News

Microsoft to Fix IE Ahead of Next Patch Tuesday

Microsoft vowed to release an out-of-cycle patch next week for Internet Explorer, its embattled browser that was shown to be so vulnerable by the recent Download.Ject problem that many security experts recommend that users stop using the product.

The company normally releases security patches the second Tuesday of each month, and the next scheduled date is Aug. 10. However, Microsoft does release patches and workaround earlier when a problem is extremely serious.

Download.Ject was a two-pronged attack that first exploits an IIS 5.0 Web server, which is then used to exploit a flaw in Internet Explorer. The IIS flaw has been patched for a long time, and only negligent IT operations could be affected. But to date there is no patch for Internet Explorer. The most fully patched Microsoft browser can be hit by the attack.

One of Microsoft's first actions was to shut down the specific server in Russia that compromised client systems pointed to with a downloaded trojan. Microsoft also released an IE workaround, also out-of-cycle, that was also not a patch.

The patch coming next week should close the vulnerability, Dean Hachamovitch, Microsoft's product unit manager for Internet Explorer, said during a monthly security Webcast for Microsoft customers on Wednesday. Customers "should have confidence, as long as they're running the latest browser [IE 6.0 SP1], with all the latest security updates, that they have the most secure and powerful browsing experience available," he said.

Hachamovitch blamed the long delay in coming up with a patch for the problem on the many versions of Internet Explorer and the many languages Microsoft supports. "There's going to be a patch for different versions of IE. IE 5.01, IE 5.5, and IE 6.0,” he said. “The release of a security update for those versions of IE is separate from the release of Windows XP [Service Pack 2] with enhanced security for IE."

"We look at all the subtle variations that they can go off and try. After we adjust an issue, we have to go through and make sure we have applications-type compatibility. Fixing a security issue and breaking things in the process isn't going to do a whole lot of good. We have to look across all the versions of Internet Explorer and Windows we support -- including IE 5.01 and 5.5, and 6.0, and across a variety of Windows platforms. When you throw in all the languages that we release the update in, we end up signing off on over 400 distinct security updates to give all our customers," Hachamovitch said.

He added that any quality problems discovered between now and next week could delay release of the patch.

About the Author

Joe McKendrick is an independent consultant and author specializing in surveys, technology research and white papers. He's a contributing writer for ENTmag.com.

Featured

  • Moving an Old VM to a New Hyper-V Host

    So you want to know whether a Hyper-V virtual machine built on a legacy host will be supported by a newer server? There's a PowerShell command for that.

  • Microsoft Previews Azure Bastion Service for Private VM Access

    Microsoft on Tuesday announced a preview of the Azure Bastion service, which lets a user connect to an Azure virtual machine (VM) using a private Internet connection.

  • Microsoft Deprecating Windows To Go

    Microsoft plans to put an end to its Windows To Go product in the near future, according to a Friday support article.

  • Microsoft Releases Hyper-V Server 2019 After Long Delay

    Acknowledging that the release took "way too long," Microsoft has made Hyper-V Server 2019 available for download from the Microsoft Evaluation Center page.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.