

    @JayBee: It’s worth noting that the HTML5 draft is far from complete.  IE8 includes some of the further-along HTML5 features; if you have specific needs for HTML5 features, we’d love to hear what your top priorities are.

    @Marlov: Even when "Internet Explorer" is not present, MSHTML (Trident), UrlMon, WinINET, and other components remain available for other applications which depend on these platform technologies.

  28. Ooops, sorry, I meant KB969897 for IE8 on Windows XP (SP3) of course here: http://blogs.msdn.com/ie/archive/2009/06/09/ie-june-09-security-update-now-available.aspx#9746324

    Any indications on what exactly may be causing the issue, which has been confirmed to be existing by more users right now?

    TIA, Freudi

  29. P. Schouten says:

    Over here the same problem as Ottmar since I installed the June security patches. Halo does not start anymore and gives "Cannot allocate required memory. Some other application has loaded where Halo needs to be located".

  30. I got that security update KB969897 for IE8 on Windows XP (SP3) but it took a long time.

  31. Great, waited for this a long time.

  32. Sheila Jarquín says:

    What can I do!!? I want to play it

  33. Chris W. says:

    I wonder if this security update, or another recent one, has something to do with a strange phenomenon we’ve seen on 3 machines running Vista. (We currently have 10 or so machines running Vista, out of a total of 60+ workstations.)

    On these machines, within the last 10 days, some process has relocated IExplore.exe (just that file!) from its normal location (C:\Windows\Internet Explorer) to a generated path that incorporates IE’s version number. For example, one of the machines that was running IE 8 now has IExplore.exe in the following location:  "C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_124d22632fc9f126\iexplore.exe"

    When this occurs the installed shortcuts in the user’s profile (under All Programs and in the Quick Launch region of the taskbar) are automatically updated to point to the new location. However, some other aspects of IE’s shell integration are not updated. For example, the file type registration associating IExplore.exe with the HTML file type (.htm, .html) is left untouched, and is therefore broken. In addition, the App Paths setting* is left alone; this will cause problems for other apps that invoke IExplore.exe by name. (Obviously apps that use the full path will also have problems.)

    Finally, an attempt to reset IE as the default browser on the system evidently fails, although there is no error indication when this occurs. One prominent manifestation of this failure is the failure of hyperlinks in Outlook messages which formerly worked with IE set as the default browser. (Setting Firefox or another browser as the default resolves this particular problem.)

    So far, I have been unable to find discussions of a similar problem in Google searches. Does an article recently posted in MSKB explain what is going on?

    ————————

    *  The App Paths setting in the registry allows an application to be run by name (eg, START iexplore) via the Windows console’s START command or via the Windows Run dialog. (See the Windows shell integration documentation.) The relevant registry key is the following:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

  34. Chris W. says:

    Correction of a brain fart in the previous comment:

    //////////////////

    On these machines, within the last 10 days, some process has relocated IExplore.exe (just that file!) from its normal location (C:\Program Files\Internet Explorer) to a generated path that incorporates IE’s version number. For example, one of the machines that was running IE 8 now has IExplore.exe in the following location:  "C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_124d22632fc9f126\iexplore.exe"

    //////////////////

  35. Chris W. says:

    One more followup to the previous two comments:

    We’ve seen the relocation of Iexplore.exe occur on two machines that were running IE 7 at the time. (On the third machine IE 8 was already installed.) On one of these machines, an attempt to resolve the manifestations was made by installing IE 8. The installation apparently went through, but some unidentified process immediately moved IExplore again, to the path given in my earlier comment (4:22 PM).

  36. Nick Lewis says:

    This update has failed to install on my XP SP3 HP notebook 4 times.  I even disabled my AV to see if that would help. Although I’ve seen other blogs about this install failure none of the suggestions found so far have helped.  I have also noticed that printing to my network printer no longer works.

  37. @Nick Lewis

    And the IE version you’re having running is? You may want to look for an error code to be found on the Windows Update site and the Update History there. Move the mouse pointer onto or click the "white cross on red background" symbol right beside the failing update.

  38. Chris W. says:

    This is a followup on my comment on 6/18, 4:58 PM.

    In the instance where IExplore.exe was relocated on a Vista machine running IE 7, the path of the relocated executable was the following:

    "C:\Windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_2f62000919fe80c9\iexplore.exe"

    Note the somewhat unexpected version number embedded in the path, "6.0.6001.18000". The initial "6" is the only digit that differs from the IE 7 version number on the machine. Also note that the hex digit sequence following "6.0.6001.18000_none_" (that is, "2f62000919fe80c9") differs from the path of the relocated IE 8 version of IExplore.exe.

    The hex digit sequence preceding the version number ("31bf3856ad364e35") is evidently a public key used in signing components of Windows Vista SP1. It also occurs in the path of the relocated IE 8 executable.

  39. jack says:

    anyone know a working solution for the halo problem with the june updates?

    ps: halo error is: it can’t allocate memory.