Internet Explorer July Out-of-Band Cumulative Security Update

Internet Explorer is releasing an out-of-band update available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update, if you haven’t already, to ensure that you receive the latest updates for all Microsoft products.

This update addresses three privately reported vulnerabilities which could allow remote code execution. The security update addresses the vulnerabilities by modifying the way Internet Explorer handles objects in memory and table operations.

In addition, the update includes two defense-in-depth protections against known techniques that are able to bypass ActiveX Security Policy when ActiveX controls have been created using certain Active Template Library (ATL) methods in specific configurations. The first defense-in-depth protection is enabled by default and modifies how ATL-based controls read persisted data. The second defense-in-depth protection is disabled by default and offers the ability to regulate usage of the IPersistStream* and IPersistStorage interface implementations within individual controls.

For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer except Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003 and Windows Server 2008. 

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Update 5:41pm: removing * from IPersistStorage