Internet Explorer July Out-of-Band Cumulative Security Update


The Internet Explorer team is releasing an out-of-band security update (outside the regular monthly release cycle), available now via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already, so that you receive the latest updates for all Microsoft products rather than for Windows alone.

This update addresses three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted web page with Internet Explorer. The update addresses these vulnerabilities by modifying the way Internet Explorer handles objects in memory and table operations.

In addition, the update includes two defense-in-depth protections against known techniques that can bypass ActiveX security policy when an ActiveX control was built with certain Active Template Library (ATL) methods in specific configurations. The first protection is enabled by default and changes how ATL-based controls read persisted data. The second is disabled by default and offers the ability to regulate the use of the IPersistStream* and IPersistStorage interface implementations within individual controls.

For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer except Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003 and Windows Server 2008, where it is rated Moderate.

I encourage everybody to download this security update, together with the other non-IE security updates, via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for Automatic Updates so that they stay current with the latest updates from Microsoft.
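As a practical follow-up to the advice above, here is an added example (not part of the original post) for verifying from a PowerShell prompt on Vista or Windows 7 that the update is in place and that Protected Mode is still on for the Internet zone. It assumes the update's KB number is 972260 (the bulletin and KB article cited in the comments below), that Get-HotFix is available (PowerShell 2.0), and that the reader compares the reported mshtml.dll version against the file table in the bulletin; the script deliberately embeds no version threshold.

```powershell
# Added example (not from the IEBlog post): post-patch checks for MS09-034.
# Assumptions: the update is KB972260 (per the bulletin cited in the comments),
# PowerShell 2.0 on Vista / Windows 7 / Server 2008 so that Get-HotFix exists,
# and the reader compares the printed mshtml.dll version with the bulletin's
# file table (no version threshold is embedded here).

function Test-Ms09034Installed {
    $hotfix = Get-HotFix -Id 'KB972260' -ErrorAction SilentlyContinue
    if ($hotfix) { "KB972260 installed on $($hotfix.InstalledOn)" }
    else         { "KB972260 NOT found - run Windows Update / Microsoft Update" }
}

function Get-MshtmlVersion {
    # mshtml.dll is the rendering engine the update replaces; compare this
    # value with the file table in the bulletin for your IE/OS combination.
    $dll = Join-Path $env:SystemRoot 'System32\mshtml.dll'
    (Get-Item $dll).VersionInfo.FileVersion
}

function Get-ProtectedModeState {
    # Protected Mode exists only on Vista and later and only works with UAC on.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $uacOn  = ($policy -ne $null) -and ($policy.EnableLUA -eq 1)

    # Zone 3 is the Internet zone; URL action 2500 holds the Protected Mode
    # setting for that zone: 0 = enabled, 3 = disabled. Missing = default (on).
    $zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
    $pm   = if (($zone -ne $null) -and $zone.PSObject.Properties['2500']) { $zone.'2500' } else { 0 }

    $state = if (-not $uacOn)   { 'UAC off: Protected Mode unavailable' }
             elseif ($pm -eq 0) { 'Protected Mode ON for the Internet zone' }
             else               { "Protected Mode OFF for the Internet zone (2500=$pm)" }
    $state
}

Test-Ms09034Installed
"mshtml.dll version: $(Get-MshtmlVersion)"
Get-ProtectedModeState
```

On 64-bit Windows the System32 copy of mshtml.dll belongs to the 64-bit browser; the 32-bit IE that most add-ons need loads the copy under SysWOW64, so check that one as well if that is the browser you actually use.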

Terry McCoy
Program Manager
Internet Explorer Security

Update 5:41pm: removing * from IPersistStorage

Comments (63)

  1. Win7 RTM says:

    Where is the patch for Windows 7 RTM 7600.16385? Or was Win 7 RTM already patched before it RTMed and is not affected by this?

  2. John says:

    Internet Explorer 8 for Windows 7 RTM is unaffected by this bulletin.

    The IE defense-in-depth mechanism is already built into Windows 7 RTM.

  3. Mark says:

    RTM: Win7 RTM isn’t released yet. Who knows what malware your stolen franken-bits contain.

    John: Win7 RTM isn’t released. While you can speculate what is or is not in Win7 RTM, unless you cite an official source, you are not credible.

  4. Gord says:

    Am I the only one who finds it funny that the primary source for IE news (the IE Blog) isn’t even running in Standards Mode in IE8? Not only does it render weirdly, it flat out refuses to render in IE8 Standards Mode due to forced headers, so the IE Blog is helping to hold back the web.

    Too funny.

  5. Ben says:

    This update seems to have broken the ie developer tools. I am getting constant CPU usage and both ie and the developer tools hang until manually killed.

  6. John says:

    In response to Mark:

    1. Windows 7 RTM is already released for PC makers and other Microsoft OEM partners that are already receiving Windows 7 RTM software images. Check this timeline: http://www.winsupersite.com/win7/rtm_availability.asp

    2. An official source about the Internet Explorer 8 for Windows 7 RTM being unaffected by this bulletin:

    http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx

    As you can see, Windows 7 (RTM) / Windows Server 2008 R2 (RTM) are listed as unaffected.

    But if you go to http://support.microsoft.com/kb/972260

    you will see that Windows 7 RC / Windows Server 2008 R2 RC and Windows 7 IDX (former RC2) / Windows Server 2008 R2 IDX (former RC2) are affected.

  7. Anonymous says:

    Ben,

    Working for me in IE 7.

  8. hAl says:

    If kill bit protection is used in the short term to prevent activity from vulnerable plugins, why then are those vulnerable plugins not updated in a later patch?
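For readers wondering how the kill bit mechanism hAl refers to actually works, the following is an added example, not code from the post or from Microsoft: a kill bit is a per-CLSID entry under the ActiveX Compatibility registry key, and bit 0x400 of its Compatibility Flags DWORD tells IE never to instantiate that control, whether or not the vulnerable DLL is still on disk. The CLSID used in the sample call is an all-zero placeholder, not a real control; setting a kill bit requires an elevated prompt, and on 64-bit Windows the 32-bit browser reads the same key under Wow6432Node.

```powershell
# Added example (not from the post or the commenter): inspect and set ActiveX
# kill bits. IE looks up each control's CLSID under the ActiveX Compatibility
# key; if bit 0x400 of "Compatibility Flags" is set, the control is never
# instantiated in IE, regardless of whether the vulnerable DLL is still on disk.
# The CLSID used below is an all-zero placeholder, not a real control.

$ActiveXCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit       = 0x400

function Get-KillBittedClsid {
    # Enumerate every CLSID whose Compatibility Flags carry the kill bit.
    Get-ChildItem $ActiveXCompat | ForEach-Object {
        $flags = (Get-ItemProperty $_.PSPath).'Compatibility Flags'
        if (($flags -ne $null) -and (($flags -band $KillBit) -ne 0)) { $_.PSChildName }
    }
}

function Test-KillBit([string]$Clsid) {
    # True when the CLSID has a kill bit; a missing key means "not blocked".
    $key = Join-Path $ActiveXCompat $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty $key).'Compatibility Flags'
    return (($flags -ne $null) -and (($flags -band $KillBit) -ne 0))
}

function Set-KillBit([string]$Clsid) {
    # Requires an elevated prompt. Preserves any other compatibility flags.
    $key = Join-Path $ActiveXCompat $Clsid
    if (-not (Test-Path $key)) { New-Item $key -Force | Out-Null }
    $flags = (Get-ItemProperty $key).'Compatibility Flags'
    if ($flags -eq $null) { $flags = 0 }
    Set-ItemProperty $key -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
}

$placeholder = '{00000000-0000-0000-0000-000000000000}'   # not a real control
"Kill-bitted CLSIDs on this machine: $(@(Get-KillBittedClsid).Count)"
"Kill bit set for $placeholder : $(Test-KillBit $placeholder)"
# Set-KillBit $placeholder   # uncomment, elevated, only for a CLSID you intend to block
```

Because the kill bit is keyed on the CLSID rather than on the file, a vendor fixing the control has to ship it under a new CLSID (or the kill bit has to be cleared) before the fixed version will load in IE; that is the trade-off behind hAl's question.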

  9. Jorge says:

    Installed successfully in my Windows Vista SP2 Ultimate x86, including the huge hotfix for Visual Studio 2008 SP1.

    Everything is OK here, I always take seriously the security of my PC, that’s why I have Microsoft Update turned on. 😉

    Thanks!

  10. John Hrvatin [MSFT] says:

    Ben,

    Does that happen on all sites you try to use the tools on or a specific site?

    Thanks.

  11. Thomas P. says:

    I’m seeing the same behaviour as Ben.

    I’m running IE6 SP3 (da) on WinXP Pro SP3 (da).

    Step 1. Start a new IE.

    Step 2. Go to http://code.google.com/

    Step 3. Resize the IE window.

    Whoops! CPU starts running at 100%, and most of the system becomes unresponsive. (Kill it with Task Manager.)

  12. Stefan says:

    Hm… IE7/8 run in a so-called "Protected Mode" on Windows Vista/7/NT6.x if UAC is turned on. So how can this security issue affect me, running IE8 on Vista? I mean, IE8 doesn’t even have permission to write outside of its sandbox. So I don’t understand how this security issue can work. Shouldn’t NT6.x users with UAC turned on be safe even against such security holes?

  13. EricLaw [MSFT] says:

    @Stefan: Protected Mode/UAC is a defense-in-depth feature.

    While you’re correct to note that Protected Mode can help constrain the impact of any exploitation of this vulnerability, you should absolutely ensure that you install IE updates to ensure that defense-in-depth features are not your only protection against exploit.

  14. vix says:

    After this update, IE doesn’t work anymore. It won’t load any pages. I have 7.

  15. woot says:

    Woot! Freedom of choice!

    Now Windows users will have a choice to not install IE!

    http://static.arstechnica.com/assets/2009/07/microsoft_browser_ballot-thumb-640xauto-7310.png

  16. DT says:

    Keeping in mind that Windows 7 already provides the choice to not install IE… I hope you understand what you’re exactly cheering about?

  17. Hexagon says:

    The whole ballot thing was ridiculous to begin with. Opera got what they wanted, and they are still whining about it. Completely childish.

    If Opera wants market share, then they should develop a browser that is actually somewhat useful.

  18. barrie says:

    @DT – the picture that @woot posted doesn’t tell the whole story.  the related article indicated that Microsoft would apply this to XP also, giving users the ability to directly install Firefox or Safari instead, AND to uninstall IE.

    Shackles be gone.

  19. Alex says:

    Update broke my IE8 and Chrome on Vista Home Premium x64 (AMD). Network status reports Internet connectivity, FTP works, ping works, both browsers do not.

    Error 101 (net::ERR_CONNECTION_RESET) in Chrome

    IE cannot display the webpage error in IE8 without anything useful under "More information"

  20. Nassan says:

    @Alex:

    When you run Windows Internet Explorer in no add-ons mode, does it still not work?

    You can run it (possibly) through the search function on the start menu in Vista, or by navigating to it in the start menu:

    Start Menu > Programs > Accessories > System Tools > Internet Explorer (No Add-ons)

    Have you checked the system for malware, and do you have any sort of malware "real-time" protection running?

  21. Stefan says:

    @EricLaw [MSFT]

    Okay, imagine: my IE8 isn’t fully patched. I visit a malicious site and become the target of a remote code execution. So, what exactly happens? IE8 is running in a sandbox on Vista with UAC turned on. Can the punisher execute code on my whole system, or only in the sandbox?

    If only in the sandbox: if it tries to access the filesystem outside of the "Low" folders, UAC should pop up, right?

  22. richard says:

    Now I get it! You can Google on Bing:

    http://www.collegehumor.com/video:1915736

    With a name like Bing it was too hard to tell.

  23. EricLaw [MSFT] says:

    @Stefan: UAC will forbid *writes* outside of the Low folder (or more precisely, it will virtualize the writes into a harmless Low folder). However, you don’t want bad-guy code running on your computer, even at Low Rights.

  24. EricLaw [MSFT] says:

    @Alex: http://www.enhanceie.com/ie/troubleshoot.asp#firewall explains the most common source of connectivity problems after updates.

    Does the Diagnose Connection Problems button in IE turn up anything interesting?

    Netcheck (www.enhanceie.com/dl/netchecksetup.exe) can gather a log of your configuration settings and help troubleshoot connectivity issues.

  25. RickPowell says:

    Just (July 30, 2009) installed a patch for IE7 and sometimes see just a solid gray bar, about an inch wide, vertically overlaid on the middle of the browser, which then freezes (or consumes 99% CPU). Another co-worker just had it happen too. Something screwy in the latest patch… :(

  26. Stefan says:

    @EricLaw [MSFT]:

    Okay, so this means exactly: nothing harmful can happen to my PC if I decline every UAC prompt from IE. This sounds good imo :)

    So we can say Vista systems are by default secure against IE security holes, due to UAC.

    Btw, don’t worry, my computer systems are up2date 😉

  27. Ian says:

    Stefan, read more carefully. If the hacker exploits a bug to run code in the ie sandbox, he can still **read** your entire harddrive and upload it to his server, watch everything you type, use your machine to run a spam service, or a porn site, or distribute his malware, etc, etc.  Protected mode just makes it so that your pc isn’t **permanently** toast…

  28. Stefan says:

    @Ian:

    Okay… good point. But I think you missed those security warnings, when IE asks for permission when a website wants to access my hard drive outside of "Low".

    But it seems that it doesn’t always work as expected. For example, if I go to "File" -> "Open", select a file and open that file with its registered program within IE’s context: Word files I’m unable to open, but txt files work without problem. I can even modify them. But when I tried to run my batch file (a simple explorer.exe kill), it didn’t work for me. It asks me to enter my password in the cmd window. But when I run the batch file outside of IE’s context, it works.

  29. Sedat says:

    The whole vote was an absurd thing to begin with. What Opera asked for about this, they got, and they are still whining. Totally childish.

    If Opera wants the market share, they should develop a browser that is actually a little more useful.

  30. EricLaw [MSFT] says:

    @Stefan: Protected Mode helps prevent writes to your disk, but (largely for compatibility reasons) does not attempt to prevent reads.  

    You see a UAC prompt when attempting to launch an application or a batch file because IE knows that these are not likely to run properly at Low Integrity, and hence automatically launches the elevation UI.
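The two EricLaw replies above describe the asymmetry precisely: Protected Mode IE runs at Low integrity, and the mandatory integrity policy blocks writes to higher-labelled objects but not reads. As an added example (not from the post or from the commenters), the PowerShell below makes that visible by parsing the integrity labels that icacls reports for the LocalLow sandbox folder and for an ordinary user folder, and by showing the label of the current shell via whoami. It assumes Vista or Windows 7 with the standard profile layout; the policy flags it looks for are NW (no write up) and NR (no read up), and an object with no explicit label line is treated as Medium with the default NW-only policy.

```powershell
# Added example (not from the post or the commenters): show why Protected Mode
# blocks writes but not reads. Each securable object carries an integrity
# label plus a policy; Windows' default policy is NW (no write up) only, so a
# Low-integrity process (Protected Mode IE) cannot write to Medium-labelled
# objects but can still read them. Assumes Vista/7 with a standard profile.

function Get-IntegrityLabel([string]$Path) {
    $label  = 'Medium (implicit default)'
    $policy = '(NW)'   # objects with no explicit label: Medium, no-write-up only
    foreach ($line in (& icacls $Path 2>$null)) {
        # icacls prints e.g. "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)"
        if ($line -match 'Mandatory Label\\(\w+) Mandatory Level:(\S+)') {
            $label  = $Matches[1]
            $policy = $Matches[2]
            break
        }
    }
    New-Object PSObject -Property @{
        Path      = $Path
        Level     = $label
        NoWriteUp = [bool]($policy -match 'NW')   # lower-IL callers cannot write
        NoReadUp  = [bool]($policy -match 'NR')   # lower-IL callers cannot read
    }
}

$paths = @(
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'),  # Low-labelled IE sandbox folder
    (Join-Path $env:USERPROFILE 'Documents')          # ordinary user data, Medium
)
$paths | ForEach-Object { Get-IntegrityLabel $_ } |
    Format-Table Path, Level, NoWriteUp, NoReadUp -AutoSize

# Which integrity label does this shell itself carry?
& whoami /groups | Where-Object { $_ -match 'Mandatory Label' }
```

Reading the table: LocalLow is labelled Low with NW, so Low-integrity IE may write there; Documents has no explicit label (Medium, NW only), so a Low process gets a silent access-denied on write, with no UAC prompt involved, yet NoReadUp is false, which is exactly why Ian's point about reading and uploading your files still stands.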

  31. Eric says:

    Since the system automatically updated I am no longer able to download files nor to extract their contents!  I have fiddled with Attachment Manager but to no avail.  I have even attempted a system restore but Windows XP prevents me from selecting a restore point before 7/29.

    Help!!!!

  32. EricLaw [MSFT] says:

    @Eric: What *exactly* happens when you attempt to download files?  What version of IE are you using?

  33. William says:

    IE 7/8 will die when opening the pages below:

    http://www.jazan.org/vb/showthread.php?t=146570

    http://www.aldair.net/forum/showthread.php?t=81162

    but it works with Firefox and Google Chrome.

    please improve IE!!

  34. Harry Richter says:

    @ William

    …ever tried it with addons disabled?

    It works fine for me, although I can’t read the Arabic script, so I can’t tell if the page is ok.

    It seems to be – again and again and again – the case that MS is blamed for buggy addons!

    Cheers

    Harry

  35. Alex says:

    Here is an update to the post about broken IE8 and Chrome: It was traced to the issue with Trend Micro Proxy Service – it literally "freaked-out" after the upgrade.

    I am trying to get a more technical description out of TrendMicro – I will post details as soon as I get them.

    Alex.

  36. William says:

    IE 7/8 on Vista/Windows 2008 will die when opening the pages below:

    http://www.jazan.org/vb/showthread.php?t=146570

    http://www.aldair.net/forum/showthread.php?t=81162

    but it works with IE 7/8 on Windows XP, Firefox and Google Chrome.

    It seems that IE on Vista cannot process large blocks of text in a web page.

    please improve IE!!

  37. William says:

    Hi Harry,

    Please try it on Vista/Windows 2008.

    Our Windows 2008 IE 7 is a just an IE with OS without additional plugins.

    IE on XP is OK

    Thanks,

    William

  38. Gérard says:

    @ Gord

    > the primary source for IE news (the IE Blog) isn’t even running in Standards Mode in IE8? – not just renders weird but it flat out denied rendering in IE8 standards mode due to forced headers that force the IE Blog to help hold back the web.

    Gord, I too find this entirely incoherent, inconsequent, awkward and contradictory. And I said so in the past.

    An IE blog that is auto-logical and self-respects itself and all of its purposes should trigger standards compliant rendering mode in all IE browser versions.

    If Microsoft wants people to upgrade their IE browser version and then upgrade their webpage code (markup and CSS) accordingly, then IE blog (and all other major websites entirely under the control of Microsoft like MSDN which supposedly is there to teach how to create websites, to assist web authors) should show the example, promote and practice what they "preach". "How to upgrade a website to become web standards compliant" should be exemplified, demonstrated, illustrated by all of Microsoft websites themselves to begin with.

    regards, Gérard

  39. Markus says:

    Am I the only person who thinks that the IE team has far better things to be doing with their time?

    Would you rather have a shiny super-standardsy-IEBlog which is (on the surface) indistinguishable from what they’ve got today, or would your rather have improved standards-support, performance, reliability, etc, etc, in the next version of IE?

    I know what my vote is. I know how most of the world would vote.

    YOU are trying to hold back the web. Please don’t distract the IE Team from working on things that actually matter.

  40. Alex says:

    Thanks Markus for bringing up the subject of improved-standards support.

    Today, the universal plea of web designers is that IE further adhere to web standards. The greatest example of waste today is the amount of hours spent by haggard web designers retroactively tweaking their sites in order for them to properly display in IE. The fact that IE8 cannot pass the Acid3 test is a prime example of its failure as a standards-compliant browser.

  41. Markus says:

    Alex, don’t confuse ACID3 with what actual web developers want. You can pass ACID3 with flying colors and still have miserable support for standards. The IE team should focus on the standards that matter to developers and the evolution of the web, and not get sidetracked by silly stunts like the ACID3 test.

  42. dlh2009 says:

    I tested IE8 from the beta to the final release. It is a great product, but I am having problems running Facebook, Twitter, Gmail, and other sites. I have reset IE to its defaults and it still doesn’t load pages correctly. Right now I am running Google Chrome because IE8 isn’t loading pages correctly. I noticed the problem two weeks ago.

    Is anyone else having a problem or do you guys have any suggestions?

  43. Aska says:

    Are there any plans to update IE so it can handle HTML5?

  44. EricLaw [MSFT] says:

    @Aska: IE8 supports several important HTML5 features (postMessage, DOMStorage, Online/Offline events, onhashchanged eventing).

    While still under construction, many web developers consider HTML5 a very important specification for future IE versions to support even further.

  45. EricLaw [MSFT] says:

    @dlh2009: What problems are you having specifically? What sorts of problems do you see? Do you see any error messages?

  46. hAl says:

    @EricLaw

    I thought DOM storage was no longer part of the HTML 5 spec but is now a separate spec.

  47. travis says:

    I agree with the commenters above.  The IE Blog should be running in Standards mode to back up the move in IE8 towards standards. Implementing this can take some time so we’ll give you some time however:

    In the mean time please post an article on the IE Blog talking about how to implement a site in IE8 Standards mode (with tips on the "top 5" things that may need tweaking to work in IE8 Standards mode).

    Once you have the post up any future blog posts that talk about setting up a standards mode site can reference this post.

    Best of all commenters can add their own tips on what breaks in IE8 standards mode and how to fix things that they’ve encountered (e.g. the infamous link and image alignment issues)

    tx

  48. EricLaw says:

    @hAl: As a security PM, I don’t track the frequent changes to the HTML5 spec; we have other folks who do. At the time IE implemented it, DOMStorage was in the HTML5 spec.

    @Travis: Two things: first, the IE team doesn’t actually develop the IEBlog site; we develop IE. There’s some other group/vendor elsewhere that works on blog software. Second, we’ve done several such posts already. http://blogs.msdn.com/ie/archive/2009/03/12/site-compatibility-and-ie8.aspx is one overview which explains what you need to fix to get from a "requires Compatibility View" site to a Standards Mode site.

  49. Alex says:

    @Markus so give us an example of a browser that passes the ACID3 test and does poorly on real world standards compliance?

    @EricLaw Developers have been clamoring for SVG Tiny, and you guys still refuse to implement that.  Or even things as basic as standard DOM event handling?

    Version 8 has added things like color coded tabs to win over the masses, but done nothing to improve life for developers.  One would think that something as simple as ensuring IE Blog is standards compliant would go a long way towards proving how great IE’s compliance with accepted standards is.  Right?

    (or maybe IE is just more broken than anyone at MSFT is willing to admit).

  50. Alex says:

    @Eric passing the buck is a cheap shot.  As far as the public is concerned there is one Microsoft releasing Internet Explorer.  A Microsoft authored blog about IE that’s hacked up to make it work with IE makes all of the IE team look bad.

  51. dlh2009 says:

    @EricLaw:

    The only error message that I see is the one in the left hand bottom corner that says Error in the IE status bar when trying to use the chat feature or the applications button on Facebook. It does the same thing on Twitter or it doesn’t load Twitter at all.

  52. dlh2009 says:

    @EricLaw:

    I also forgot about my Gmail problem. Gmail doesn’t load correctly in IE8, even when I try to use the compatibility button.

  53. Ian says:

    Alex, you’re obviously either a troll, or a competitor who’s rooting against IE. Go away. Let the IE team work on web browsers and leave the stupid blog software to whatever people work on that.

    dlh2009, I use all of these sites with IE8 every day and have since the beta. Sounds like there’s something wrong on your computer. You have the final version of IE8 and not some beta, right?

  54. Ian says:

    Alex– Further, your baseless and incendiary claim that the blog site is somehow "hacked up" is just silly. If you use the developer tools to force the site to run in Standards mode, you’ll see that it looks pretty much exactly the same.

  55. dlh2009 says:

    @Ian

    That is correct. I have the final release version. It just started a few weeks ago. Does Facebook use JavaScript, and is that the same as using Sun’s Java software?

  56. dlh2009 says:

    @Ian

    I am not sure if Java and JavaScript are the same or go hand in hand, but I uninstalled Java and reinstalled it and it seems to be working fine. Thanks for your help guys!

    Keep up the good work IE8 team, great product!

  57. _Ice_ says:

    Hi!

    About IE8 system memory use.

    Test:

    System memory size 512 or 1000 MB.

    Open 20…40 IE8 windows.

    Free XP system memory -> zero. System nearly halted.

    If I close all 20…40 IE8 windows,

    XP frees up 40-70 MB of system memory and stays stable afterwards.

    Please check the IE8 memory use mechanism.

    Thanks

    _Ice_

  58. Can't Download Flash 10 in IE says:

    I can’t download the Flash Player 10 in IE 8 because I have DEP enabled and it crashes the browser (obviously not IE’s fault, they’re trying to execute data as code that isn’t marked as code – naughty/lazy on their part). I love how even when I tell them not to give me the Google Toolbar I’m downloading it anyways.

    res://ieframe.dll/acr_depnx_error.htm#adobe.com,http://get.adobe.com/flashplayer/thankyou/activex/?installer=Flash_Player_10_for_Windows_Internet_Explorer&addon=Google_Toolbar_6.1&g=d

    Want to make your IE more secure? Disable anything you can (e.g. PDF View In Browser) related to Adobe and turn off JavaScript in PDFs.

  59. In the past two days IE8 running on Vista, on my Sony Vaio, has done strange things with CSS (divisions). For example, the http://www.nytimes.com website has a huge blank area at the top, and the second column appears below the first column. The same thing happens on my own blog. I don’t know where to report this or get info on how to fix it. Thanks for any help.

  60. hAl says:

    I upgraded the Sun Java runtime to the 6.0.15 version.

    Just to see if it made a difference I enabled the "Sun Plug-In 2 SSV helper" addon. This still turned my tab starts into a slow pile of muddle, adding at least a second to the "new tab" time.

    I thought Sun was supposed to release a new IE8-friendly version by now. Adding a second to new tab starts for such a plugin is just ridiculous.

  61. Sal says:

    I find it funny that you tell us to go to the Windows Update web site when it won’t even work for users of the 64-bit version of the browser.

  62. Felix says:

    Sal: So? Use the 32 bit version. Or download the patches yourself manually if you’re into that sort of thing. Or, turn on Automatic Updates like the smart people.

  63. SF says:

    Same here… working on IE 7. Thanks…