Condividi tramite

IE December Out-of-Band release

  • Articolo

Internet Explorer is releasing an out-of-band update available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses one remote code execution vulnerability. The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.  For detailed information on the contents of this update, please see the following documentation:

This security update is rated Critical for all released versions of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments

  • Anonymous
    December 17, 2008
    Where is the patch for IE8 Beta 2 and IE8 Partner Build 18343 Pre-RC1? I've search through the Security Bulletin article and the KB article and not even 1 link to this supposedly available  patch for IE8.

  • Anonymous
    December 17, 2008
    @Patch: I was able to download the B2 patch (Security Update for Internet Explorer 8 Beta 2 for Windows Vista (KB960714))from Windows Update one hour ago (the patch was released 2 hours ago, as far as I'm aware). I can't say for any Pre-RC versions.

  • Anonymous
    December 17, 2008
    Could some brave soul let Mike Reavey know that - at the last count - there was still more than a single [MS] security partner.  Or maybe I got that wrong?  "over 24 different security partner’s products".  

  • Anonymous
    December 17, 2008
    @Patch For IE8 Beta 2, the Downloads are still going live right now.  They will be avaiable today. For those participating in the IE8 Technical Beta Program, a new Partner build is available that addresses this issue.  

  • Anonymous
    December 17, 2008
    @Martin Harvey Mike is correcting the post now.

  • Anonymous
    December 17, 2008
    Terry - that was quick and impressive.  These comments ARE acted on!  [Hope the messenger wasn't shot - I know what you NRA-types are like on your side of the big pond :)   ]

  • Anonymous
    December 17, 2008
    does this also apply to IE Mobile on Windows Mobile 6.1?

  • Anonymous
    December 17, 2008
    @alamfour You should contact your mobile phone provider to see if there is an update available.  

  • Anonymous
    December 17, 2008
    What is the build number for the fixed Partner Build release thats no longer vulnerable?

  • Anonymous
    December 17, 2008
    When will it be released through WSUS?

  • Anonymous
    December 17, 2008
    MS08-078 for IE8 Beta 2 is also available via the Microsoft Update Catalog: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=kb960714

  • Anonymous
    December 17, 2008
    Should IE8b2 patch be up for Vista 64 bit with SP2 beta? Or is SP2 beta+IE8b2 not affected?

  • Anonymous
    December 17, 2008
    IE Beta 2 has a much faster starting time on my machine than it used to. Was this just a security update or did something else additionally get changed? It was literally taking longer than Firefox 3 (with 15 add-ons installed). As it would sit there for up to 10 seconds before the UI became responsive.

  • Anonymous
    December 17, 2008
    The comment has been removed

  • Anonymous
    December 17, 2008
    I applied the update and when I tried to do ANYTHING on the internet the window just froze and nothing loaded.  I had to go through system restore to get the internet back.  What Gives!!

  • Anonymous
    December 17, 2008
    No update for IE8 Beta 2 in Vista SP2 Beta?

  • Anonymous
    December 17, 2008
    I agree with Jan Dzikowski... Terry - where is the patch for IE8b2 on Vista SP2 machines????? The IE8b2 for Vista patch says it "does not apply"

  • Anonymous
    December 17, 2008
    Dear IE team, my feeds still not showing its favicon even I have te latest build of IE8 Partner Build! image:http://img67.imageshack.us/img67/9828/46993780fu5.jpg

  • Anonymous
    December 17, 2008
    What of us old school system users before the 2000/XP/Vista Generation? I use IExplorer 6 Sp1 and find no applicable update to protect my system from the exploit. My machine is already compromised and I'm finding no resources to correct the intruders ability to control my pc other than my Nortons web security firewall, with no gaurenteed certainty.

  • Anonymous
    December 17, 2008
    The new IE8 Partner build is 8.0.6001.18344. It contains the fix to this critical security bug. The previous build 8.0.6001.18343 is vulnerable. Pre 2000 OS, you're out of luck, MS stopped supporting and releasing updates for Win9x 2 years ago. Switch to another browser.

