July 2014 Internet Explorer Updates


Microsoft Security Bulletin MS14-037 – Critical

This security update resolves one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 6 (IE 6), Internet Explorer 7 (IE 7), Internet Explorer 8 (IE 8), Internet Explorer 9 (IE 9), Internet Explorer 10 (IE 10), and Internet Explorer 11 (IE 11) on affected Windows servers. For more information see the full bulletin.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Security Update for Flash Player (2974008)

On July 8th, a security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1 and Windows Server 2012 and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB14-17. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see the advisory.

Most customers have automatic updating enabled and will not need to take any action because this update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

— Wilson Guo, Program Manager, Internet Explorer

Comments (31)

  1. Brian LePore says:

    Minor question: What operating system is still supported that causes IE6 to still receive critical updates? I thought IE 6 reached EOL already.

  2. NumbStill says:

    @Brian LePore -

    Windows Server 2003.

  3. Sardoc says:

    Just a thought… wouldn't it be easier to just develop IE 12 for Vista/2008, 7/2008R2 and 8.1/2012, then drop support for IE 7, 8, 9 and 10 and just support 1 version across all platforms?

  4. Zkal says:

    @Sardoc: For regular consumers that would be fine, but sadly there are these pesky things such as corporations that don't really want to use the latest and greatest for many reasons. As such, I don't think they'll ever get to the point where they can just support one version.

  5. NumbStill says:

    @Zkal -

    It would be easier, but illegal, as I believe Microsoft is legally obligated to support all of these Internet Explorer versions until the extended support period is over.

    (That means, the version of Internet Explorer that came with the operating system. They cannot force you to update and be over with it)

  6. NumbStill says:

    Oops, I meant @Sardoc, not @Zkal.

  7. NumbStill says:

    @Zkal (for real ;)) -

    Well, it is a matter of policy and contracts. If they change their policy to only support the latest version (or the latest and the one before it), corporations would just have to live with it and change the way they work (not depend on browsers, or web based application vendors would have to code according to the standards and stop messing around and give free updates), because I do not believe there is a browser that is supported for so long.

  8. fr says:

    It's an odd situation that we can run IE11 on Server 2008 R2, but not on Server 2012 original.  I can understand why it wasn't released for Windows 8.0 since it's a free update to 8.1, but 2012 R2 isn't free unless you have SA, we would have to pay for new full price licenses.  I hope something is done about this in the next IE version so that we can standardise on a single version.

  9. Yannick says:

    @Sardoc – As said already, corporations aren't too happy with stopping support for something that had been promised to be supported for 10 years (like every IE version is, 10 years of support at least). I think however that it wouldn't hurt to reduce the support time from 10 to at least 5 to prevent that they have too many versions to support. IE6 will at least be supported up until July 2015. By that time, we already are on IE12 (I hope). So Microsoft would have 7 versions to support, not to mention paid support, that can drag support for IE6 3 years longer, counting from April this year (and by then, we're already looking forward to at least IE15, again, I hope).

  10. Yannick says:

    Anyway, any news when we will get Internet Explorer Developer Channel 2?

  11. Ronald stucker says:

    I like internet explorer 11

  12. twodots says:

    Thank to sharing interesting articles and services ……….

  13. Gabri says:

    No real issue ever gets fixed with these updates.

    - People are begging for JSON mime support, they don't care.

    - XPath will never get an update (since XPath v1, 2001). W3 laid final recommendation of version 3 this year, and none of MS's products gets XPath 1.0+ support! They just don't care.

    - Looks like SVG is dumped by MS. The issues introduced in IE9 for the first time are still present, but it's just not worth the effort?

    All we get are these fictional security updates which browser vendors don't care to write blogs about, just put it in the readme and publicize some real meaty work they have done pertaining to the emerging web technologies!

