Microsoft Security Bulletin MS13-008 – Critical


Today, we are releasing an out-of-band security update to fully address the issue described in Security Advisory 2794220. While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future.

This security update resolves one publicly disclosed vulnerability in Internet Explorer versions 6, 7, and 8. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 and Internet Explorer 10 are not affected. For more information, see the full bulletin.

Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

— Tyson Storey, Program Manager, Internet Explorer
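For administrators who patch from a console rather than rely on automatic updating, the following Windows PowerShell snippet is an added example, not part of the bulletin and not Microsoft tooling. It reports whether a host falls inside the bulletin's scope (Internet Explorer 6, 7 or 8), which severity rating applies (Critical on Windows clients, Moderate on Windows servers) and whether a given update is installed. The KB number is a placeholder: the bulletin above does not state it, so substitute the id from the full bulletin before use.

```powershell
# Added example (not from the bulletin): audit a single host for MS13-008 exposure.
# Assumptions: run in an elevated Windows PowerShell session; 'KB0000000' is a
# placeholder and must be replaced with the update's KB id from the full bulletin.

function Get-IEMajorVersion {
    # Internet Explorer records its version under this registry key. Newer builds
    # write the real version to svcVersion and leave Version at a 9.x value, so
    # svcVersion takes precedence when present.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    $raw = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]($raw.Split('.')[0])
}

function Get-WindowsRole {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Get-WmiObject is used rather than Get-CimInstance so the check also runs on
    # PowerShell 2.0 hosts, which is where IE 6/7/8 are most likely to be found.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    if ($os.ProductType -eq 1) { return 'Client' } else { return 'Server' }
}

function Test-HotFixInstalled {
    param([string]$KbId)
    # Get-HotFix emits an error when the id is absent; suppress it and test for a result.
    $hf = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Get-MS13008Status {
    param([string]$KbId = 'KB0000000')   # PLACEHOLDER: replace with the bulletin's KB id

    $major = Get-IEMajorVersion
    $role  = Get-WindowsRole

    # Bulletin scope: IE 6, 7 and 8 are affected; IE 9 and 10 are not.
    # @(...) -contains is used instead of -in so the script runs on PowerShell 2.0.
    $affected = @(6, 7, 8) -contains $major

    $severity = if (-not $affected) { 'Not affected' }
                elseif ($role -eq 'Client') { 'Critical' }
                else { 'Moderate' }

    $installed = if ($affected) { Test-HotFixInstalled -KbId $KbId } else { $null }

    # A host needs action only when it is in scope and the update is missing.
    $actionNeeded = $affected -and (-not $installed)

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        IEMajorVersion = $major
        WindowsRole    = $role
        Severity       = $severity
        UpdateId       = $KbId
        UpdateInstalled = $installed
        ActionNeeded   = $actionNeeded
    }
}

# Usage: report on the local host. Pipe the result to Export-Csv when collecting
# from several machines via Invoke-Command or a logon script.
Get-MS13008Status -KbId 'KB0000000' | Format-List
```

The check is host-local and meant to confirm what an update management system reports, not replace it: it tells you whether a machine is in scope and whether the update is present, and nothing about whether the browser has been restarted since installation, so treat a Critical host with ActionNeeded set to True as unpatched until it reboots.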

Comments (43)

  1. Prior Semblance says:

    Anyone still using IE6 or IE7 deserves to get hacked, should have limited this fix to IE8 =p

  2. Todd says:

    Is this the security hole with the mouse movements being tracked outside the browser window or is this a new security hole?

  3. yuhong2 says:

    Prior Semblance: That is not how the support lifecycle works. Yes, even IE 5.01 for Windows 2000 was supported until 2010.

    Todd: No, that is another more serious zero day that can be used for remote code execution.

  4. Windows RT Fail says:

    Are the rumors that Microsoft is planning to ditch Windows RT development true?

    We know that Fujitsu, HP, Dell, Samsung, Toshiba & Acer have all dropped (or severely delayed) any intention of building a Windows RT tablet due to the complete lack of demand for the OS/Device and the totally absent marketing material explaining that these new Windows tablets can't run windows applications.

    Insiders with connections to Mary Jo Foley and similar are hearing that there is trouble in the hen house and that a major disruption in the RT department staff shake up will seal the end of the RT line.

    Will Microsoft keep their promise of 4 years of support? or will they ditch support like a cinder block like they did with Windows Phone 7?

    I'm really wondering if trying to support IE 10 in Metro mode is even worth it with where this market is going – it seems like a ton of work for a DOA device/OS.

    R.I.P. Windows RT

  5. @Microsoft says:

    IE blogs other than English should translate a new report early.

    Four affairs have accumulated.

  6. @Yuhong says:

    I know, I was joking that's why I put =p  Although it would be nice if Microsoft stopped supporting older versions of IE for so long, there's really no reason for anyone to still be using an 11 year old browser.  IE7 is slightly understandable, but still anyone on XP has had nearly 4 years to update to IE8.

  7. confused says:

    Why are the downloads only available in English?  We also need to deploy French.  Pretty annoying.

  8. فهد says:

    Thanks for the program.

  9. Listener says:

    @ Windows RT fail: Have you got any links for backing these rumors? I would love to know more.

  10. Gordon says:

    OMG! the spam filter on this blog is insane! trying again for like the 10th time!

    @Listener – I don't have any sources willing to go public on it yet but I too have heard the rumors.

    As for the vendors that have ditched Windows RT there are several and they were very public about it:

    Samsung: http://www.electronista.com/…/samsung.joins.hp.toshiba.on.list.of.companies.refuting.rt.at.present

    Toshiba: http://www.windowstablet.tv/…/741-toshiba-drops-windows-rt-tablets-in-favor-of-windows-8-tablets

    (part 1)

  11. Gordon says:

    (part 2)

    Acer: article.wn.com/…/Acer_delays_Windows_RT_tablets_as_it_gauges_Surface_acceptan http://www.bbc.co.uk/…/technology-20156061

    HP: lazytechguys.com/…/report-hp-drops-windows-rt-as-microsoft-readies-surface

    I'm presuming that the spam filter is looking for a ratio of plain text to links therefore this is just a bunch of garbage text to overcome the blog software's inability to properly detect valid content.  In addition of course I need to ensure that I don't wait too long on this page or the timer will deny my post.  Did I mention that the IE Blog comment form is frustrating beyond belief?

  12. Gordon says:

    (part 3)

    Dell: techbeat.com/…/dell-hp-and-asus-windows-8-tablets-delayed

    Best of all even Microsoft Employees haven't got a clue how to gently tell customers that Windows RT won't run windows apps!

    http://www.theverge.com/…/windows-8-vs-windows-rt-surface-confused-microsoft-store-employees

    CNet has the top 10 list of why Windows RT just can't succeed.

    1. Flash only works on approved sites.

    2. So-called legacy apps — the traditional programs for older versions of Windows — won't run on Windows RT.

    3. Apps can only be purchased through the Windows Store.

    4. The apps that are available are pretty limited.

    5. Even some traditional Microsoft programs won't work with Windows RT.

    6. You can only get Windows RT already bundled on a device.

    7. Windows RT will have a desktop mode, but it will be restricted to pre-installed, Microsoft-produced software.

    8. For business users, Windows RT is less than ideal.

    9. The number of Windows RT devices is pretty limited.

    10. Overall, Windows RT vs. Windows 8 is pretty darn confusing.

    8 is the kicker for me… they try to release a tablet with a focus on the business market vs. the consumer market (iPad)… and they give users the real windows desktop… then deny them the ability to install **ANY** apps! Seriously? WT_?!?

  13. Harry Richter says:

    Here is a nice one from blog.jquery.com/…/the-state-of-jquery-2013

    Quote: "jQuery 2.0 now has more patches and shims for Chrome, Safari, and Firefox than for Internet Explorer!"

    Now you know where the really compatible browser is.

  14. Freda Breau says:

    Just started, hope it's fine.

  15. Steve says:

    @Harry. That is good news (that IE9+ is so much better now)

    However since IE8 was released in 2009 we'll need to support it likely for another 5-10 years in the enterprise.

    This is why we were sooo harsh on Microsoft to fix issues in IE6, IE7, IE8, etc.

    It's just too bad that IE10 metro was such a failure.

  16. Yannick says:

    @Gordon

    1. Flash only works on approved sites.

    And with that, it's the only mobile OS/Browser that supports Flash. Flash doesn't work on iOS/Android

    2. So-called legacy apps — the traditional programs for older versions of Windows — won't run on Windows RT.

    Do they work on Android or iOS?

    3. Apps can only be purchased through the Windows Store.

    Same way is successful, look at Apple.

    4. The apps that are available are pretty limited.

    That's why they are called "apps". Also, it's a young system, it needs to grow too.

    5. Even some traditional Microsoft programs won't work with Windows RT.

    Ho wow, is there ever said it would?

    6. You can only get Windows RT already bundled on a device.

    I can't get iOS without a device, and that counts for Android too; without a device, you can't do much with software.

    7. Windows RT will have a desktop mode, but it will be restricted to pre-installed, Microsoft-produced software.

    And their point is?

    8. For business users, Windows RT is more than ideal.

    Fix that for them.

    9. The number of Windows RT devices is pretty limited.

    What has the device count to do with the OS?

    10. Overall, Windows RT vs. Windows 8 is pretty darn confusing.

    ARM -> RT, 86x -> 8

  17. steve_web says:

    using the latest beta version of Fiddler to see if it reveals any additional insight as to why the IE Blog comment form fails to work  85% of the time.

    this is a quick 30 second turnaround time post

  18. steve_web says:

    next test… after 3 min… and after opening other blog links into other tabs.

  19. Raymond says:

    When is IE 10 going to be done for Windows 7?

  20. steve_web says:

    yup… all 4 delayed tests failed.

    unfortunately nothing in Fiddler sticks out indicating the issue (cookies, headers, etc.)

    thus the issue still appears to be 100% squarely to do with the blog software and the famously un-reliable legacy ASP Postbacks.

    so for the like… hmmm, 5,000th time Microsoft… please fix the blog software or hire someone to do it.

  21. Henry Hoffman says:

    Hi IE team. Great job thus far. I was wondering if there's any plans to improve JavaScript performance on IE10 for ARM devices?

  22. Harry Richter says:

    @ steve_web

    Yup… we all know by now that you cannot handle the blog software and accept the limitations imposed by the server side software in order to block spam. Those limitations I for one appreciate and am happy to have. Except for some trolling by the fundamental anti-Microsoft Taliban this blog is essentially spam-free.

    We know it by now from the ranting above and from all similar in previous posts. No need to reiterate them again and again and again….

    What you probably do not know is the term “netiquette” which in this case means to post only things relevant to the topic at hand. What you also probably don’t know is that this kind of ranting has only one effect: your posts will be ignored simply because they come from you. So even if you have something to tell us relevant to the topic at hand, it will be missed. I’ve been a little more patient than others, so probably the majority has already given up on you.

    Harry

  23. pmbAustin says:

    @Gordon, instead of complaining about the timeout on the blog, just log in with your Microsoft Account (who doesn't have one at this point?!?), and check the "remember me" box, and you'll never have to worry about it again.  Or, you know, you could just go on bitching and complaining for no good reason.

  24. pmbAustin says:

    On a side note, I've been having consistent issues with IE10 Desktop since upgrading to Windows 8.

    In particular, I'll get randomly hanging tabs, run-away processes (8-10 iexplore.exe processes for just two tabs open… and all tabs seem to be running in the SAME process), and worst is something gets messed up that affects "Open" dialogs badly.  This latter thing is exhibited by trying to do things like select a picture to tweet or upload to facebook… the dialog opens, and all the picture previews (large icons) are black, or just missing.  File type icons even in list/details view are black squares.  The ONLY solution to this is to exit out of IE completely, ensure all iexplore.exe processes are gone (killing any that hang around) and restarting.  Additional symptoms include not being able to see the Facebook command bar at the top of the page (i.e. it's just blank… no notifications or anything).  It's THERE, you can see the mouse change as you mouse over the invisible controls, but you can't see anything but white.

    All of these things happen to me on a fairly regular basis.  I tend to keep IE open, use lots of tabs, and just sleep the laptop between sessions.

    Anyone else noticing weirdness like this?

  25. brian says:

    @pmbAustin – just login with your Microsoft Account (who doesn't have one at this point?!?)   – are you serious?!  I don't know anyone with a Microsoft account!

    Unless you are not old enough to register for a Gmail account why on earth would you have a Microsoft account?

    As for the blog comment system being broken – we all know it is but Microsoft has yet to even acknowledge the problem.  I suspect until Microsoft actually accepts that there is a problem, readers will continue to complain that the system is broken. (not just the spam filter)

    It is frustrating as hell that the blog software for a blog this popular is so horribly broken and erases all of your hard work but it is a massive insult that Microsoft has shown no intention to fix it.

    THAT IS WHAT WE WILL CONTINUE TO COMPLAIN ABOUT UNTIL MICROSOFT STEPS UP TO THE PLATE TO ADDRESS THE ISSUE.

  26. EricLaw says:

    @pmbAustin: What, if any, browser add-ons do you have enabled? Do you have 3rd party AV/security software installed?

    @brian: Hotmail/Live/Microsoft authentication is used by hundreds of millions of users daily.

    @steve_web: My assumption is that the ASP.NET session injects an anti-CSRF token into the comment form, and when you open another post in another tab, the token in the first form becomes invalid. (This is just a guess, obviously.)

    It's worth mentioning that MSDN Blogs are running on a 3rd-party product; Telligent Community Server, which you can see by viewing the page source.

  27. sikuramen2012 says:

    It turns Windows 7. Still more, is IE10 the formal version?

    Do your best.

    http://www.zdnet.com/microsoft-inches-closer-to-delivering-internet-explorer-10-for-windows-7-7000009975

  28. IE going to Webkit says:

    It appears that Opera is switching to Webkit:

    techcrunch.com/…/operas-new-ice-mobile-browser-launching-in-february-for-android-and-ios-drops-presto-for-webkit

    So, we are all wondering now if Microsoft will ditch away its Trident stuff soon and embrace Webkit too.

    That would be great!

  29. Mycrosoft says:

    IE 10 for Windows 7 will be finished in November 2013.

  30. fix plz says:

    This snippet of code will crash any IE version. Might want to look into fixing this.

    http://cdpst.net/hhrxouog2

  31. Prior Semblance says:

    Yes, everyone go webkit!  Absolutely nothing can go wrong with tossing aside all competition!

  32. steve_web says:

    @EricLaw [ex-MSFT] – you're likely right on there being some quirky thing that the Telligent Community Server (or legacy ASP.Net) is doing that is causing issues.

    What pi$$es us off is that the fact there has been an issue has been known for over 4 years and that multiple "people-in-charge" at both Microsoft and Telligent have been notified in writing, multiple times explaining in detail what the problem is but neither Microsoft nor Telligent has even responded to or acknowledged the issue.

    We realize there is a big "egg on the face" issue here but ignoring the issue and not working on a solution is certainly not the answer and it makes both companies: Microsoft and Telligent appear as being completely incompetent.

    Those are rough words to be slinging around – but after 5 years one really starts to wonder if either of these companies really gives a damn about their end users.

    Remember that IE6 was the LAST browser to NOT support Tabs.  That browser was released what… like 13 years ago almost?!  There's absolutely NO REASON WHATSOEVER that any Web based software can't handle multiple Tabs open on a site.

    Worst case scenario – Telligent has no intention of fixing the software… then Microsoft should have moved to a much better Blogging Software platform YEARS AGO!

    Best case scenario – Telligent has long since fixed this but Microsoft has been sitting on their hands rather than upgrading the system.

    Which one is it? and lets get on with fixing it ASAP! Or for crying out loud at least acknowledge that you know there is an issue and that you are working on it!  Basic fundamental PR work people!

  33. ben says:

    I think your result for tab browsing in ie is wrong!

    Tab controling in ie 10 is very hard.

  34. Quiet here says:

    Come on Microsoft.

    Has the IE team gone to sleep?

    The article count on this blog has dropped by 50% in the last half of 2012 already, and you are now in for a month with only a single article.

    Last time that happened was in 2007.

  35. Miller says:

    @Quiet in here: they haven't posted because they are working on fixing the security hole with leaked mouse movements outside the browser and its taking them way longer than expected to fix.

    They are also busy trying to figure out which is worse – having a broken comment form on the blog that they are too lazy to fix or the constant complaints and ridicule that Microsoft can't host a functional blog… Even if the topic is about their own web browser! (Totally humiliating if you ask me)

    Finally they are working with the core team to try and solve the windows 8 mess. Windows RT has completely flopped (it's the only version of windows that doesn't run windows apps!), developers are not building Mehtro apps and I can't blame them; that flat UI is so non UX friendly it isn't even funny. Worst of all not a single commercial has shown windows 8 doing what people need!… Running the business apps that they've been using for over a decade! Worst sales pitch ever!

    With so much effort required to patch up their products, marketing and image they haven't had time to post about penguins, snowflakes, etc.

  36. Stuart says:

    I realise that the lack of information coming from the MSIE Team is frustrating, but we will just have to be patient – the development is not in our control and we don't want something with a fundamental problem being officially released.  The MSIE Team admittedly do need to get better at communicating realistically with its users, rather than just posting 'feel good' stuff, but that's PR for you.

    I was recently in Currys (a big retail outlet here in the UK), wanting to buy a decent Windows 8 laptop, but I was advised that 64-bit Windows 8 wouldn't run 32-bit applications (which run on Windows 7), so was almost ready to walk out, when I asked again, and was told that the legacy 32-bit applications would run on it.  So, obviously Microsoft has some training issues with its re-sellers to resolve.  Needless to say, I played safe, and decided not to purchase a new laptop for now.  Like many users, I'll wait to see how Windows 8 settles-down, because I don't want to buy something which might have compatibility issues, in amongst the UI issues – I am actually OK about the dual-UI, except I would really like the Start button back in Desktop Mode (I hope Microsoft would re-introduce this in a Service Pack – it can't be that hard to re-introduce, the code's already there in Windows 7, just modify it to work in Windows 8).  Whoever decided to get rid of the Start menu should really be sacked, because Desktop Mode should replicate Windows 7, but using Windows 8 UI controls.

  37. @Stuart says:

    It is obvious that the IE team now provides much less info than they did while developing for IE8 and IE9.

    So we know that it can and should be better than this silent treatment.

  38. Evan says:

    As a long time follower of the IE Blog and the development of IE (and Windows) I have to say that we are at an all time low for morale.

    Microsoft has made the browser much better – it took over 9 years for IE to become a capable browser and yet it is still not available on Windows 7 (and Mehtro/Windows 8/RT has been such an economic failure, terrible PR and messaging issue it isn't funny).

    The IE Team has lost Microsoft's 2 best employees (Chris Wilson and Eric Lawrence) because they got fed up with Microsoft failing to let them build a better browser faster and publicly admit the failings of IE to follow standards and document the flagrant API errors!

    The reality is that there is only one person to blame… The management, specifically Dean M.

    Dean has failed developers from the beginning and continues to blatantly ignore developers whenever they have questions, bug reports, and has made ZERO EFFORT TO FIX THE BLOG COMMENT FORM!!!

    Seriously WTF!?!?!?!?!? Just how long does it take the world's 2nd largest browser vendor to fix a 1 line bug on the most influential web browser blog that is 100% under their control?!?!!

    If I was running this blog I would have been FIRED! Years ago for incompetency!

    I also realize that the IE Team isn't responsible for windows development with Windows 8 but with the dual OS we now have twice the issues with IE that we had before.

    The flash whitelist was one of the most public failings of how not to implement user control over content and has subsequently made so many developers and users bitter.

    I can think of no other time that Microsoft has been so "Big Brother" in controlling what content users can view – It was a dirty mess and the blame falls 110% on Microsoft for ruining the user experience in Metro. Thankfully there are so many 3rd parties that have enabled users to disable metro and bring back the start menu to their laptops.

    1.) fix the blog

    2.) hire a new manager for the IE Team – someone who is willing to talk to developers!

    3.) kill the blacklist

    4.) open up communication with developers

    5.) start real, open, public bug tracking – ABSOLUTELY NOT on connect

    6.) ship IE10 for Windows 7 so we can drop support for IE7/IE8 faster

    7.) inform your sales reps about the downfall of RT and the lack of app support

    8.) stop trying to sell windows 8 by showing the Mickey Mouse desktop! Real users need real programs! Not a bunch of colored squares!

    Signed – Everyone

  39. @Evan says:

    Surely, point (3) should be 'kill the flash whitelist'.  Your points are spot-on, though.

    Obviously, Microsoft has no clue as to how to time-manage their software projects, nor how to communicate with their customers!  I've been loyal to Microsoft since the days of MS-DOS, but loyalty can only be stretched so far…

    A SIDE-NOTE, AS AN EX- SOFTWARE DEVELOPER –

    Unfortunately, we can't get the fun times back, like we had with GW-BASIC/QuickBASIC/QBASIC.  Why doesn't Microsoft develop a Win-32 version of the QBASIC IDE/Compiler anymore?  I know there's QB64/FreeBASIC, but it would have been nice if Microsoft hadn't just abandoned these educational/fun programming languages over-night – once everything turned Visual, then the fun just went – and although I was a VB.NET developer for several years in Industry, I absolutely hated it (I hated having to re-learn elements of the programming language / coding practices every 3 years or so with new .NET frame-works, and the change from VB6 to VB.NET was painful for developers, but without any noticeable benefit for users).  All the fun has gone out of software development.  If Microsoft won't resurrect QB45 and create a Win-32/64 version of it, then all I can say is, 'Thank God For QB64!', so I can re-compile my QB45 programs and bring back the good memories (and shuffle-around some good old BASIC code – GOTO Forever!!! LOL).

    I really feel sorry for Microsoft developers – it must be like torture working there, working on this stuff – it's not the developers' fault, it's poor Management.

  40. fad says:

    how can i use my hotmail ?

  41. Gerald says:

    @evan yup spot on (though like the above commenter said it is the whitelist that needs to go).

    I actually have a surface RT device. The size is really nice (width x height) but it is definitely too thick.

    Sadly I've given up using the metro IE browser because I constantly follow links from tech blogs, news, etc. and the flash content on sites simply fails to load – silently.  Worse yet sites often have fallback to download flash and only after getting 1/2 way through do I remember that RT can't install anything and well it would still be content blocked by Microsoft.

    This really sucks because one of the best things I can think of for a tablet is quick and way instructional videos and how to's… None of which work in the new desktop that Microsoft so desperately promotes.

    Please reconsider your terrible approach to flash blocking and let ME! The actual user decide what content I want to see! Why did you think for one second that blocking the content I wanted to see would be desired?!

    It isn't porn, it isn't hate material, racist, anti-religious, or anti-non-heterosexual so why does the content need blocking… Especially when if you force me to switch to the 1/2 real desktop I can actually run flash! (Anything I want!)

    Even that said – Microsoft has no business censoring what content I wish to see even if it is porn, etc.

  42. pmbAustin says:

    @EricLaw – "What, if any, browser add-ons do you have enabled? Do you have 3rd party AV/security software installed?"

    I have no 3rd party AV/Security software, and no browser add-ons.  It's a relatively fresh install of Windows 8 (upgraded from Windows 7, but "installed as new" instead of upgrade-in-place).

    This consistently happens … pages will start rendering weirdly (mostly with missing elements, like Facebook missing the top bar with the notifications and links to profile, security, etc).  When it gets really bad, elements in common Open/Save dialogs will fail to render (black rectangles for pictures when browsing the pictures library, for instance).  

    When this happens, I'll always notice at least one iexplorer.exe process with over 700MB of memory.  Killing it sometimes will resolve the problem, but most of the time I end up having to completely shut down internet explorer, wait for all processes to die, and then restart. Then things work fine.

    I tend to leave my IE10 Desktop open for long periods of time, through sleeps/wakes of the laptop, with generally dozens of tabs.

    I go through this every few days it seems.  At least once a week.

  43. pmbAustin says:

    @brian – "are you serious?!  I don't know anyone with a Microsoft account!"

    Then you're decidedly weird or ignorant.  You are aware that ANY email address can be a microsoft id?  All you need to do is sign up for one.  Use your gmail account if you want.  Sheesh.  Talk about manufacturing your own pain.  In Windows 8 and beyond, a microsoft ID becomes even more relevant.  You have one associated with gamer-tags for XBox 360 play, it's used for syncing across PCs, logging into PCs, and more.  There's no reason to be in any way involved in the Microsoft eco-system and NOT have a Microsoft ID.

    It takes like 2 seconds to get one, and then you could log in here with it (you'll stay logged in across sessions), and all your whining, bitching, and kvetching about the comment form timing out would be over.  It's your choice… take 2 seconds to do the obvious thing, or keep on perpetuating your own misery.