News

Internet Explorer Flaw Still Under Investigation

UPDATE -- The July patches are posted as of 1:40 p.m. Eastern time July 12. The fix for this flaw IS included. Click here for the story.

Microsoft continues to investigate a vulnerable component in Internet Explorer for which it posted a kill bit last week, but it is unlikely the software giant will include the fix as part of its monthly patching event on Tuesday.

In the worst case, the flaw can allow an attacker to take complete control of a victim's computer over the Internet. While no reports of attacks using the vulnerability have been reported to Microsoft, details of the flaw are public, creating a dangerous situation.

The flaw involves a COM object called the JVIEW Profiler (Javaprxy.dll), an optional component in the browser that provides an interface to a debugger in the Microsoft Java Virtual Machine. The JVIEW Profiler is not included by default in several versions of Internet Explorer, but it can be installed by applications with the Microsoft Java Virtual Machine or during an operating system upgrade.

After acknowledging the vulnerability in a security advisory on June 30, Microsoft completed an initial investigation and recommended disabling Javaprxy.dll. Last week Microsoft posted several downloads of kill bits to disable the component. The executable kill bit gives users a way to make the necessary change without trying to edit the Registry, where minor mistakes can have disastrous consequences for a system.

In the version of its security advisory with links to the downloads, Microsoft promised a complete fix for the issue will be released in an upcoming security bulletin. The advisory underscored the severity of the issue by raising the possibility that the bulletin could be released between monthly patch release dates.

The next monthly patch release date is Tuesday. Microsoft notified customers late last week that three bulletins were coming -- two for Windows and one for Office. While Microsoft could turn around and issue a bulletin for Internet Explorer on Tuesday, as well, the fact that Internet Explorer wasn't mentioned in the advance notification makes that unlikely. Microsoft's next monthly patching date falls on Aug. 9.

The Microsoft security advisory about the JVIEW Profiler is available at www.microsoft.com/technet/security/advisory/903144.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.

Most   Popular