IE Cumulative Security Update Now Available


Today we released a Cumulative Security Update for Internet Explorer. We’ve released this Cumulative Security Update earlier than originally scheduled based on malicious activities reported on the web. The update is available via Windows Update and Microsoft Update. Most users configure their machines to update automatically; you can find more information on that here.

This update actually includes 236 separate packages for all the different languages and versions of Windows and IE that customers run and Microsoft supports worldwide. We release these packages simultaneously for all supported products and languages as part of this update. The complete matrix of browsers, operating systems, and languages is available in the security bulletin. At a high level, these packages cover:

  • Seven operating system versions: Windows 2000, Windows XP, Windows Server 2003, 2008, and 2008 R2, Windows Vista and Windows 7. Customers run 32-bit, 64-bit, and Itanium versions of some of these operating systems, at a variety of different service pack levels.
  • Four different versions of IE: 5.01, 6, 7, and 8.
  • All supported languages. Older versions of Windows require separate language-specific packages, typically between 18 and 25. Windows Vista and later operating systems have a single language-neutral binary to update IE.

We test each security fix thoroughly with different variants of the security issue. We also test the entire package extensively for compatibility and reliability, as well as for any setup, deployment, and manageability issues. Security updates are also cumulative: each one contains all previously released updates for that version of Internet Explorer, which makes it easy to secure any system, whether it was updated a month ago or never updated at all.

This update addresses several vulnerabilities including the one described here. Other blog posts describe specifics. Some of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Note that IE8 users on Windows 7 have extensive defense-in-depth protections with DEP, ASLR, and protected mode that make remote code execution from a malicious site extremely difficult. Microsoft therefore strongly recommends customers upgrade to IE8 to benefit from these extensive defense-in-depth protections.

For detailed information on the contents of this update, please see the following documentation:

We encourage everyone to set their operating system to automatically update with the latest security updates for all their software. You can find more information here.

Dean Hachamovitch

IE General Manager

Comments (60)

  1. Anonymous says:

    Thanks for the update Dean.

    For all those smart-a$$es out there making comments about using different Browsers/Operating Systems: Get over it!

    Are you perfect? No. So don’t expect everything else in life to be… perhaps you need to realign your expectations with reality.

  2. Anonymous says:

    It seems like there’s an update each week as I recall a cumulative update was applied just last Friday on my Vista box.

  3. Anonymous says:

    Glad to apply this as this update addressed this issue: http://www.microsoft.com/technet/security/advisory/979352.mspx

  4. Anonymous says:

    It seems like this release has a lot of issues so far.  They should do more testing before letting it go public.

  5. Anonymous says:

    I did not have any issues with this security update.

  6. Anonymous says:

    Just wanted to highlight a new IP lookup service: http://ipboo.com I use it a lot myself to check my own IP. Totally recommend!

  7. Anonymous says:

    My Internet Explorer stops working sometimes in Windows 7. Please download patch or fix

  8. Anonymous says:

    My IE stops sometimes using Windows 7

  9. turbo says:

    Thanks so much!!!!

  10. turbo says:

    Thanks so much!!!!

  11. iPhoneKönig says:

    IE8 really feel faster after installing this cumulative update?

  12. Anonymous says:

    I just upgraded to Firefox 3.6 instead.  Works much better.

  13. Anonymous says:

    How many configurations does something like this actually get tested on?

    What is the process to test on so many systems?

  14. Anonymous says:

    ted: IE is a system component, so if you don’t upgrade it, you’ll still remain vulnerable even if you don’t particularly use it to browse the net.

  15. Anonymous says:

    Arieta: well, I just upgraded to GNU/Linux

  16. Anonymous says:

    obj-juan: and the first time there’s an alert in a gnu/linux program you use, will you swap to osx? and then to BSD? and then os/2?

  17. Anonymous says:

    Is it just me, or does IE8 really feel faster after installing this cumulative update?

  18. Anonymous says:

    @obj-juan, what are you doing on IE blog then?

  19. Anonymous says:

    In related news: "Microsoft Learned of IE Zero-Day Flaw Last September"

    http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw

  20. Anonymous says:

    @Arieta

    IE is a normal application, just like Firefox, the only difference is that IE is preinstalled.

  21. Anonymous says:

    @Luc

    I wouldn’t call anything that prompts me to restart the computer after updating it a "normal application". Didn’t most normal applications stop doing that after Windows 98/Me?

  22. Anonymous says:

    I installed it this morning and it caused a BSD on my 64-bit Vista system.

    I got it going again, but this isn’t helpful.

  23. Anonymous says:

    @Steve Jones: It caused a BSD?! Man, I hate when patches cause free operating systems to show up. 😛

    On a more serious note, have you checked your dump/minidump to see what the cause was?

