IE December Security Update Now Available


The IE Cumulative Security Update for December 2009 is now available via Windows Update or Microsoft Update.

This security update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer.  The security update addresses these vulnerabilities by correcting the control and by modifying the way that Internet Explorer handles objects in memory.  For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7 (except when running on supported editions of Windows Server 2003 and Windows Server 2008), and Internet Explorer 8 (except when running on supported editions of Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2). For Internet Explorer 7 and Internet Explorer 8 running on Windows servers as listed, this update is rated Moderate.

IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Billy Rios
Program Manager
Internet Explorer Security

Comments (45)

  1. Gkeramidas says:

    i just wish the rss update issue would get fixed. my feeds will not update after i resume from sleep mode and i get tired of having to disable and enable msfeedsync so they will update on schedule, instead of 12 hours from now.

    this has been going on for a year now. please release the fix, that supposedly was checked in 3 months ago.

  2. windboy says:

    thanks for your reminding

  3. Anonymous says:

    Thanks for this. I got the automatic update, and I’m happy with the new features you have added, and the troubleshooting that was done.

  4. windboy says:

    very nice…thanks for sharing..

  5. dvestv says:

    Thanks for sharing this update to ensure the safety of the IE users, in addition of windows security add-ons. In this regard, many users of IE now trust its service. Thanks to it.

  6. marc says:

    Thank you very much for sharing this update. By the way, how are you doing with SVG support in IE? Any plans , roadmaps ?

  7. dangnabbit! says:

    IE Team, please fix the closures issue. No other browser has problems with their DOM and JS engines not talking to each other.

  8. Phil says:

    Let me just speak for everyone who reads this blog:-

    Microsoft, fix every single issue with IE right now please.

    Microsoft, please add every feature that Chrome, Safari, Opera and Firefox have please.  Now would be good.

    Microsoft, please set in stone your plans and timetables for IE 9 and don’t you dare change them without writing to everyone first.  Sometime around now would be good.

    SVG and rounded corners!!!  In the next update please.

    Did I forget anything? 🙂

    (Yes I’m being completely sarcastic, I just get tired of hearing the same comments on posts that have nothing to do with those topics so I thought I’d just get it over with.)

  9. Matt says:

    Phil: You forgot a few important ones. We need HTML6 support and CSS4. Backported to IE6, as well.

  10. IE8 plugin issues says:

    Hi MSFT,

    I’m not sure which plugin is doing this but I’m finding in our in-house web app that IE8 will randomly open popup windows (as intended) but not "fetch" the page. (e.g. no HTTP Get request is ever sent (checked with Fiddler)) (so all you get is a blank white page)

    It is totally random, and the same link pasted elsewhere works fine and the popup works fine in all other browsers and IE6 and IE7.

    However once it does happen, loading that popup page will fail repeatedly until the browser is closed and restarted.

    There is no JS error (on the popup or the opener)

    I’m going to try turning off all addons and slowly re-introduce them but its a pain due to the random nature – I can only "verify" if the issue happens, not if an addon is "clean".

    Have other developers reported any issues like this?

    Since I’ve really only started seeing this in the past 2 months I suspect one of the developer addons like:

    – AOL pagetest

    – DynaTrace AJAX edition

    – MyFast (MySpace YSlow equiv.)

    – Google pagespeed

    – IE developer toolbar (I don’t think this has changed much recently – I’m just trying to use it more now to debug)

    – Fiddler2 (I got some updates for this recently)

    I’m not finger pointing (I don’t care which addon it is) I would just like to be able to isolate and remove the glitch from my dev environment(s) and test beds.

    Thanks

    Joel

  11. Phil says:

    @Matt – Darn, you’re right!  I did forget those – oh, and the ability to have IE 3, 4, 5, 5.5, 6, 7, 8 and 9 installed simultaneously without any kind of dll conflict.  