  • Anonymous
    December 17, 2008
    The comment has been removed

  • Anonymous
    December 17, 2008
    @ABE: I had something similar recently. It usually means something else trashed a system file (in my case, it appeared to be a Java update). Typically they shipped a Windows DLL with their install package which isn't meant to be redistributed, and it was the wrong version. This may not have been incompatible with earlier versions of IE, but now is: it simply isn't possible to test with all combinations of libraries. Best approach - if you can get it to do it - is to run "sfc /scannow" to check and repair system files, assuming you're on Windows XP or earlier. Windows Vista has a different approach to protecting system files that shouldn't even allow it to happen, but sadly idiots are inventive and I've seen them asking how to do it on developer forums. If even sfc won't start - possible - then you'll probably need to do a repair install of Windows. Remember that all Microsoft security updates have FREE SUPPORT. Go to support.microsoft.com and ask for it.

  • Anonymous
    December 17, 2008
    IE8 RC1 - Open in new tab - not work - Ony Connecting ... and freez . Owa 2003 ( Exchange 2003 SP2 with all updates ) - not work Tested on Vista SP1 / SP2 beta and IE8 RC1

  • Anonymous
    December 18, 2008
    "Open in new tab" is, as Szymon said, not working anymore in the very last build 18344 (it was working on 18343). Either Ctrl + click or right click > open in new tab, nothing happens after a new tab is created, it remains blank. It makes this IE8 build almost unusable :-/

  • Anonymous
    December 18, 2008
    @18344 - I run ME. Likewise, MS stopped support recent as August. Can't run FF. Recommendations on alternative Browser?

  • Anonymous
    December 18, 2008
    Pre2kOS, Windows ME isn't safe... period.  There's nothing that you can install that will make it safe, short of a newer operating system which was designed with security in mind.  Sorry for the bad news, but anyone that tells you otherwise is a fool or trying to sell something.

  • Anonymous
    December 18, 2008
    @Dave - Is there a way to transfer my Emachine XP OS to a non Emachine? I couldn't get the Emachine to set up a second HDD I installed in it.

  • Anonymous
    December 18, 2008
    IE has updated KB 960714 to include the supported patches for Microsoft Beta Products with direct links to the packages.  

  • Anonymous
    December 18, 2008
    Sorry to possibly ask a question already asked...but what about the IE 8 RC1 that was just released about a week ago? I ran Windows Updates on my Vista lastnight and it picked up the patch.  So, am I OK now? Or am I reading there is a new IE8 RC1 out already from last week again? I hope I'm making sense. Regards, Bob

  • Anonymous
    December 18, 2008
    @Jan Dzikowski @Glen Security is the priority here.  If you are running Vista SP2 Beta with IE 8 Beta 2,  I suggest you uninstall one of the two beta products to get a patch that will make you secure.  Vista SP2 Beta was not a released product when IE 8 Beta 2 shipped.  Technical issues prevented us from building a patch for this particular scenario.  

  • Anonymous
    December 18, 2008
    Ok, so I updated my XP SP3 - IE8 PR1 build to IE8 PR1-Build 8.0.6001.18344 today (with the whole uninstall, reboot drama) Now, I load up IE8... and discover this bug (I'm not sure if it existed in the previous IE8 build) 1.) Open a brand new tab. 2.) Click on a Bookmark (Favorite) on your Links toolbar, That is IN a folder, that opens a page with a login form (e.g. Gmail), that AUTOMATICALLY places focus in the first field (e.g. username) Opening the page ANY other way works, but in IE8 if you open the page from a nested link in your bookmarks IE gives the LOCATION Bar focus() AND select() and the form on the page gets NO focus. Essentially this makes bookmarks a step backward in usability. :-( thanks

  • Anonymous
    December 18, 2008
    Fixing typo. @Bob: Please keep in mind: IE8's RC build will be released in the first quarter of next year.  I suspect that you're referring to the "IE Partner Build" which you downloaded from Connect as a member of the tech beta.  This build is not patched by WindowsUpdate. The Partner build should be uninstalled (v18343) and the new partner build (v18344) should be installed from Connect. @Ant: We're not able to reproduce the issue you've reported.  Does this problem reproduce in no-addons mode?  www.enhanceie.com/ie/troubleshoot.asp#crash

  • Anonymous
    December 18, 2008
    Eric, Thank you for the quick reply. Yes, the Partner Bulid is what I refer too. I will get the new IE Partner Build V18344. Odd then why did Windows Updates on Vista grab the IE patch yesterday for me with me runningn the v18343 Partner Build? Regards, Bob

  • Anonymous
    December 18, 2008
    > IE has updated KB 960714 to include the supported patches for Microsoft Beta Products with direct links to the packages.   I see there's package for Windows 7 but not Vista x64 >>SP2 beta<< and the non-beta one doesn't install.