  24. Anonymous says:

    Has anyone from MS ever been fired b/c of these security problems?  If my track record was as bad, I’d have been shown the door a long time ago.  Is there accountability?

  25. Anonymous says:

    After restarting our server2003R2 machines, our static IP settings were magically changed to obtain an IP using DHCP. People could not access our web site. Why would this update change our IP settings?  

  26. Anonymous says:

    I’ve recently installed this cumulative update in my virtual machines with Windows 2000 SP4, Windows XP SP3 and Windows Server 2003 SP2 R2 and it worked fine! Also in my laptops with Windows Vista SP2 and Windows 7 – no problems at all 😉

    I don’t care about restarting the computer, it’s fine for me 😉

    I hope this 2010 we can see IE9 with a much better standards’ support 😀

    Best regards from Peru!

  27. Anonymous says:

    <<Why would this update change our IP settings?  >>

    It wouldn’t. You did something else that just happened to take effect because of the reboot.

  28. Anonymous says:

    I’ve updated several machines at home and at work with a mix of OS/browser combinations, both physical and VM, 32 bit and 64 bit, and I didn’t have a single problem on any of them.

  29. Anonymous says:

    Static IPs changed to DHCP. Any suggestion other than we must have changed something? I know for a fact that nothing changed on one of the two machines, just download and reboot. The other is our production web server and I don’t think anything was changed on that machine. Yet they both were reset to get IP using DHCP after reboot.

  30. Anonymous says:

    I just installed it, and it ate my cat… it got better, but disconcerting nonetheless.

  31. Anonymous says:

    @Dan,

    Maybe some network driver issues with the update, or something. The possibilities are endless due to the infinite possible combinations of hardware and software on a system. Maybe the update just doesn’t like your network driver + SCSI driver combination, or your network driver + graphics driver combination, or network driver + something else combination. Basically, it’s just bad luck (or maybe not so bad since it’s easily fixable).

    This kind of thing can happen all the time with the wide variety of software and hardware available; something can run fine on a million systems, and it may just crash your system.

  32. Anonymous says:

    KB 978207 caused every application that uses IE7 including IE to crash. Almost no software installed on this machine. Rebooted multiple times, disabled all add-ins – no change.

    Uninstalled, rebooted, reinstalled, rebooted

    fine

    Thanks for the awesome Q/A

  33. Anonymous says:

    @MDR: Collecting more information about this problem will enable further investigation into what is wrong with your particular system. Which version of Windows are you using? What other applications were broken?

    http://blogs.msdn.com/ieinternals/archive/2009/10/12/Collecting-Internet-Explorer-Crash-Dumps.aspx explains how to get the "crash bucket" information and/or an actual dump of the problem.

    Did you contact Product Support?  (http://support.microsoft.com)

  34. Anonymous says:

    Update crashes Word and Excel 2007 as well as IE 8.  Rebooted several times.  Only thing that fixed the problem was using an earlier restore point.  Using Windows 7.

  35. Anonymous says:

    I had the same problem – patch KB978207 installed and after the reboot IE8 crashed every time I started it, as did Outlook 2007 when I tried to read an email. Only thing that cured it was restoring to before the patch. I am running Windows 7 too.

  36. Anonymous says:

    system nightmare.  windows 7, 64bit.  browser slow, outlook dead.  rebooted five times, will restore.  

  37. boen_robot says:

    I have installed this update from Windows Update on Windows 7, as well as on Windows XP at least 5 times now, on different computers, and haven’t had a crash so far. And all computers had a fair amount of software installed on them before the update process started.

    To anyone experiencing problems, I have to ask – do you have any kind of "registry cleaner" programs or any kind of "clean up" and "tune up" tools? Do you have FlashGet or another kind of a download manager? Because those are the two primary causes I’ve found to dramatically affect IE, and those are the only kind of things I don’t install anymore, exactly for that reason (Note that I do install a torrent client though…).

  38. Anonymous says:

    Does this update include some improvements in SVG support?

  39. Anonymous says:

    After installing the patch, the layout of my web-application and several other sites are not displayed correctly anymore.

  40. Anonymous says:

    @carlos: sure! It makes sense that a mere security update would slip in new major features that aren’t security related, right? And without letting you know about it, too.

  41. Anonymous says:

    Like many people here, Windows Update installed the KB978207 on to my Windows 7 64bit installation. IE8 crashed out after 4 tabs were opened, Firefox also went the same way after multiple tabs were open. Windows Explorer failed to show my directories – non responding, and generally Windows came to a complete stop. I had to reboot multiple times. In the end uninstalled the patch, system is back to normal.

    Is it safe to say that as long as you have IE8, you should be fine? Is there really a need to install KB978207?

