Internet Explorer July Out-of-Band Cumulative Security Update

Internet Explorer is releasing an out-of-band update available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses three privately reported vulnerabilities which could allow remote code execution. The security update addresses these vulnerabilities by modifying the way Internet Explorer handles objects in memory and table operations.

In addition, the update includes two defense-in-depth protections against known techniques that are able to bypass ActiveX Security Policy when ActiveX controls have been created using certain Active Template Library (ATL) methods in specific configurations. The first defense-in-depth protection is enabled by default and modifies how ATL-based controls read persisted data. The second defense-in-depth protection is disabled by default and offers the ability to regulate usage of the IPersistStream* and IPersistStorage interface implementations within individual controls.

For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer except Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003 and Windows Server 2008. 

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Update 5:41pm: removing * from IPersistStorage

Comments

  • Anonymous
    July 28, 2009
    Where is the patch for Windows 7 RTM 7600.16385? Or Win 7 RTM is already patched up before it RTM and is not affected by this?

  • Anonymous
    July 28, 2009
    Internet Explorer 8 for Windows 7 RTM is unaffected by this bulletin. The IE defense-in-depth mechanism is already built into Windows 7 RTM.

  • Anonymous
    July 28, 2009
    RTM: Win7 RTM isn't released yet. Who knows what malware your stolen franken-bits contain. John: Win7 RTM isn't released. While you can speculate what is or is not in Win7 RTM, unless you cite an official source, you are not credible.

  • Anonymous
    July 28, 2009
    Am I the only one that finds it funny that the primary source for IE news (the IE Blog) isn't even running in Standards Mode in IE8? Not just renders weird, but it flat out denied rendering in IE8 Standards Mode due to forced headers that force the IE Blog to help hold back the web. Too funny.

  • Anonymous
    July 28, 2009
    This update seems to have broken the IE developer tools. I am getting constant CPU usage and both IE and the developer tools hang until manually killed.

  • Anonymous
    July 28, 2009
    In response to Mark:

  1. Windows 7 RTM is already released for PC makers and other Microsoft OEM partners that are already receiving Windows 7 RTM software images. Check this timeline: http://www.winsupersite.com/win7/rtm_availability.asp
  2. An official source about the Internet Explorer 8 for Windows 7 RTM being unaffected by this bulletin: http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx As you can see, Windows 7 (RTM) / Windows Server 2008 R2 (RTM) are listed as unaffected. But if you go to http://support.microsoft.com/kb/972260 you will see that Windows 7 RC / Windows Server 2008 R2 RC and Windows 7 IDX (former RC2) / Windows Server 2008 R2 IDX (former RC2) are affected.

  • Anonymous
    July 29, 2009
    Ben, working for me in IE 7.

  • Anonymous
    July 29, 2009
    If kill bit protection is used in the short term to prevent activity from vulnerable plugins, why then are those vulnerable plugins not updated in a later patch?

  • Anonymous
    July 29, 2009
    Installed successfully in my Windows Vista SP2 Ultimate x86, including the huge hotfix for Visual Studio 2008 SP1. Everything is OK here, I always take seriously the security of my PC, that's why I have Microsoft Update turned on. ;) Thanks!

  • Anonymous
    July 29, 2009
    Ben, Does that happen on all sites you try to use the tools on or a specific site? Thanks.

  • Anonymous
    July 29, 2009
    The comment has been removed

  • Anonymous
    July 29, 2009
    Hm... IE7/8 are running in a so-called "Protected Mode" in Windows Vista/7/NT6.X if UAC is turned on. So, how can this security issue affect me, running IE8 on Vista? I mean, IE8 doesn't even have permissions to write outside of its sandbox. So I don't understand how this security issue can work. Shouldn't NT6.X users with UAC turned on be safe even against such security holes?

  • Anonymous
    July 29, 2009
    @Stefan: Protected Mode/UAC is a defense-in-depth feature. While you're correct to note that Protected Mode can help constrain the impact of any exploitation of this vulnerability, you should absolutely ensure that you install IE updates to ensure that defense-in-depth features are not your only protection against exploit.

  • Anonymous
    July 29, 2009
    After this update, IE doesn't work anymore. It won't load any pages. I have 7.

