News

Microsoft to Fix IE Ahead of Next Patch Tuesday

Microsoft vowed to release an out-of-cycle patch next week for Internet Explorer, its embattled browser that was shown to be so vulnerable by the recent Download.Ject problem that many security experts recommend that users stop using the product.

The company normally releases security patches the second Tuesday of each month, and the next scheduled date is Aug. 10. However, Microsoft does release patches and workaround earlier when a problem is extremely serious.

Download.Ject was a two-pronged attack that first exploits an IIS 5.0 Web server, which is then used to exploit a flaw in Internet Explorer. The IIS flaw has been patched for a long time, and only negligent IT operations could be affected. But to date there is no patch for Internet Explorer. The most fully patched Microsoft browser can be hit by the attack.

One of Microsoft's first actions was to shut down the specific server in Russia that compromised client systems pointed to with a downloaded trojan. Microsoft also released an IE workaround, also out-of-cycle, that was also not a patch.

The patch coming next week should close the vulnerability, Dean Hachamovitch, Microsoft's product unit manager for Internet Explorer, said during a monthly security Webcast for Microsoft customers on Wednesday. Customers "should have confidence, as long as they're running the latest browser [IE 6.0 SP1], with all the latest security updates, that they have the most secure and powerful browsing experience available," he said.

Hachamovitch blamed the long delay in coming up with a patch for the problem on the many versions of Internet Explorer and the many languages Microsoft supports. "There's going to be a patch for different versions of IE. IE 5.01, IE 5.5, and IE 6.0,” he said. “The release of a security update for those versions of IE is separate from the release of Windows XP [Service Pack 2] with enhanced security for IE."

"We look at all the subtle variations that they can go off and try. After we adjust an issue, we have to go through and make sure we have applications-type compatibility. Fixing a security issue and breaking things in the process isn't going to do a whole lot of good. We have to look across all the versions of Internet Explorer and Windows we support -- including IE 5.01 and 5.5, and 6.0, and across a variety of Windows platforms. When you throw in all the languages that we release the update in, we end up signing off on over 400 distinct security updates to give all our customers," Hachamovitch said.

He added that any quality problems discovered between now and next week could delay release of the patch.

About the Author

Joe McKendrick is an independent consultant and author specializing in surveys, technology research and white papers. He's a contributing writer for ENTmag.com.

Featured

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.

  • Report: Security Initiatives Can't Keep Pace with Cloud, AI Boom

    The increasingly fast adoption of hybrid, multicloud, and AI systems is easily outgrowing existing security measures, according to a recent global survey by the Cloud Security Alliance (CSA) and exposure management firm Tenable.