  • Anonymous
    December 18, 2008
    @drd: http://support.microsoft.com/kb/960714 has links to the update for IE7 on Windows Vista SP2 Beta.   For IE8 on Windows Vista SP2 beta, please refer to Terry McCoy's comment above.

  • Anonymous
    December 18, 2008
    Question: Why within IE6 and IE7 (haven't tried IE8 because I don't want to create another Virtual Image for it) if you are submitting a form with 1 input for text and 1 input for a submit button? It will only post the 1 input value and not the submit value. Yet, if you have 2 visible input text and 1 input for submit. You will post both input text boxes and the submit. Firefox and all the other browsers will POST the submit value when there is only 1 input text within the form. Thanks for making me waste an hour to find that out.

  • Anonymous
    December 18, 2008
    Oh, I forgot to add that this is only when you hit the enter key from the input text and not by mouse clicking the submit.

  • Anonymous
    December 18, 2008
    @Terry McCoy There is more than one Glen here. I also asked a question :P (and I didn't have any add-ons installed for IE - so I don't think a bad add-on was to blame). @Mikey Oh the joys of writing HTML for IE. The character set sent to the client can affect font behavior for INPUT controls. MSIE 8 will support defineGetter/defineSetter, but only for DOM elements (which is the exact OPPOSITE of what Firefox did with 2.0). Gotta love the ugly stretched buttons, and stupid pop-up behavior (open document in new window, IE blocks download, and closes window without showing the bar at the top - which can be worked around but is still annoying that I had to waste time working around it) too. At least it doesn't have the bizarre issue Firefox 3 seems to have with it's pop-up blocker where it all the sudden breaks and starts blocking ALL pop-ups when it's OFF (only fix seems to be restarting the browser).

  • Anonymous
    December 19, 2008
    Although not strictly related to the post I wondered, when new VPC images for IE6/7/8 will be available. All three of them expire on 25th of December.

  • Anonymous
    December 19, 2008
    @Glen Fingerholz: re: "bizarre issue Firefox 3 seems to have" - must be quite bizarre because this is the first time I've heard about it and Firefox 3 has been out for like 6 months! As for the stretched buttons in IE, man am I ever glad they fixed that - it looked/looks horrible!

  • Anonymous
    December 19, 2008
    Hi this is the first time i am writing on a blog. I have vista IE and it is keep stop working. I have tried everything but noting seem to work. Can anyone give me some advice to what to do? Thank you Mets

  • Anonymous
    December 19, 2008
    @Mets: Buggy addons are the number one source of crashes.  Please see www.enhanceie.com/ie/troubleshoot.asp#crash for info on troubleshooting.

  • Anonymous
    December 19, 2008
    I have a little problem with the Beta 2 connect build (18343)... When I use middle click for the sensitive scrolling, if I push the mouse too far, it will automatically jump to the beginning/end of a page. The previous beta 2 (and all other IE versions) just scrolled really really fast, which is what I would prefer. The margin for the auto-jump-to-top/bottom is also very low, so I often do it accidentally, which can be confusing when reading a longer page. Is this a bug, or intentional? If it's intentional, is there a way to revert to the older way it was handled?

  • Anonymous
    December 20, 2008
    Thanks Terry and Eric.  Greatly appreciate your response in regards to IE8b2 on Vista SP2. It would have been good if the KB article actually stated this outright ;-) Cheers, Glen

  • Anonymous
    December 20, 2008
    I love the new IE 8, but one feature I find missing and love in other browsers is multiple rows for tabs. The new commands for the tabs are a step in the right direction and it is much faster than Beta 1

  • Anonymous
    December 21, 2008
    The IE8b2 for Vista patch says it "does not apply"

  • Anonymous
    December 21, 2008
    It was the most compatible thing Microsoft has done for IE. It worked in IE 5,6,7 and 8!

  • Anonymous
    December 21, 2008
    I guess the Washington snow will probably hinder Microsoft employees somewhat ?

