IE October 2009 Security Update Now Available


The IE Cumulative Security Update for October 2009 is now available via Windows Update or Microsoft Update.

This update addresses three privately reported vulnerabilities and one publicly disclosed vulnerability. The security update addresses these vulnerabilities by modifying the way that Internet Explorer processes data stream headers, validates arguments, and handles objects in memory. For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. 

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments (39)

  1. Anonymous says:

    I Love IE8. Thanks a lot.

    —–Posted in PIMShell

    –PIMShell is the first Feed Reader which supports tracking and posting comments.

  2. Anonymous says:

    KB974455 causes "Type Mismatch" error when browsing with IE after installation

  3. Anonymous says:

    Why update IE5 IE6?

    Let them die!

  4. Anonymous says:

    How about MS09-056 and IE eh ?

    Silence is bliss…

  5. Anonymous says:

    ok so i tried the bing search on this blog (which yah! for once in the life of the IE blog returns actual, usable results!)

    However I noticed that the iframe that returns the results has the old windows 95 scrollbars instead of the XP ones?! Why?

    I tried another search in Firefox and Chrome and both of them have no problem rendering the XP scroll bars.

    Glad to see IE still can’t keep up.

  6. Anonymous says:

    @bing: If you use the shiny new developer tools in IE8, you can use the "Find element by click" method to find the scrolling DIV that contains the scrollbar in question. You’ll find that the Bing team has deliberately set attributes on the scrollbar to make it appear as flat gray. If you remove those attributes, you’ll find that it assumes the system theme look.

    As for why the Bing guys choose to render in a flat gray, well, you’d have to ask them. Typically, folks who decide to hardcode scrollbar colors do so because they want flashier colors.

  7. Anonymous says:

    I think the recent cumulative security update on IE 8 has created some user interface issues.

    We have checked our most recent backup 10/10, but the file is the same however, the graphical display has issues.

    Has anybody experienced a similar issue ? Is this a know issue and is there a patch or workaround for this.

    The URL is: http://www.yogasala.com/program.asp

    Thanks,

    Aslan Ozcakir

  8. Anonymous says:

    "As for why the Bing guys choose to render in a flat gray, well, you’d have to ask them"

    Good question. – It seems the folks at Bing are old school (1996) web developers that are still hooked on the "hey cool we can skin the chrome of the browser" concept even though it has been highly condemed over the years… thou shalt not modify anything beyond your own content.

    oh well hopefully that [airquotes]feature[/airquotes] will be removed in IE9.

  9. Anonymous says:

    We’re having this same issue, disabling an internal application across our organization:

    KB974455 causes "Type Mismatch" error when browsing with IE after installation

  10. Anonymous says:

    A recent update has caused Roaming Profiles to not be correctly deleted at user logoff. The folder remaining is CryptURLCache (AppDataLocalLowMicrosoftCryptnetUrlCache). If we disable "check for server certificate revocation" then the problem does not occur.

    Thoughts? I can’t determine which update has caused this.

    (Running on a W2008RTM terminal server, IE7)

  11. Anonymous says:

    Hi MSFT IE team.  I’m looking to upgrade a web app to work in IE8.  It currently runs in quirks mode (no doctype) but has several issues trying to run in IE8 standards mode.

    I have plans to update the site to be fully standards compliant w/doctype etc. but in the mean time I just need the app to work in IE8 without forcing compatibility mode.

    I thought the Application Compatibility Toolkit would advise me what I need to change but it doesn’t seem very helpful.  Is there a complete list of what stuff has changed from IE7 to IE8 that I can check for?

    Thanks,

    Trevor

  12. Anonymous says:

    We have ecountered the same issue when VBscript calls

    window.returnvalue = Array Value

    It returns "Type Mismatch" Error Message.

  13. Anonymous says:

    Is the window.returnvalue behaviour change a definitive collateral damage of the fix, or is it a bug that will be corrected some day ?

    This is really import as we also are impacted by this issue and are forced to refuse this patch for now.

    Do we need to contact back all the editors and users of an array in the returnvalue or will MS fix his mistake in changing the behaviour of a documented function ?

  14. Anonymous says:

    How can I correct this "Type Mismatch" error ??

  15. Anonymous says:

    We too are dealing with the window.returnvalue = Array issue.  This is causing 3 developers to work all hours to put in some nasty hack code to resolve for over 8000 installed app sites.  MICROSOFT you messed us up again — Thank You!

    Please provide some insight as to a way we can do this without having to come up with a hacky code fix.

  16. Anonymous says:

    Does this fix the hole you guys poked into Firefox?  Bad enough you guys can’t make secure software if your lives depended on it (your jobs certainly don’t), now you have to make other software less safe?

  17. Anonymous says:

    Hi! after the October 14 update i am unable to browse at all it simply says Internet Explorer cannot display the webpage. firefox is working fine. i am not good in IT stuff. could some just tel me in simple words, how to fix this.

    Thanks

  18. Anonymous says:

    @Sam, this is likely related to your firewall. Please see http://www.enhanceie.com/ie/troubleshoot.asp#Firewall

    @embedded, you’ll need to talk to the Firefox team about Firefox vulnerabilities.

  19. Anonymous says:

    I just got this error dialog in Firefox complaining the the "Windows Presentation Foundation 3.5.30729.1" addon was causing instability (is this related to Fiddler?)

    Is there a fix for this? and or does it also affect IE?

    Thanks

    Here’s a screen shot of the error:

    http://img2.imageshack.us/img2/1765/wpfissue.png

  20. Anonymous says:

    ah found it: Firefox addon blocked due to : "Microsoft .NET Framework Assistant and Windows Presentation Foundation, all versions, for all applications. Reason: remote code execution vulnerability"

    Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=522777

  21. Anonymous says:

    How do you classify an undocumented syntax change in VBScript? I only know one name: BUG.

    showModalDialog documentation refers it accepts an Array but since KB974455 this is no longer true. As it is undocumente, it’s a plain bug.

