IE Cumulative Security Update Now Available
Today we released a Cumulative Security Update for Internet Explorer. We’ve released this Cumulative Security Update earlier than originally scheduled based on malicious activities reported on the web. The update is available via Windows Update and Microsoft Update. Most users configure their machines to update automatically; you can find more information on that here.
This update actually includes 236 separate packages for all the different languages and versions of Windows and IE that customers run and Microsoft supports worldwide. We release these packages simultaneously for all supported products and languages as part of this update. The complete matrix of browsers, operating systems, and languages is available in the security bulletin. At a high level, these packages cover:
- Seven operating system versions: Windows 2000, Windows XP, Windows Server 2003, 2008, and 2008 R2, Windows Vista and Windows 7. Customers run 32-bit, 64-bit, as well as Itanium versions of some of these operating systems, as well as a variety of different service packs.
- Four different versions of IE: 5.01, 6, 7, and 8.
- All supported languages. Older versions of Windows require separate language-specific packages, typically between 18 and 25. Windows Vista and later operating systems have a single language-neutral binary to update IE.
We test each security fix thoroughly with different variants of the security issue. We also test the entire package extensively for compatibility and reliability, as well as any setup, deployment, and manageability issues. Also, security updates are cumulative and contain all previously released updates for each version of Internet Explorer, to make securing any system (one updated a month ago or never updated at all) easy.
This update addresses several vulnerabilities including the one described here. Other blog posts describe specifics. Some of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Note that IE8 users on Windows 7 have extensive defense in depth protections with DEP, ASLR, and protected mode that make remote code execution from a malicious site extremely difficult. Microsoft therefore strongly recommends customers upgrade to IE8 to benefit from these extensive defense in depth protections.
For detailed information on the contents of this update, please see the following documentation:
We encourage everyone to set their operating system to automatically update with the latest security updates for all their software. You can find more information here.
Dean Hachamovitch
IE General Manager
Comments
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
The comment has been removed
Anonymous
January 01, 2003
Glad to apply this as this update addressed this issue: http://www.microsoft.com/technet/security/advisory/979352.mspx
Anonymous
January 01, 2003
It seems like this release has a lot of issues so far. They should do more testing before letting it go public.
Anonymous
January 01, 2003
I did not have any issues with this security update.
Anonymous
January 01, 2003
Just wanted to highlight a new IP lookup service: http://ipboo.com I use it a lot myself to check my own IP. Totally recommend!
Anonymous
January 01, 2003
My Internet Explorer stops working sometimes in Windows 7. Please download patch or fix.
Anonymous
January 01, 2003
My IE stops sometimes using Windows 7.
Anonymous
January 01, 2003
Thanks so much!!!!
Anonymous
January 01, 2003
IE8 really feel faster after installing this cumulative update?
Anonymous
January 21, 2010
I just upgraded to Firefox 3.6 instead. Works much better.
Anonymous
January 21, 2010
How many configurations does something like this actually get tested on? What is the process to test on so many systems?
Anonymous
January 21, 2010
The comment has been removed
Anonymous
January 21, 2010
Arieta: well, I just upgraded to GNU/Linux
Anonymous
January 21, 2010
obj-juan: and the first time there's an alert in a gnu/linux program you use, will you swap to osx? and then to BSD? and then os/2?
Anonymous
January 21, 2010
Is it just me, or does IE8 really feel faster after installing this cumulative update?
Anonymous
January 21, 2010
@obj-juan, what are you doing on IE blog then?
Anonymous
January 21, 2010
In related news: "Microsoft Learned of IE Zero-Day Flaw Last September" http://www.wired.com/threatlevel/2010/01/microsoft-zero-day-flaw
Anonymous
January 21, 2010
@Arieta IE is a normal application, just like Firefox, the only difference is that IE is preinstalled.
Anonymous
January 21, 2010
@Luc I wouldn't call anything that prompts me to restart the computer after updating it a "normal application". Didn't most normal applications stop doing that after Windows 98/Me?
Anonymous
January 21, 2010
I installed it this morning and it caused a BSD on my 64-bit Vista system. I got it going again, but this isn't helpful.
Anonymous
January 21, 2010
@Steve Jones: It caused a BSD?! Man, I hate when patches cause free operating systems to show up. :P On a more serious note, have you checked your dump/minidump to see what the cause was?
Anonymous
January 22, 2010
Has anyone from MS ever been fired b/c of these security problems? If my track record was as bad, I'd have been shown the door a long time ago. Is there accountability?