  • Anonymous
    December 21, 2008
    nothing changed really. i ask myself when it will have the ability to handle plugins like FF

  • Anonymous
    December 22, 2008
    I'm spamming: same was posted in the previous "CSS corner" IE blog post. Still, I've spell-checked and expanded this one. Having downloaded the Partners Build (I'm not part of the program), I'm happy - and not. Happy:

  • the "onDOMmodified" scrolling bug (all scrollings are reset to 0 on DOM modification, including CSS changes on pseudo-elements like :hover) is gone. Yay!
  • the problem of disappearing generated content when there's a lot of it on a page seems gone. Yay²!
  • negative margins and text indents on generated content (that one was mine, better explained then reported by G. Talbot) not applied bug is gone. Yay cubed! BUT there is now a new problem that these bugs used to hide:
  • negative bottom margins are not properly applied on generated content when parent content is resized without being followed by a screen repaint Updated, simplified, one-file-does-all (using embedded base64 encoded image) test cases: http://moneyshop.perso.cegetel.net/moneyshop/testcases.html Please note: IE 8 is incredibly slow compared with other browsers that are installed in this virtual machine... Could it be caused by a bad relationship with the generic VESA driver?

  • Anonymous
    December 22, 2008
    ...to add to my above comment, it seems that margins are wrongly removed/packed/collapsed in some cases. Try the third test case and watch the last paragraph's placement: it jumps around when you refresh the screen.

  • Anonymous
    December 22, 2008
    @Alan Adı For IE plugins go to http://www.ieaddons.com/

  • Anonymous
    December 22, 2008
    @hAl: Actually, some are heroically driving to work through the snows, while others are able to work remotely through our VPN/RAS network -- we use the Internet for more than just browsing. :-)

  • Anonymous
    December 22, 2008
    @Eric I did not think the IE team trusted the internet well enough to use it for accessing their work ;-)

  • Anonymous
    December 22, 2008
    @EricLaw [MSFT] Hi Eric, as my users are coming from all the wonderful browsers such as IE6, IE7, and IE8 (soon). I was wondering if your team will be able to compile a list of "features" that have been switched from IE7 to the new IE8 beta in a easy to search list. It will allow me and others to know what behaviors have been changed between IE7 and IE8 instead of having to transverse the blog (which doesn't explain all the changes. e.g. Javascript, CSS, and HTML differences). Will we get a change log for IE8 soon, or if it has already been published, where can I find it?

  • Anonymous
    December 23, 2008
    @Mikey - a change log? from Microsoft? for IE? ROFLOL! Oh man wouldn't that be amazing! Like a complete list of all the changes so we know which things are now broken, which ones are fixed, and which ones were untouched. If you've followed this blog (and the comments on it (and in the IE chats)) since July 21, 2004 http://blogs.msdn.com/ie/archive/2004/07/21/190687.aspx Lets see, that would be (carry the one) 4 and a 1/2 years ago... you'd know that there is a 0.0000000367% chance of a change log being announced. More importantly there likely won't be one because it exposes everything that was actually broken. Most of the PR work for IE8 talks about "moving towards better interoperability" type stuff, not: we fixed over 2 dozen DOM method calls to actually do what they are supposed to according to the specs. Don't get me wrong I think IE8 is full of progress for moving towards standards compliance however I have major doubts that there will ever be a change log. Moreso I fully expect that when IE8 RTM launches, it will launch as: "IE8 the most standards compliant browser" since they will likely be closest to a full CSS2.1 spec in terms of coverage... but this won't cover the "yeah but" stuff, where CSS is great and all but we'd like to be able to set w3c event listeners, set .innerHTML without errors etc. As for right now, we still have to force IE7 rendering for our sites because they fall apart in IE8 in "standards" mode.

  • Anonymous
    December 23, 2008
    http://www.me.com/ doesn't work in IE8 Beta 2 or Pre-RC1 18344.

  • Anonymous
    December 23, 2008
    Could someone please confirm if the middle click scroll bug I mentioned happens in build 18344, don't want to reboot 3 times in case its not working, thanks.

  • Anonymous
    December 23, 2008
    I've noticed some webpages don't work in IE7 since the latest update. I think there's a problem with certain javascript code. Seems to run fine in Chrome. Can you view www.ted.com for example? I get a "dojo is undefined" error. Have tried turning security settings down, etc.