  42. Anonymous says:

    I think the first list item needs to be corrected. It does not work with IE8…please instead use with IE8…

    http://www.microsoft.com/downloads/details.aspx?familyid=e59c3964-672d-4511-bb3e-2d5e1db91038&displaylang=en#AdditionalInfo

  43. Anonymous says:

    @John: I believe you’re simply misreading the page. It says, basically: "Do not try to use the downloadable Developer Toolbar with IE8; instead simply press F12 to get the built-in developer tools, which obsolete the old downloadable toolbar".

  44. Anonymous says:

    I have installed this update on hundreds of machines so far (mostly via WSUS). These include Windows XP and 7. Bare metal installations and a lot of Virtual Machines (VDI: VMware View 4).

    I also installed it on a lot of Terminal Servers, RDS Servers and a couple of Citrix XenApp farms.

    I’ve seen no problems with this update, great quality!

    That said, I didn’t see any problems with updates since Windows NT 4, Service Pack 6 (not 6a).

  45. Anonymous says:

    Applied the update along with others to my Vista Home Premium SP2 and the system was unable to start windows.  Works fine once restored to pre-update restore point.  Did the update again with only the cumulative update.  Same result.  Conclusion, the update is the culprit.  Guess I’ll have to remain vulnerable.

  46. martinm79 says:

    @ted I also use Firefox, but IE is my favorite browser.

    Firefox also has bugs.

  47. Anonymous says:

    Firefox has bugs, as any software.

    But critical/security bugs in Firefox are corrected much faster than Microsoft do.

    It’s the only way it’s hurting: it seems MS was aware since last September? It seems the commercial pressure was strong enough for this release, not a security pressure.

  48. Anonymous says:

    @GeoVah

    [quote]But critical/security bugs in Firefox are corrected much faster than Microsoft do[/quote]

    When looking at the patches by Mozilla for Firefox we regularly see patches for critical leaks that are more than a year old. Firefox patches for critical vulnerabilities are not particularly fast.

    I do not see any justification for your claims.

  49. Anonymous says:

    The IE Team needs to drop their willful ignorance of IE’s bad week and actually make a blog post repenting.

  50. Anonymous says:

    Nice to see you again, Fiery! The new trolls just don’t have as much personality.

  51. Anonymous says:

    @Geovah

    Read page 37 again and find that Mozilla has fewer exposure days not because their browser is less vulnerable (it actually has double or triple times the numbers of patches) but because they have better responsible disclosure.

    That just shows that security researchers have a tendency to report IE vulnerabilities more often publicly.

    However those figures show that Firefox actually has tons of vulnerabilities in 2007 and 2008 (103+83) compared to IE (28+31).

  52. Anonymous says:

    I installed the IE8 Update and now we are having issues on our Intranet with cookies.  I am on Windows 7 and get the following error "Object doesn’t support this property or method: ‘Cookies’".  Anyone else having this issue?

  53. Anonymous says:

    Finally discovered the software clash that stops IE8, Word and Outlook 2007 working at all after patch KB978207.  It is PGP encryption 9.8 – even without the services running.  Once this is uninstalled all MS products work fine.

  54. Anonymous says:

    Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e

    Faulting module name: urlmon.dll, version: 8.0.7600.16490, time stamp: 0x4b2c9600

    Exception code: 0xc0000005

    Fault offset: 0x000a9cae

    Faulting process id: 0xaec

    Faulting application start time: 0x01caa22b43480956

    Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe

    Faulting module path: C:\Windows\system32\urlmon.dll

    Report Id: 53d14c8a-0e24-11df-aaae-8000600fe800

    My IE always crashes; this is the event log. Any ideas?

  55. Anonymous says:

    Be Aware!

    After installing this update I was getting random BSOD crashes that would happen within an hour of logging on to the computer.

    I’ve definitely narrowed it down to this update. Install the update and get a BSOD within an hour. Uninstall the update and never get a BSOD. Ran for two days without the update and no BSOD, tried installing it again and wham … BSOD within the hour!

    Haven’t narrowed down exactly what is happening yet. But I’ve had to hide this update to prevent the BSOD issues.

    Running Windows 7 Enterprise x64 with IE8

  56. Anonymous says:

    @lynx: You’re mistaking coincidence for causality. BSODs occur when your computer’s hardware is failing, or when a driver running in Kernel mode crashes. None of IE’s components run in Kernel mode, and no (sane) driver depends on IE components. So, the cause of your problem isn’t this update. You should look in your system’s event log for more information on the BSOD, specifically what the error code is.

  57. Anonymous says:

    @Junge Wang: That looks like a rarely encountered issue. Please try this: click Tools > Internet Options > Delete Browsing History. Check the "Temporary Internet Files" and "History" checkboxes, and then click the "Delete" button.

  58. Anonymous says:

    I wonder why I got no autoupdate for this in Windows 7. I didn’t notice any autoupdate nor is there any in the Update History. I thought it may come at the next patch day. But now I will install it manually.

  59. Anonymous says:

    @EricaLaw: It works, thanks a lot.