IE December Cumulative Security Update Now Available


The IE Cumulative Security Update for December 2010 is now available via Windows Update. This security update resolves four privately reported vulnerabilities and three publicly disclosed vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. For more information about the vulnerabilities, please see the full bulletin.

The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2458511.

The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Ceri Gallacher
IE Servicing PM

Comments (28)

  1. Will says:

    IE 9 not affected?

  2. Spindel says:

    Weird, I only have IE9 installed and I got the update too.

  3. Loow says:

    when will the IE9 RC be released? i mean it was more than 2 months ago since IE9 released any new versions to their real homepage, when will RC be released ?

  4. Hans says:

    Hm… KB2416400 fails for me with error 80092004, stand-alone installation fails too, all other updates installed fine.

  5. Andre says:

    @hans I have the same error as you. have you fixed it?

  6. Hans says:

    @Andre: I haven't, but I believe the problem is because I have installed a hotfix that fixes a problem fixed by this cumulative update, so uninstalling it would probably solve it.

  7. Steve says:

    I hate to repeat this here but once a post on the IE blog is not the latest post it gets ignored.

    Can someone from Microsoft please make a statement about shutting down the IE6/IE7/IE8/IE9 images at http://www.spoon.net/

    ======================================================================================================

    This was **THE** most useful resource for testing multiple versions of IE and the shutdown really ticked developers off!

    As a long time web developer of Enterprise Web Applications I've tried all the options out there to try and simplify testing IE and the lack of realistic options is a royal PITA.

    1.) Multiple IEs – IE8 breaks the functionality of IE6's textboxes – thus it's a NO-GO

    2.) IETester – works great until you need to test popup interaction and then it fails – thus a NO-GO

    3.) Virtual PC with timebombed images of IE6, IE7, IE8 – works ok, but the 12Gigs of HD space needed is frustrating when each full image of Windows dies 4 times a year, running a full Windows image is slow and you have to beg for updates because the releases are not co-ordinated and announced well at all – thus it's a NO-GO

    4.) IE Super Preview – Last I checked this did not allow full testing of IE user interaction, JavaScript DOM changes, popups etc. – thus it's a NO-GO

    5.) Multiple PCs to run multiple versions of Windows and IE.  With all the hardware, software, and physical space needed – it's a NO-GO

    6.) Spoon.net IEs – They work, they work just like local native apps once running, and there's no hacking of my real local IE install. – the **ONLY** problem with these IEs is that Microsoft shut them down

    Please understand that we (developers) just want something that works.  Testing in multiple versions of IE is a pain to begin with and with IE9 on the horizon it is only getting worse.

    I'm not sure where the issue stands with Spoon, but I would really like a solution worked out fast.

    Steve

  8. Prior Semblance says:

    @Steve

    Stop worrying about IE6 =p

  9. Richard says:

    No mention of the CSS import rule vulnerability?

    secunia.com/…/42510

    There's nothing on this blog, nothing on the MSRC blog, and no sign of an advisory. Presumably a remote code execution exploit isn't important enough to mention?

  10. Richard says:

    No mention of the CSS import rule vulnerability?

    secunia.com/…/42510

    There's nothing on this blog, nothing on the MSRC blog, and no sign of an advisory. Presumably a remote code execution exploit isn't important enough to mention?

  11. Richard says:

    Sorry for the duplicate – the "Post" button doesn't seem to work in Firefox.

  12. n0d says:

    WHEN WILL IE9 "RC" BE RELEASED IN THE ie.microsoft.com/testdrive WEBSITE ? ? ? SOMEONE PLZ ?

  13. Switched forever says:

    I am switching today to Opera 11 because of the dumbed down non-customizable POS IE9 is. Nothing matters more than usability and customizability and your software lacks that. IE8 wasn't so bad but you BLEW IT with IE9.

  14. Ottmar Freudenberger says:

    @Hans & @Andre

    Just in case my guess that you're German is correct, you might like to have a look at my (German) article about the possible issue: patch-info.de/…/1005

    Bye,

    Freudi

  15. Steve says:

    @Prior Semblance – I wish I could… for Enterprise Web Apps… supporting IE6 for a little longer is unfortunately a requirement.

  16. mocax says:

    off topic… but when will internet explorer ever have a "Show Blocked pop-up" option?

    I only have the choice to temporarily show pop-ups. But that will mean refreshing the page again. This is BAD if I'm doing payment. I'll either end up paying TWICE or lose all transaction info….. :(

    Firefox is able to do it, it lists the popups, and lets me choose which one to open…. why not in internet explorer?

  17. online-article.blogspot.com says:

    ok thanks for update

  18. zzz says:

    If I am on Win 7 SP1 RC and have not yet been offered this through WU, should I be worried / uninstall RC or attempt installing this manually? Or is SP1 RC already safe.

  19. berzokrm says:

    This is my first-time comment, so please forgive any ignorance. I have been using the Auto Updates feature for my Windows XP (latest service pack, etc) for a long time (a few years) without any problems, and most recently have received and installed all the December updates EXCEPT for the security update KB 2289162. My Dell 8000 successfully downloads the security update, BUT fails to install it with the following message resulting: "Auto Updates: Some updates cannot be installed: Security update for Microsoft Office (2002) XP KB 2289162." Additionally, every time I click on OK to the "error message," the system then automatically redownloads the update but doesn't let me install it. I have disabled my Norton 360 features; I have enabled them, both to no avail. Previous security downloads have installed without any problems. Any suggestions, advice, direction would be greatly appreciated.

  20. Loow says:

    someone please when will IE9 RC be released on this microsoft IE9 website ? because my IE9 BETA1 does not work well and sometimes it hangs on some website.

    so when can i download IE9 RC please anyone ?

  23. hexaae says:

    Please, fix a VERY ANNOYING bug in IE9beta:

    after its installation all email programs (Windows Mail on Vista or WLM2011 with Vista/7) add a '?' at the beginning of outgoing mails (e.g. "?Hello,"). The only workaround is to use Unicode UTF-8, all other codesets suffer this bug. Once you remove IE9beta everything returns ok.

  24. ST says:

    Microsoft Internet Explorer CSS Import Rule Use-after-free Vulnerability

    http://www.vupen.com/…/3156

    wooyun.org/…/wooyun-2010-0885

  25. James says:

    Setting the innerHTML is still broken in IE9 platform preview 5/6. It's pretty disgusting that Microsoft hasn't cleaned up their act with adhering to the specs. – yes that's right… The specs! as of HTML5 innerHTML is a standard setter/getter in HTML DOM manipulation and it ***must*** work on all elements in the DOM that can contain HTML.  Until IE fixes this IE9 will absolutely NOT be HTML5 compliant!

  26. Barb says:

    This IE9 beta sucks…..how do i go back to IE8…..when i try to download IE8 it tells me i have IE 9( well i don't like it and wanna go back)