    Migrate to webkit too, in your own time MS, but now would be good 🙂

    I bash MS just as much as anyone else but sometimes I do feel kinda sorry for Dean and Eric and the stuff that gets hurled to them on here, so hopefully my posts today have put a little smile on their faces.  Now get back to work, slackers 🙂

  12. Chuck says:

    Hi Billy,

    For some reason new IE8 update is crashing IE8 on our flash and ajax update with smartscreen filter turn on. Can you check please.

    For proof of concept vist the following page with smartscreen filter turned on: http://www.buzzen.net/chatui.aspx?rm=%25%23DevCafe

    Thanks in advance

  13. Chuck says:

    ehhh typo, I meant flash and ajax application.

  14. @IE8Plugin: It’s definitely the case that some of the performance tracking addons can cause stability issues. I haven’t used MyFast in months, but the version I used was extremely crash-prone.

    Fiddler has no impact unless it’s running, and doesn’t have the problem of causing requests to not be shown.

    My guess is that whatever the buggy add-on is, it’s leaking HTTP connections, such that the connection limit is exhausted and the new window basically waits forever for a socket to become free. If you try to navigate the main window to a different page on the same site, does it work?

    @Chuck: I have no problems with that page. Are you running the latest versions of your addons? Does it crash in no-addons mode?

  15. Jason says:

    The update was installed on my fresh Windows 7 Ultimate x64 laptop last night.  IE8 is now freezing up at many sites even after reseting the browser to default settings.  For example http://money.cnn.com freezes the browser.  It almost seems like a conflict with flash??

  16. Chuck says:

    Hi Eric,

    It crashes in no-addons mode too with smartscreen filter turned on.

    This is the error message in windows event logs:

    Faulting application iexplore.exe, version 8.0.6001.18865, time stamp 0x4b077416, faulting module mshtml.dll, version 8.0.6001.18865, time stamp 0x4b078a9b, exception code 0xc00000fd, fault offset 0x000d6a3b, process id 0x6dc, application start time 0x01ca796afa055abe.

  17. Ryan says:

    Hello Guys,

    I am see many IE8 freezes in IE since the patches were installed yesterday.  I’m even seeing issues with Firefox freezing.  My son, who has a similar Win7 x64 system, is also seeing IE8 freeze issues and also his viewer for Second Life now hangs also??  Great patch to end the year with??

  18. Chuck2 says:

    Hello Chuck, My IE8 browser also freezes when I launch that link to the Buzzen Chat.

  19. chuck2 says:

    Hello Chuck,

    My IE8 also freezes when I launch the link to the Buzzen chat.

  20. Mk says:

    Feature suggestion for IE 9

    remove the search box and integrate it to smart address bar with a Kwiclick(firefox add-ons) functionality. KwiClick opens a dedicated search dialog that finds results from Google, YouTube, Wikipedia, Twitter, and more without having to leave the page. but instead of having a dialog box put the search result inside the smart address bar.

  21. Steve W says:

    @Joel(IE8 plugin issues)

    Not sure if it’s plugin based as I had it happen to me in No addons mode.  

    I found that a bunch of iexplore processes will be running when this happens.  Kill those first and then run this cmd script(search IEREREG Version 1.07) that re-register’s a bunch of IE8 dlls and that fixes it.

  22. Bill says:

    @Phil,

    You also forgot to mention APNG support. 😛 (which, coincidentally, Opera and Firefox already support. 😉

  23. hAl says:

    @EricLaw

    IE pages hanging is a fairly common occurrence.

    Some kind of recovery from slow addon which also recover/resotre the http connections would be a lot more usefull than SVG support.

    For instance kill any hanging addon and recover/reset/restore the session when a user clicks on the stop button which currently often does not do anything.

  24. jeffrey says:

    Do no Harm! My embedded youtube videos no longer work, you guys killed the flash player! yikes!

  25. Raghupathy says:

    I think IE 8 works much better in Vista than in XP,dont no about 7,we all know how IE 8 is slow  and how new tab takes all the time in the world to open in XP and dont forget the crash we often face.That’s one of the primary reason for the low percentage of people using IE-8.So no matter how much better you make the browser you have to either do one of two things,One make it work in XP,or ask people dump XP which is unlikely in near future

  26. Mitch 74 says:

    A little question: when installing IE 8 on Windows XP, I get asked to download the latest updates for IE. This is all well and good, but Jscript 5.8 updates don’t get pulled in… Is that normal?