    Refer to http://social.msdn.microsoft.com/Forums/en-US/iewebdevelopment/thread/9cd062a1-34dd-4caa-9a77-f8a1e26031a3 for details and prepare to make changes on your web application…

  22. Anonymous says:

    Tiago is right, this IE update contains a major bug. Nevertheless, let’s hope all affected vendors will realize it’s a bad idea to use client-side VBScript in their web apps and will replace it with Javascript (or other web standards, compatible with all browsers).

  23. Anonymous says:

    It’s a good thing there is a security update now available. I can say I won’t be using it considering Internet Explorer has never been anything but a headache for me.

  24. Anonymous says:

    @blaine,

    "Good question. – It seems the folks at Bing are old school (1996) web developers that are still hooked on the "hey cool we can skin the chrome of the browser" concept even though it has been highly condemed over the years… thou shalt not modify anything beyond your own content.

    oh well hopefully that [airquotes]feature[/airquotes] will be removed in IE9."

    You really need to learn to read, this is not about the scroll bar of the browser chrome, it’s the scroll bar of a div with style overflow:auto, so it IS part of the web content, and it’s just styling the HTML content, and it has absolutely nothing to do with "skin the chrome of the browser" at all.

    I highly doubt this "feature" will be removed by any browser in the future, since it looks like the ability to style scrollbars is going to be part of the CSS3 standard.

    Anyway scrollbars in overflow sections, listboxes, dropdown menus, textareas, etc. etc. should be counted as part of the content, not part of the browser chrome, to begin with. It’s ridiculous that you can apply a blue-colored theme to your whole page but then the drop-down box has a white colored scrollbar, that completely breaks the visual integrity of the page.

    And since most browsers can skin their scrollbars to look different from the scrollbars in the system theme, it’s just downright hypocrisy trying to prevent web pages from having this same kind of capability.

  25. Anonymous says:

    I am trying to doanload IE 8.  At some point I was told that there is something wrong with my software by Dell.  I recently bought this laptop fully loaded with windows but Dell explains it is past date.  I have to use mozilla firefox to surf the net.  I am not able to fix problem my self.  Called Dell.  Their response, software problem, possible virus.  What do I have to do to get IE8 or even I back?  I am not computer savvy.  I can follow directions.  Please help.  Joanne Dean

  26. Anonymous says:

    @Mike, @Bob, @Cyntia, @matt, @Tiago, @Hydro

    There’s a report for the showModalDialog() bug that this security update caused in IE over on Web Bug Track [234]

    It includes a workaround for the bug for resolving production systems ASAP but the fix isn’t the ideal workaround.

    See site below:

    http://webbugtrack.blogspot.com/2009/10/bug-234-showmodaldialog-array.html

  27. Anonymous says:

    @Joanne Dean

    I don’t know if it would do any good (it’s hard to diagnose these kind of things remotely), but you could try the Ask IE! blog at http://blogs.msdn.com/askie/. More information would be needed.

  28. Anonymous says:

    Since the update my IE8 browser keeps telling me it needs to close as it has encountered a problem when you answer yes to close the program the error message dissapears and IE8 stays open is this a false or spurious message?

  29. Anonymous says:

    Microsoft has confirmed the "Type Mismatch" VBScript issue and is working on a fix:

    http://support.microsoft.com/kb/976749/

  30. Anonymous says:

    @Mel:

    The workaround isn’t the issue, the issue was to know if MS would officially aknoledge the issue/bug and provide a solid response to it (or refuse to), or if MS would continue to dodge the bullet.

    Seems that from the comment from @Hydro that the issue has been aknoledged and we may see a bug correction *one day*.

    And from the various feedback, it also seems that keeping the KB974455 as denied is the best response so far (even with implied security risk).

  31. Anonymous says:

    @MSFT when will a fix for the "Type Mismatch" VBScript issue be available?  If it will be in a day or two I don’t mind waiting and will not implement a hacky fix but if it will take longer than that I’d like to know so that I can take action and fix it.

  32. Anonymous says:

    This really help in terms of security purposes. Thanks a lot IE. Keep it up.

  33. Anonymous says:

    When are we having the next Internet explorer release?

    Microisoft should update with :

    – CSS 3

    -Introduce download manager,with stop and  resume download

    -SVG support

    -Separate multiple tabs into windows and viceversa

    -2D vision web browsing

    When?

  34. Anonymous says:

    I’ve tried several times to download the security for IE (Vista) get an error code 646.

    Need to know what I should do to correct what

    ever – don’t know about the internal works of

    a computer

  35. Anonymous says:

    IE always hangs after the update.

    My Windows UPdate screen also looks weird , and its disabled.

    There s a terrific problem happeend to performance after the update.

    Whn i try to close a tab in IE it hangs for a monute.It sucks really.

    Please help.

    MS if you want good programmers , recruit me!!!!

  36. Anonymous says:

    Q:

    Just upgraded to W7. As part of that I exported my favorites from Vista to a bookmark file and then reimported then into IE8/Win7. The order is now reversed (i.e. sorted Z-A instead of A-Z). Interestingly, when I import those same favorite out of IE8 and into FF, they up in correct A-Z order. Is there a simple fix here that I’m missing?

  37. Anonymous says:

    Since the update my IE8 browser keeps telling me it needs to close as it has encountered a problem – is this a common problem?

  38. Anonymous says:

    forgot to mention that it only happens after I reboot my pc. After that it works ok, but very slow

  39. Anonymous says:

    I am having problems with IE 6 Browers who ran this update and they can no longer access my site. There is no VBscript on my site.