  • Anonymous
    July 29, 2009
    Woot! Freedom of choice! Now Windows users will have a choice to not install IE! http://static.arstechnica.com/assets/2009/07/microsoft_browser_ballot-thumb-640xauto-7310.png

  • Anonymous
    July 29, 2009
    Keeping in mind that Windows 7 already provides the choice to not install IE... I hope you understand what you're exactly cheering about?

  • Anonymous
    July 29, 2009
    The whole ballot thing was ridiculous to begin with. Opera got what they wanted, and they are still whining about it. Completely childish. If Opera wants market share, then they should develop a browser that is actually somewhat useful.

  • Anonymous
    July 30, 2009
    @DT - the picture that @woot posted doesn't tell the whole story. The related article indicated that Microsoft would apply this to XP also, giving users the ability to directly install Firefox or Safari instead, AND to uninstall IE. Shackles be gone.

  • Anonymous
    July 30, 2009
    Update broke my IE8 and Chrome on Vista Home Premium x64 (AMD). Network status reports Internet connectivity, FTP works, Ping works, both browsers do not. Error 101 (net::ERR_CONNECTION_RESET) in Chrome; "Internet Explorer cannot display the webpage" error in IE8, without anything useful under "More information".

  • Anonymous
    July 30, 2009
    @Alex: When you run Windows Internet Explorer in no add-ons mode, does it still not work? You can run it (possibly) through the search function on the start menu in Vista, or by navigating to it in the start menu: Start Menu > Programs > Accessories > System Tools > Internet Explorer (No Add-ons). Have you checked the system for malware, and do you have any sort of malware "real-time" protection running?

  • Anonymous
    July 31, 2009
    The comment has been removed

  • Anonymous
    July 31, 2009
    Now I get it! You can Google on Bing: http://www.collegehumor.com/video:1915736 With a name like Bing it was too hard to tell.

  • Anonymous
    July 31, 2009
    @Stefan: UAC will forbid writes outside of the Low folder (or more precisely, it will virtualize the writes into a harmless Low folder). However, you don't want bad-guy code running on your computer, even at Low Rights.

  • Anonymous
    July 31, 2009
    @Alex: www.enhanceie.com/ie/troubleshoot.asp#firewall explains the most common source of connectivity problems after updates. Does the Diagnose Connection Problems button in IE turn up anything interesting? Netcheck (www.enhanceie.com/dl/netchecksetup.exe) can gather a log of your configuration settings and help troubleshoot connectivity issues.

  • Anonymous
    July 31, 2009
    Just (July 30, 2009) installed a patch for IE7 and sometimes see just a solid gray bar, about an inch wide, vertically overlaid on the middle of the browser, which then freezes (or consumes 99% CPU). Another co-worker just had it happen too. Something screwy in the latest patch... :(

  • Anonymous
    July 31, 2009
    @EricLaw [MSFT]: Okay, this exactly means: Nothing harmful can happen to my PC, if I decline every UAC prompt by IE. This sounds imo good :) So we can say, Vista systems are by default secure of IE security holes, due to UAC. Btw, don't worry, my computer systems are up2date ;)

  • Anonymous
    July 31, 2009
    The comment has been removed

  • Anonymous
    July 31, 2009
    The comment has been removed

  • Anonymous
    July 31, 2009
    All votes were absurd thing to begin with. What we have asked about this opera and still are whining. Totally childish. To develop a browser that actually a little more useful if Opera wants the market share.

  • Anonymous
    August 01, 2009
    @Stefan: Protected Mode helps prevent writes to your disk, but (largely for compatibility reasons) does not attempt to prevent reads. You see a UAC prompt when attempting to launch an application or a batch file because IE knows that these are not likely to run properly at Low Integrity, and hence automatically launches the elevation UI.

  • Anonymous
    August 02, 2009
    Since the system automatically updated I am no longer able to download files nor to extract their contents! I have fiddled with Attachment Manager but to no avail. I have even attempted a system restore but Windows XP prevents me from selecting a restore point before 7/29. Help!!!!

  • Anonymous
    August 02, 2009
    @Eric: What exactly happens when you attempt to download files? What version of IE are you using?

  • Anonymous
    August 02, 2009
    IE 7/8 will die when opening the pages below: http://www.jazan.org/vb/showthread.php?t=146570 http://www.aldair.net/forum/showthread.php?t=81162 but it works with Firefox and Google Chrome. Please improve IE!!

