Microsoft to Fix IE Ahead of Next Patch Tuesday

Microsoft vowed to release an out-of-cycle patch next week for Internet Explorer, its embattled browser that was shown to be so vulnerable by the recent Download.Ject problem that many security experts recommend that users stop using the product.

The company normally releases security patches the second Tuesday of each month, and the next scheduled date is Aug. 10. However, Microsoft does release patches and workaround earlier when a problem is extremely serious.

Download.Ject was a two-pronged attack that first exploits an IIS 5.0 Web server, which is then used to exploit a flaw in Internet Explorer. The IIS flaw has been patched for a long time, and only negligent IT operations could be affected. But to date there is no patch for Internet Explorer. The most fully patched Microsoft browser can be hit by the attack.

One of Microsoft's first actions was to shut down the specific server in Russia that compromised client systems pointed to with a downloaded trojan. Microsoft also released an IE workaround, also out-of-cycle, that was also not a patch.

The patch coming next week should close the vulnerability, Dean Hachamovitch, Microsoft's product unit manager for Internet Explorer, said during a monthly security Webcast for Microsoft customers on Wednesday. Customers "should have confidence, as long as they're running the latest browser [IE 6.0 SP1], with all the latest security updates, that they have the most secure and powerful browsing experience available," he said.

Hachamovitch blamed the long delay in coming up with a patch for the problem on the many versions of Internet Explorer and the many languages Microsoft supports. "There's going to be a patch for different versions of IE. IE 5.01, IE 5.5, and IE 6.0,” he said. “The release of a security update for those versions of IE is separate from the release of Windows XP [Service Pack 2] with enhanced security for IE."

"We look at all the subtle variations that they can go off and try. After we adjust an issue, we have to go through and make sure we have applications-type compatibility. Fixing a security issue and breaking things in the process isn't going to do a whole lot of good. We have to look across all the versions of Internet Explorer and Windows we support -- including IE 5.01 and 5.5, and 6.0, and across a variety of Windows platforms. When you throw in all the languages that we release the update in, we end up signing off on over 400 distinct security updates to give all our customers," Hachamovitch said.

He added that any quality problems discovered between now and next week could delay release of the patch.

About the Author

Joe McKendrick is an independent consultant and author specializing in surveys, technology research and white papers. He's a contributing writer for


  • Google Goes Live with Managed Service for Microsoft Active Directory

    Google's Managed Service for Microsoft Active Directory is now a "generally available" service, according to a Thursday Google announcement.

  • Dell Sells RSA Assets for $2 Billion

    Dell's RSA security solutions businesses, including the RSA Conference, were bought by a consortium of companies for about $2 billion, according to Tuesday announcements.

  • How To Get Started as a Windows Insider

    Microsoft's Windows Insider program is invaluable for IT pros who want to test drive new Windows 10 features before the update rolls out to their entire organization. If you haven't already signed up to be an Insider, here's how to do it.

  • Old Fashioned Mics

    Microsoft Preps for RSA Conference with Multiple Security Product Announcements

    Microsoft announced various enterprise security solution product milestones this week in advance of the forthcoming RSA Conference, which will start on Feb. 24.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.