Anonymous
January 22, 2010
After restarting our server2003R2 machines, our static IP settings were magically changed to obtain an IP using DHCP. People could not access our web site. Why would this update change our IP settings?
Anonymous
January 22, 2010
I've recently installed this cumulative update in my virtual machines with Windows 2000 SP4, Windows XP SP3 and Windows Server 2003 SP2 R2 and it worked fine! Also in my laptops with Windows Vista SP2 and Windows 7 - no problems at all ;) I don't care about restarting the computer, it's fine for me ;) I hope this 2010 we can see IE9 with a much better standards' support :D Best regards from Peru!
Anonymous
January 22, 2010
<<Why would this update change our IP settings? >> It wouldn't. You did something else that just happened to take effect because of the reboot.
Anonymous
January 22, 2010
I've updated several machines at home and at work with a mix of OS/browser combinations, both physical and VM, 32 bit and 64 bit, and I didn't have a single problem on any of them.
Anonymous
January 22, 2010
Static IPs changed to DHCP. Any suggestion other than we must have changed something? I know for a fact that nothing changed on one of the two machines, just download and reboot. The other is our production web server and I don't think anything was changed on that machine. Yet they both were reset to get IP using DHCP after reboot.
Anonymous
January 22, 2010
I just installed it, and it ate my cat... it got better, but disconcerting nonetheless.
Anonymous
January 22, 2010
@Dan, Maybe some network driver issues with the update, or something. The possibilities are endless due to the infinite possible combinations of hardware and software on a system. Maybe the update just doesn't like your network driver + SCSI driver combination, or your network driver + graphics driver combination, or network driver + something else combination. Basically, it's just bad luck (or maybe not so bad since it's easily fixable). This kind of thing can happen all the time with the wide variety of software and hardware available; something can run fine on a million systems, and it may just crash your system.
Anonymous
January 23, 2010
KB 978207 caused every application that uses IE7 including IE to crash. Almost no software installed on this machine. Rebooted multiple times, disabled all add-ins - no change. Uninstalled, rebooted, reinstalled, rebooted fine. Thanks for the awesome Q/A
Anonymous
January 23, 2010
@MDR: Collecting more information about this problem will enable further investigation into what is wrong with your particular system. Which version of Windows are you using? What other applications were broken? http://blogs.msdn.com/ieinternals/archive/2009/10/12/Collecting-Internet-Explorer-Crash-Dumps.aspx explains how to get the "crash bucket" information and/or an actual dump of the problem. Did you contact Product Support? (http://support.microsoft.com)
Anonymous
January 23, 2010
Update crashes Word and Excel 2007 as well as IE 8. Rebooted several times. Only thing that fixed the problem was using an earlier restore point. Using Windows 7.
Anonymous
January 23, 2010
I had the same problem - patch KB978207 installed and after the reboot IE8 crashed every time I started it, as did Outlook 2007 when I tried to read an email. Only thing that cured it was restoring to before the patch. I am running Windows 7 too.
Anonymous
January 24, 2010
system nightmare. windows 7, 64bit. browser slow, outlook dead. rebooted five times, will restore.
Anonymous
January 24, 2010
I have installed this update from Windows Update on Windows 7, as well as on Windows XP at least 5 times now, on different computers, and haven't had a crash so far. And all computers had a fair amount of software installed on them before the update process started. To anyone experiencing problems, I have to ask - do you have any kind of "registry cleaner" programs or any kind of "clean up" and "tune up" tools? Do you have FlashGet or another kind of a download manager? Because those are the two primary causes I've found to dramatically affect IE, and those are the only kind of things I don't install anymore, exactly for that reason (Note that I do install a torrent client though...).
Anonymous
January 24, 2010
Does this update include some improvements in SVG support?
Anonymous
January 24, 2010
After installing the patch, the layout of my web-application and several other sites is not displayed correctly anymore.
Anonymous
January 24, 2010
@carlos: sure! It makes sense that a mere security update would slip in new major features that aren't security related, right? And without letting you know about it, too.
Anonymous
January 24, 2010
Like many people here, windows update installed the KB978207 on to my Windows 7 64bit installation. IE8 crashed out after 4 tabs were opened, Firefox also went the same way after multiple tabs were open. Windows Explorer failed to show my directories - non responding, and generally windows came to a complete stop. I had to reboot multiple times. In the end uninstalled the patch, system is back to normal. Is it safe to say that as long as you have IE8, you should be fine. Is there really a need to install KB978207?