  • Anonymous
    August 03, 2009
    The comment has been removed

  • Anonymous
    August 04, 2009
    Here is an update to the post about broken IE8 and Chrome: It was traced to the issue with Trend Micro Proxy Service - it literally "freaked-out" after the upgrade. I am trying to get a more technical description out of TrendMicro - I will post details as soon as I get them. Alex.

  • Anonymous
    August 04, 2009
    IE 7/8 on Vista/Windows 2008 will die when opening the pages below: http://www.jazan.org/vb/showthread.php?t=146570 http://www.aldair.net/forum/showthread.php?t=81162 but it works with IE 7/8 on Windows XP, Firefox and Google Chrome. It seems that IE on Vista cannot process large blocks of text in a web page. Please improve IE!!

  • Anonymous
    August 04, 2009
    Hi Harry, please try it on Vista/Windows 2008. Our Windows 2008 IE 7 is just the IE that comes with the OS, without additional plugins. IE on XP is OK. Thanks, William

  • Anonymous
    August 05, 2009
    @ Gord > the primary source for IE news (the IE Blog) isn't even running in Standards Mode in IE8? - not just renders weird but it flat out denied rendering in IE8 standards mode due to forced headers that force the IE Blog to help hold back the web. Gord, I too find this entirely incoherent, inconsequent, awkward and contradictory. And I said so in the past. An IE blog that is auto-logical and self-respects itself and all of its purposes should trigger standards compliant rendering mode in all IE browser versions. If Microsoft wants people to upgrade their IE browser version and then upgrade their webpage code (markup and CSS) accordingly, then IE blog (and all other major websites entirely under the control of Microsoft like MSDN which supposedly is there to teach how to create websites, to assist web authors) should show the example, promote and practice what they "preach". "How to upgrade a website to become web standards compliant" should be exemplified, demonstrated, illustrated by all of Microsoft websites themselves to begin with. regards, Gérard

  • Anonymous
    August 05, 2009
    Am I the only person who thinks that the IE team has far better things to be doing with their time? Would you rather have a shiny super-standardsy IEBlog which is (on the surface) indistinguishable from what they've got today, or would you rather have improved standards support, performance, reliability, etc., etc., in the next version of IE? I know what my vote is. I know how most of the world would vote. YOU are trying to hold back the web. Please don't distract the IE Team from working on things that actually matter.

  • Anonymous
    August 05, 2009
    Thanks Markus for bringing up the subject of improved-standards support. Today, the universal plea of web designers is that IE further adhere to web standards. The greatest example of waste today is the amount of hours spent by haggard web designers retroactively tweaking their sites in order for them to properly display in IE. The fact that IE8 cannot pass the Acid3 test is a prime example of its failure as a standards-compliant browser.

  • Anonymous
    August 05, 2009
    Alex, don't confuse ACID3 with what actual web developers want. You can pass ACID3 with flying colors and still have miserable support for standards. The IE team should focus on the standards that matter to developers and the evolution of the web, and not get sidetracked by silly stunts like the ACID3 test.

  • Anonymous
    August 05, 2009
    I tested IE8 from the beta to the final release. It is a great product, but I am having problems running Facebook, Twitter, Gmail, and other sites. I have reset IE to its defaults and it still doesn't load pages correctly. Right now I am running Google Chrome because IE8 isn't loading pages correctly. I noticed the problem two weeks ago. Is anyone else having a problem or do you guys have any suggestions?

  • Anonymous
    August 05, 2009
    Are there any plans to update IE so it can handle HTML5?

  • Anonymous
    August 05, 2009
    @Aska: IE8 supports several important HTML5 features (postMessage, DOMStorage, Online/Offline events, onhashchanged eventing). While still under construction, many web developers consider HTML5 a very important specification for future IE versions to support even further.

  • Anonymous
    August 05, 2009
    @dlh2009: What problems are you having specifically? What sorts of problems do you see? Do you see any error messages?

  • Anonymous
    August 05, 2009
    @EricLaw I thought DOM storage was no longer part of the HTML 5 spec but is now a separate spec.

