News

Microsoft to Fix IE Ahead of Next Patch Tuesday

Microsoft vowed to release an out-of-cycle patch next week for Internet Explorer, its embattled browser that was shown to be so vulnerable by the recent Download.Ject problem that many security experts recommend that users stop using the product.

The company normally releases security patches the second Tuesday of each month, and the next scheduled date is Aug. 10. However, Microsoft does release patches and workaround earlier when a problem is extremely serious.

Download.Ject was a two-pronged attack that first exploits an IIS 5.0 Web server, which is then used to exploit a flaw in Internet Explorer. The IIS flaw has been patched for a long time, and only negligent IT operations could be affected. But to date there is no patch for Internet Explorer. The most fully patched Microsoft browser can be hit by the attack.

One of Microsoft's first actions was to shut down the specific server in Russia that compromised client systems pointed to with a downloaded trojan. Microsoft also released an IE workaround, also out-of-cycle, that was also not a patch.

The patch coming next week should close the vulnerability, Dean Hachamovitch, Microsoft's product unit manager for Internet Explorer, said during a monthly security Webcast for Microsoft customers on Wednesday. Customers "should have confidence, as long as they're running the latest browser [IE 6.0 SP1], with all the latest security updates, that they have the most secure and powerful browsing experience available," he said.

Hachamovitch blamed the long delay in coming up with a patch for the problem on the many versions of Internet Explorer and the many languages Microsoft supports. "There's going to be a patch for different versions of IE. IE 5.01, IE 5.5, and IE 6.0,” he said. “The release of a security update for those versions of IE is separate from the release of Windows XP [Service Pack 2] with enhanced security for IE."

"We look at all the subtle variations that they can go off and try. After we adjust an issue, we have to go through and make sure we have applications-type compatibility. Fixing a security issue and breaking things in the process isn't going to do a whole lot of good. We have to look across all the versions of Internet Explorer and Windows we support -- including IE 5.01 and 5.5, and 6.0, and across a variety of Windows platforms. When you throw in all the languages that we release the update in, we end up signing off on over 400 distinct security updates to give all our customers," Hachamovitch said.

He added that any quality problems discovered between now and next week could delay release of the patch.

About the Author

Joe McKendrick is an independent consultant and author specializing in surveys, technology research and white papers. He's a contributing writer for ENTmag.com.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.