    I’d also like to know if IE 9 will be ported to WinXP; eventhough Direct2D will be used on Vista and Seven, I don’t think it’ll work when either of these will support Direct2D in safe mode – and a browser that is unusable in safe mode is useless. So, there must be a gdi+ fallback mode… And IE 9 in XP.

  27. Mark says:

    Raghupathy: You are confused. IE8 is currently web browser most commonly used, and IE6-8 have twice the marketshare of all of the competition combined.

    IE8 works well on XP.

  28. Joel says:

    @Eric Law – it looks like I’m far from alone in experiencing IE issues with blank pages.

    Steve W. pointed out this site:

    http://iefaq.info/index.php?action=artikel&cat=42&id=133&artlang=en

    That has a registry script to fix IE.  It looks "decent".  Is there any chance you can review/endorse this?  If not, any chance you can identify which registry items are valid (e.g. to check for)

    In the mean time I disabled all my addons – I can’t figure out how to uninstall them – I did find a [Remove] button inside a [more information] link for each addon but it was disabled for each I tried. PS I run with admin rights so I’m not sure why I can’t remove them.

    I haven’t re-seen the bug yet, but its only been 2 minutes so far.

    thanks

    Joel

  29. George says:

    Ever since i upgraded to this Security update every click to change page generates this popup: This page has an unspecified potential security risk, would you like to continue. It is very annoying and time consuming, any fix?.

  30. ieblog says:

    @George: Try clicking Tools / Internet Options / Security / Reset all zones to default level.

  31. thecrochunter says:

    It’s odd that everyone’s having problems with IE, there’re all update related.

    So after I reinstalled Windows XP SP3, I decided not to update my computer with MS updates. It’s still working like it was never used. I updated to IE8, again no updates or plugins (except Flash) and no problems have arised. It boots in about 20 seconds and this is on an ancient AMD Duron 1.2GHz, 1GB RAM machine.

    I use Firefox if anyone wondered that I use IE8.

  32. thecrochunter says:

    Uh-oh. Just found a typo in my post. In the first sentence I meant *they’re*, not ‘there’re’.

    I’m not sure if people will make sense of the last sentence.

  33. Facings tanden says:

    I’m happy is passes the Acid3 test with a score of >30. Good news for webdevvers.

  34. harold says:

    @Facings tanden – IE9 does NOT "pass" the Acid3 test.  Passing that test would require a grade of 100% a mark which IE is not even half way close to achieving.

    IE9 looks from the previous blog post to be advancing in its support of Web Standards however MSFT hasn’t clarified how the mode setup will work in IE9, which is very important.  When IE8 was released it forked the logic from the old Quirks/Standards split to Quirks/Standards/IE8 Standards.

    IE9 will now present 4 rendering modes: [Quirks/Standards/IE8 Standards/IE9 Standards]

    I hope that MSFT seriously reconsiders this approach and changes to cover:

    [Quirks/Legacy Standards/Standards]

    All other browsers have just Quirks/Standards and are beautiful to code against… add a Doctype and you are in Standards mode – plain and simple.

    I’m tired of developing for all the issues in IE – I don’t want to have to do this anymore.

    We’re dropping support for IE6 in the new year (2010), and dropping support for IE7 in 2011.  Financially and mentally supporting old versions of IE is just not viable any more when there are plenty of alternate browsers that don’t suffer from the years of unfixed bugs that IE does.

    Can’t wait for 2010!

  35. nobody says:

    @harold

    Stop whining. If your job is too difficult for you do something else.

  36. mike says:

    @nobody – why should @harold not state his case?

    I love programming web apps – and if I had millions of dollars I’d still program more web apps…. but I certainly don’t and would not enjoy making them work in IE.