  • Anonymous
    August 06, 2009
    I agree with the commenters above. The IE Blog should be running in Standards mode to back up the move in IE8 towards standards. Implementing this can take some time so we'll give you some time; however, in the meantime please post an article on the IE Blog talking about how to implement a site in IE8 Standards mode (with tips on the "top 5" things that may need tweaking to work in IE8 Standards mode). Once you have the post up, any future blog posts that talk about setting up a standards mode site can reference this post. Best of all, commenters can add their own tips on what breaks in IE8 standards mode and how to fix things that they've encountered (e.g. the infamous link and image alignment issues). tx

  • Anonymous
    August 06, 2009
    @hAl: As a security PM, I don't track the frequent changes to the HTML5 spec; we have other folks who do. At the time IE implemented it, DOMStorage was in the HTML5 spec. @Travis: Two things: first, the IE team doesn't actually develop the IEBlog site; we develop IE. There's some other group/vendor elsewhere that works on blog software. Second, we've done several such posts already. http://blogs.msdn.com/ie/archive/2009/03/12/site-compatibility-and-ie8.aspx is one overview which explains what you need to fix to get from a "requires Compatibility View" site to a Standards Mode site.

  • Anonymous
    August 06, 2009
    @Markus so give us an example of a browser that passes the ACID3 test and does poorly on real world standards compliance? @EricLaw Developers have been clamoring for SVG Tiny, and you guys still refuse to implement that.  Or even things as basic as standard DOM event handling? Version 8 has added things like color coded tabs to win over the masses, but done nothing to improve life for developers.  One would think that something as simple as ensuring IE Blog is standards compliant would go a long way towards proving how great IE's compliance with accepted standards is.  Right? (or maybe IE is just more broken than anyone at MSFT is willing to admit).

  • Anonymous
    August 06, 2009
    @Eric passing the buck is a cheap shot.  As far as the public is concerned there is one Microsoft releasing Internet Explorer.  A Microsoft authored blog about IE that's hacked up to make it work with IE makes all of the IE team look bad.

  • Anonymous
    August 06, 2009
    @EricLaw: The only error message that I see is the one in the left hand bottom corner that says Error in the IE status bar when trying to use the chat feature or the applications button on Facebook. It does the same thing on Twitter or it doesn't load Twitter at all.

  • Anonymous
    August 06, 2009
    @EricLaw: I also forgot about my Gmail problem. Gmail doesn't load correctly in IE8, even when I try to use the compatibility button.

  • Anonymous
    August 06, 2009
    Alex, you're obviously either a troll, or a competitor who's rooting against IE. Go away. Let the IE team work on web browsers and leave the stupid blog software to whatever people work on that. dlh2009, I use all of these sites with IE8 every day and have since the beta. Sounds like there's something wrong on your computer. You have the final version of IE8 and not some beta, right?

  • Anonymous
    August 06, 2009
    Alex-- Further, your baseless and incendiary claim that the blog site is somehow "hacked up" is just silly. If you use the developer tools to force the site to run in Standards mode, you'll see that it looks pretty much exactly the same.

  • Anonymous
    August 06, 2009
    @Ian That is correct. I have the final release version. It just started a few weeks ago. Does Facebook use JavaScript and is that the same as using Sun's Java software?

  • Anonymous
    August 06, 2009
    @Ian I am not sure if Java and JavaScript are the same or go hand in hand, but I uninstalled Java and reinstalled it and it seems to be working fine. Thanks for your help guys! Keep up the good work IE8 team, great product!

  • Anonymous
    August 06, 2009
    Hi! About IE8 system memory use. Test: system mem size 512 or 1000. Limit n windows IE8 -> 20...40 units; free system XP mem size -> zero. System near halted. If I close all 20...40 IE8 windows, system XP frees up system mem by 40-70 MB and stays stable later. Please check the IE8 mem use mechanism. Thanks, Ice

  • Anonymous
    August 06, 2009
    The comment has been removed

  • Anonymous
    August 06, 2009
    The comment has been removed

  • Anonymous
    August 07, 2009
    I upgraded the Sun Java runtime to the 6.0.15 version. Just to see if it made a difference I enabled the "Sun Plug-In 2 SSV Helper" addon. This still turned my tab starts into a slow pile of muddle, adding at least a second to the "new tab" time. I thought Sun was supposed to release a new IE8-friendly version by now. Adding a second to new tab starts for such a plugin is just ridiculous.

  • Anonymous
    August 08, 2009
    I find it funny that you tell us to go to the Windows Update web site when it won't even work for users of the 64-bit version of the browser.

  • Anonymous
    August 09, 2009
    Sal: So? Use the 32 bit version. Or download the patches yourself manually if you're into that sort of thing. Or, turn on Automatic Updates like the smart people.

  • Anonymous
    August 09, 2009
    Same here... working on IE 7. Thanks...