  • Anonymous
    December 23, 2008
    paul i have same problem here www.ted.com give an error

  • Anonymous
    December 23, 2008
    @Paul/Gabe: Looking at the network traffic from Ted.com using Fiddler2, the URL: http://www.ted.com/js/dojo/dojo-3572873149.js is currently returning HTTP/404. This happens regardless of browser (and also occurs for the /css/safari.css file).

  • Anonymous
    December 24, 2008
    Peter, rather than posting a senseless rant like this, why not explain exactly what happens?  Did you try the "Reset IE to defaults" button on the Tools / Options / Advanced screen?

  • Anonymous
    December 25, 2008
    Of course the security update is rated critical, it's a Microsoft product.  That's not to say all MS products are bad, they're just incredibly sloppy.  The manager of this IE8 project needs to be sacked as they have already cost themselves in marketing and respect from the community.  A humiliating beta release and nothing on any professional level since. It's not tricky, guys.  Just BUILD A GOOD PRODUCT and people will take it.  But you can't, can you?  It's eternally sad, so many resources but not a drop to write good code with. I'm sure there are fantastic programmers working on this project, but the person making the calls needs to be shown to the door because they are consistently destroying any credibility that IE8 had, before we've even seen an official release. ALL WE WANT IS A BROWSER THAT LETS US LOOK AT WEB SITES AND MOSTLY PLAYS WELL WITH OTHERS. PLEASE.

  • Anonymous
    December 25, 2008
    totally agree with Andrew. manager must dismiss

  • Anonymous
    December 26, 2008
    The comment has been removed

  • Anonymous
    December 26, 2008
    @Mikey > submitting a form with 1 input for text and 1 input for a submit button (...) will only post the 1 input value and not the submit value. Mikey, I reported and filed a bug at connect IE beta feedback for you baesd on your excellent description. It must be said that such bug had been filed before (see bug 362726) and was closed (not reproducible) on august 27th 2008 and the original bug reporter did not reactivate the bug. connect.microsoft.com/IE/feedback/ViewFeedback.aspx?FeedbackID=389736 If you can visit bug 389736 webpage and vote for that bug, it would help... Bug entry: www.gtalbot.org/BrowserBugsSection/MSIE8Bugs/#bug204 www.gtalbot.org/BrowserBugsSection/MSIE7Bugs/#bug173 Season's greetings, Gérard

  • Anonymous
    December 27, 2008
    .. . MERRYCHRISTMAS!* AND .. . HAPPYNewYear 2009

  • Anonymous
    December 28, 2008
    IE8 Partner Release 1 has a bug when zooming text content it chops things off.. See the 404 that was listed above.. http://www.ted.com/js/dojo/dojo-3572873149.js when the 404 page comes up, zoom in 2, 3 or 4 times with [ctrl] + [+]. The top/bottom of many lines of text gets chopped. (this happens on lots of sites, but this sample is the easiest to find/see.

  • Anonymous
    December 28, 2008
    It's the first time, where i visit this Blog. I come from Germany and wish all the best for          2 0 0 9 !

  • Anonymous
    December 28, 2008
    What about SVG support ? I read that IE8 will not support it ? But SVG is a standard and all the other browsers already support it !

  • Anonymous
    December 29, 2008
    GabrielH, if you look at the charts, no popular browser fully supports SVG.  Various addons are available for each browser to add SVG support. The SVG standards are EXTREMELY complicated and add a lot of redundant functionality.  They're a good example of a poor standard.

  • Anonymous
    December 30, 2008
    Since this out of band update IE7 has been taking up way more memory then usual on both XP(work machine) and Vista(home machine)  I realize I probably keep my windows open way longer then normal (either until they crash or time for the new months round of updates, so nothing has changed Eric ;) )

  • Anonymous
    December 30, 2008
    I hope to hear this story with the 2 fake papers in IEEE Conferences. One fake paper was accepted in an IEEE Conference in February 2008 and another 20 days ago. More details: http://iaria-highsci.blogspot.com/ http://tinyurl.com/7dbpeq http://tinyurl.com/95r5sm http://sites.google.com/site/ieeeconferences/