Anonymous
January 24, 2010
I think the first list item needs to be corrected. It does not work with IE8...please instead use with IE8... http://www.microsoft.com/downloads/details.aspx?familyid=e59c3964-672d-4511-bb3e-2d5e1db91038&displaylang=en#AdditionalInfo
Anonymous
January 24, 2010
@John: I believe you're simply misreading the page. It says, basically: "Do not try to use the downloadable Developer Toolbar with IE8; instead simply press F12 to get the built-in developer tools, which obsolete the old downloadable toolbar".
Anonymous
January 25, 2010
I have installed this update on hundreds of machines so far (mostly via WSUS). These include Windows XP and 7. Bare metal installations and a lot of Virtual Machines (VDI: VMware View 4). I also installed it on a lot of Terminal Servers, RDS Servers and a couple of Citrix XenApp farms. I've seen no problems with this update, great quality! That said, I didn't see any problems with updates since Windows NT 4, Service Pack 6 (not 6a).
Anonymous
January 25, 2010
Applied the update along with others to my Vista Home Premium SP2 and the system was unable to start windows. Works fine once restored to pre-update restore point. Did the update again with only the cumulative update. Same result. Conclusion, the update is the culprit. Guess I'll have to remain vulnerable.
Anonymous
January 26, 2010
@ted I also use Firefox, but IE is my favorite browser. Firefox also has bugs.
Anonymous
January 26, 2010
Firefox has bugs, like any software. But critical/security bugs in Firefox are corrected much faster than Microsoft do. It's the only way it's hurting: it seems MS was aware since last September? It seems the commercial pressure was strong enough for this release, not a security pressure.
Anonymous
January 26, 2010
@GeoVah [quote]But critical/security bugs in Firefox are corrected much faster than Microsoft do[/quote] When looking at the patches by Mozilla for Firefox we regularly see patches for critical leaks that are more than a year old. Firefox patches for critical vulnerabilities are not particularly fast. I do not see any justification for your claims.
Anonymous
January 26, 2010
The IE Team needs to drop their willful ignorance of IE's bad week and actually make a blog post repenting.
Anonymous
January 27, 2010
Nice to see you again, Fiery! The new trolls just don't have as much personality.
Anonymous
January 27, 2010
@hAl http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf Page 36
Anonymous
January 27, 2010
@Geovah Read page 37 again and find that Mozilla has less exposure days not because their browser is less vulnerable (it actually has double or triple times the numbers of patches) but because they have better responsible disclosure. That just shows that security researchers have a tendency to report IE vulnerabilities more often publicly. However those figures show that Firefox actually has tons of vulnerabilities in 2007 and 2008 (103+83) compared to IE (28+31).
Anonymous
January 28, 2010
I installed the IE8 Update and now we are having issues on our Intranet with cookies. I am on Windows 7 and get the following error "Object doesn't support this property or method: 'Cookies'". Anyone else having this issue?
Anonymous
January 29, 2010
Finally discovered the software clash that stops IE8, Word and Outlook 2007 working at all after patch KB978207. It is PGP encryption 9.8 - even without the services running. Once this is uninstalled all MS products work fine.
Anonymous
January 30, 2010
Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e
Faulting module name: urlmon.dll, version: 8.0.7600.16490, time stamp: 0x4b2c9600
Exception code: 0xc0000005
Fault offset: 0x000a9cae
Faulting process id: 0xaec
Faulting application start time: 0x01caa22b43480956
Faulting application path: C:\Program Files\Internet Explorer\iexplore.exe
Faulting module path: C:\Windows\system32\urlmon.dll
Report Id: 53d14c8a-0e24-11df-aaae-8000600fe800
My IE always crashes, this is the event log. Any ideas?
Anonymous
February 01, 2010
Be Aware! After installing this update I was getting random BSOD crashes that would happen within an hour of logging on to the computer. I've definitely narrowed it down to this update. Install the update and get a BSOD within an hour. Uninstall the update and never get a BSOD. Ran for two days without the update and no BSOD, tried installing it again and wham ... BSOD within the hour! Haven't narrowed down exactly what is happening yet. But I've had to hide this update to prevent the BSOD issues. Running Windows 7 Enterprise x64 with IE8
Anonymous
February 01, 2010
The comment has been removed
Anonymous
February 01, 2010
The comment has been removed
Anonymous
February 01, 2010
I wonder why I got no autoupdate for this in Windows 7. I didn't notice any autoupdate nor is there any in the Update History. I thought it may come at the next patch day. But now I will install it manually.
Anonymous
February 02, 2010
@EricaLaw: It works, thanks a lot.