    Programming for Safari, Firefox & Chrome is a piece of cake.  IE8 running in "better" standards mode is tolerable but IE7 and IE6 are like trying to program web apps to run on Netscape 4.x – just plain horribly annoying.

    As I said – I love programming for the Web – but programming for IE is a PITA – plain and simple.  I’m not gonna change career paths due to and end-system that can’t keep up.  I’ll support it as long as the money allows me to but I’ll be dropping support just like @harold as soon as it no longer makes sense (which by most predictions will happen in 2010)

    Mike

  37. @thecrochunter: Failing to install updates is a bad idea; you’re putting the system at risk from a security point-of-view, and you’ll never get any fixes for known crashing bugs.

    In terms of troubles with updates– while we investigate any reported issues, it’s important to take such reports with a grain of salt– every Windows Update is successfully installed without any problem by many hundreds of millions of users. For some users, the reboot to finish installing the patches is the only reboot they’ve done for many weeks, and the reboot itself may have the side-effect of revealing a configuration problem that occurred weeks ago.

  38. wonkette says:

    I wish you guys would make a totally new browser like Safari or Chrome, built to be fast fast fast, won’t crash, supports HTML5 and all web standards, doesn’t use anything  proprietary, etc.  Open source it, too, so that others will build on it.  Give it away.

    And don’t call it IE.  Pick a new name, just like Bing was a new name for Live and is better than Live search.  A Bing Browser, perhaps.  

  39. Johnnyq3 says:

    You guys are some serious trolls of sorts going on about Webkits this and Webkits that.

    Webkits isn’t perfect and Trident isn’t either but have 3+ browsers based on Webkits is a horrible idea.  Firefox will be the only one not conforming.  No renderer is perfect and Acid 3 isn’t final.  Just remember that.

  40. thecrochunter says:

    @wonkette: It would be interesting to see if MSFT ever releases a Web browser under it’s ‘Bing’ brand.

    @EricLaw: I have used Windows for months w/o applying any updates whatsoever and no viruses were picked up.

    @Johnnyq3: I think it’s best to just leave the Webkit thing out for the time being. And, Opera doesn’t use WebKit either; it uses Presto.

    @nobody: It’s interesting to see you (negatively) commenting on someone who’s trying to make a point.

  41. dlh2009 says:

    Developers, Developers, Developers…. What is Steve Ballmer talking about?  If he is for Developers, then he would tell the IE team to start sticking with web 2.0 standards and make it easier for Developers to support IE.

  42. nustor says:

    I had the same problem like George. It’s ok now after reseting all zones to default level. Thanks!

  43. WoodyKC says:

    I made the mistake of downloading IE8 on an XP professional laptop and desktop.  I now only use Safari or Firefox on those computers.  However, my wife bought me a new laptop with Windows 7 64 bit, IE8 is great on this platform.  Another example of MS pushing you towards upgrade, something the 3rd party people love.  Safari is much better on non 64 bit machines, then Firefox, IE8 is a long way behind.

    Remember how MS tried to kill VB?  They are repeating the errors of the past.  I agree in both cases that C# is better and so is Win 7, but you can’t bully people forever.

    btw the Safari spell check is awsome, Firefox’s is good to.  Is it that beyond IE?

  44. Mitch 74 says:

    @dlh2009: some consider that Web programmers aren’t developers. Maybe Monkey is of that group…?

    @WoodyKC: from my testing, IE 8 on XP and on Vista or 7 is functionally identical (it may not have Protected Mode, but since I disable UAC and use limited user accounts on all OSes, it becomes moot) and I couldn’t find any variation in performance nor stability. One thing you can try is remove OEM settings: in a command prompt, run

    rundll32 iedkcs32.dll,Clear

    then reset the browser (Control panel->Internet properties->Advanced->Reinitialize) to give IE (all versions) a thorough scrubbing.

  45. hAl says:

    @WoodyKC

    Yes, a builtin spellchecker would be great. Much more usefull in practical use than SVG or nonstandardized html5 support.