    Chrome and Firefox are rapidly making releases, fixing zillions of features each release adding new standards and moving along the community. All we get from IE is "We are investigating this issue" and never updated again in years! Even if you submit the most technical bug report, this is the same reply rubberstamped on your face. It's like they have this automated system in place which randomly sends these replies. What an insult to the people; the developers and enthusiasts who are still bothering about IE and Microsoft.

    IE team is the most mean, ineffective and uncompetitive bunch in the whole Microsoft. Not communicating back to us like human being is your loss. Acting like some kind of gods will only take you to the fall. What possibly can help you get what you want to be is getting at level with the community, work "with" us and earn some respect. Public perception is your problem and you are doing a worse job fixing it! Those modern.ie ads mean nothing with this attitude.

    It's really hard to become/remain a Microsoft fan these days and IE team is playing leading role in it.

  14. Internet Exploder says:

    arstechnica.com/…/crypto-certificates-impersonating-google-and-yahoo-pose-threat-to-windows-users

    "People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo, and possibly an unlimited number of other Internet properties."

    Internet Exploder strikes again.

  15. astontravis says:

    after updates this morning internet explorer will not respond.

  16. Joshua says:

    How long is reasonable to wait for a blocker level accessibility fix?

  17. Greg says:

    @Gabri

    These updates are never feature updates. Patch Tuesday only addresses security updates. Wait for another GDR release, Developer Channel, or a Windows 9 beta.

    "Not communicating back to us like human being is your loss."

    Have you looked at http://status.modern.ie yet?

  18. Viktor Krammer [quero.at] says:

    @Gabri: Interestingly these "security" updates usually also contain a bunch of regular non-security related bug fixes. What has really been fixed is buried in the associated knowledge base article. The regular bug fixes are called General distribution release (GDR) fixes and are also part of the "security" update, see also support.microsoft.com/…/2975687

  19. Yang says:

    @Gabri, on http://status.modern.ie/ there is XPath DOM level 3 listed as "In Development"! Just wait…   >^^<

  20. NumbStill says:

    @Yang -

    XPath DOM Level 3 is basically document.evaluate(…) – not XPath 3, the language itself.

  21. Gérard Talbot says:

    @Gabri

    > No real issue ever gets fixed with these updates.

    > (…)

    > – XPath will never get update (since xpath v1, 2001). W3 laid final recommendation of version 3 this year,

    > and none of MS product gets XPath 1.0+ support! They just don't care.

    Gabri, I think you are correct in part, at least with regards to XPath.

    Bug 673653: support DOM Level 3 XPath

    Status:  Closed as Fixed

    Posted by Microsoft on 11/5/2012 at 1:38 PM

    "This issue was resolved in Internet Explorer 10 released on 10/26/2012."

    connect.microsoft.com/…/support-dom-level-3-xpath

    But the thing is: the test submitted was only checking for, testing for

    document.implementation.hasFeature('xpath', '3.0')

    (By the way, this implementation.hasFeature() is rarely useful and trustworthy: it never can tell how complete and reliable, trustworthy and bug-free such implementation is.)

    Your opinion would be a lot more useful, convincing and worthy if you had tests (or links to tests or to a test suite eg w3c-test.org/…/evaluator-constructor.html ) thoroughly checking individual methods and attributes of XPath 3 like XPath expressions. "work with developers" implies requirements from both sides.

    Gérard

  22. Gabri says:

    @Yang: Thanks for the tip but like @NumbStill mentioned it's XPath 3.0, I was referring to http://www.w3.org/TR/xpath-30/. Microsoft doesn't have XPath support beyond v1.0 in any of their products (.NET, IE, SharePoint, PowerShell etc.). To make things clear, here are some facts:

    - Microsoft used to have a brilliant XML team roughly from 1996-2005. They implemented a lot of standards including XPath 1 (with a very few modifications to support XPath2-like features but not ever close to XPath2) and SOAP etc. before most of them left the company.

