News

Microsoft to Fix IE Ahead of Next Patch Tuesday

Microsoft vowed to release an out-of-cycle patch next week for Internet Explorer, its embattled browser that was shown to be so vulnerable by the recent Download.Ject problem that many security experts recommend that users stop using the product.

The company normally releases security patches the second Tuesday of each month, and the next scheduled date is Aug. 10. However, Microsoft does release patches and workaround earlier when a problem is extremely serious.

Download.Ject was a two-pronged attack that first exploits an IIS 5.0 Web server, which is then used to exploit a flaw in Internet Explorer. The IIS flaw has been patched for a long time, and only negligent IT operations could be affected. But to date there is no patch for Internet Explorer. The most fully patched Microsoft browser can be hit by the attack.

One of Microsoft's first actions was to shut down the specific server in Russia that compromised client systems pointed to with a downloaded trojan. Microsoft also released an IE workaround, also out-of-cycle, that was also not a patch.

The patch coming next week should close the vulnerability, Dean Hachamovitch, Microsoft's product unit manager for Internet Explorer, said during a monthly security Webcast for Microsoft customers on Wednesday. Customers "should have confidence, as long as they're running the latest browser [IE 6.0 SP1], with all the latest security updates, that they have the most secure and powerful browsing experience available," he said.

Hachamovitch blamed the long delay in coming up with a patch for the problem on the many versions of Internet Explorer and the many languages Microsoft supports. "There's going to be a patch for different versions of IE. IE 5.01, IE 5.5, and IE 6.0,” he said. “The release of a security update for those versions of IE is separate from the release of Windows XP [Service Pack 2] with enhanced security for IE."

"We look at all the subtle variations that they can go off and try. After we adjust an issue, we have to go through and make sure we have applications-type compatibility. Fixing a security issue and breaking things in the process isn't going to do a whole lot of good. We have to look across all the versions of Internet Explorer and Windows we support -- including IE 5.01 and 5.5, and 6.0, and across a variety of Windows platforms. When you throw in all the languages that we release the update in, we end up signing off on over 400 distinct security updates to give all our customers," Hachamovitch said.

He added that any quality problems discovered between now and next week could delay release of the patch.

About the Author

Joe McKendrick is an independent consultant and author specializing in surveys, technology research and white papers. He's a contributing writer for ENTmag.com.

Featured

  • Image of a futuristic maze

    The 2024 Microsoft Product Roadmap

    Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.

  • SharePoint Embedded Becomes Generally Available

    After a six-month preview, SharePoint Embedded, an API-based version of SharePoint that developers and ISVs can use to embed Microsoft 365 capabilities into their apps, is now generally available.

  • Copilot in Microsoft 365 Getting Agents, Extensions and Team (Not Teams) Support

    Microsoft is adding more functionality to its Copilot AI assistant aimed at improving business collaboration, processes and workflows for Microsoft 365 users.

  • Microsoft Giving Startups Templates To Build AI Apps

    A new perk for businesses enrolled in the Microsoft for Startups Founders Hub program aims to fast-track their ability to build AI-powered applications.