    - In 2003 and 2004 they wrote blogs (MSDN) and magazines articles about XPath 2.0, that how useful the features are and they are working on it. And here we are in 2014 and yet we are to see its support, while other vendors are off to implement XPath 3.0 since W3 recommendation.

    It may sound crazy but these are the facts.  I miss XPath 2 support in SharePoint almost every time working with custom webparts (CQWP) as I have seen the XPath 2's powerful syntax which reduces the code by 1/4th at times.

  23. Gabri says:

    @Greg, yes I have seen that. But it's the communication we are missing. Not the fancy website with silence from the other side. The precious proprietary code of IE is broken badly. Everyone is disappointed. Even the other teams at MSFT have to say this about it. Their input model, memory model and the way they manage multi-tabs since IE7 is "worse" than any other existing browser. It may hurt your feelings and believe me it hurts me too when I try to defend IE in front of 50 people and get embarrassed. Seeing tons of Connect reports like this JSON mime request connect.microsoft.com/…/text-json-mimetype and connect.microsoft.com/…/xpath-2-and-3-in-microsoft-world (it's .NET team but still see how lost they are) with canned responses. This person has done a lot of tests: connect.microsoft.com/…/556277 and yet he gets, "We don't have plans to fix this issue".

    For example, take a look at this test http://www.freewebs.com/…/209-print-preview-input.html, its corresponding Connect bug report number is 675158, give it a try and you will reproduce this issue within 20 seconds. But in the bug report Microsoft gives us the "unable to reproduce.." canned response.

  24. Gabri says:

    @Gérard Talbot,

    > Your opinion would be a lot more useful, convincing and worthy if you had tests

    Done ages ago, waiting for responses and the real features.

    > "work with developers" imply requirements from both sides.

    BTW if you don't believe it by now, then let me tell you that I would try to be the first guy who will contribute to Internet Explorer if it ever goes open source.. If you don't work for IE and yet are concerned, then I am very happy to say this: Welcome to the club! We care about IE more than "they" do!

    Thank you guys. Please keep pushing, maybe soon enough all gets settled and we get a better browser than Chrome (and yes there is a LOT of margin of improvement in Chrome where IE can shine, only if they advance preemptively!)

  25. Gabri says:

    @Viktor Krammer [quero.at], thanks, I really didn't know that this much level of detail is hidden under those KB articles. Will follow that stream! Since they don't mention which update (with the KB article link) fixes which bug, there should be a website logging all those entries so the people like us reporting bugs know in advance where to go before submitting the bug.

  26. MikeS says:

    Security update KB2962872 broke all of our file upload pages, leaving the current Internet Explorer tab in a permanent "hang" state. Using Fiddler 2 we determined the hang to be triggered by the mime type of the response from our form post (multipart/form-data). Our application returns content-type "text/xml" with an attached xsl stylesheet, and after being successfully deployed since 2006, the pages are completely broken in IE10/IE11 with this update installed. Uninstalling the update repairs the file uploads again.

    Any idea what was fixed that might be causing this damage?

  27. JKo says:

    Hi MikeS,

    we had the same issue and can't find any solution.

    Do you already have a fix?

  28. internet user says:

    To Satya Nadella

    In the ongoing layoffs, please fire the whole rotten IE team, the laziest most ignorant people at Microsoft. They are losing against other browsers by the day in every single domain of web. They are highly incompetent.

    After that, hire some folks from Mozilla, Google, Opera and IBM, who know how to refactor the turd code of IE into the best browser ever happen to mankind.

    Thank you from the entire Internet community: which means the whole world

  29. hAl says:

    Why is there no sign of IE12 yet ?

  30. Dev says:

    I'm tired of testing so many backwards compatible issues, let alone the dozen variations of compatibility modes that automatically trigger within a company.

    When can I have one 'version' that upgrades easily, efficiently, and doesn't require Windows Update?  You know, that little feature which makes Chrome so widely used?