Critical remote IE exploit patch due Tuesday

Microsoft is planning to release two out-of-band security patches on July 28, 2009.

Officials warned in an advance security bulletin that the Internet Explorer vulnerability is critical for Windows XP (IE 6/7/8) and Windows Vista (IE 7/8). It's not yet clear whether Windows 7 is affected. The issue is rated critical and classified as remote code execution.

Microsoft also plans to plug a moderate hole in Visual Studio. Microsoft Visual Studio .NET 2003, 2005 and 2008 are all affected, and the Visual Studio patch is thought to resolve an issue that can affect certain types of applications.

According to Mike Reavey, Group Manager for the Microsoft Security Response Center (MSRC), "the Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin."

Whilst Microsoft officials declined to comment on the specifics of the issues, both were privately and responsibly reported.

Both patches will be available at 10:00 AM Pacific Time next Tuesday, July 28, 2009. Windows Update will be the primary way for end users to receive the updates.

Does anyone else love the "Related News" section at the top? I love seeing articles from like 5 years ago on there. "Microsoft Internet Explorer 7.0 program details begin to leak"

With Blackhat & Defcon conferences next week it's well expected that there will be revealed plenty of 0day exploits across all browsers, it happens every year.

Whilst Microsoft officials declined to comment on the specifics of the issues, both were privately and responsibly reported.

I wonder how critical is this IE exploit, Microsoft wont even say anything about it.

They'll give out more info the day the patches go live. Why give out more details for a exploit before you have the fix ready? That's just asking for trouble.

GP007 said,
They'll give out more info the day the patches go live. Why give out more details for a exploit before you have the fix ready? That's just asking for trouble.

No, because the people who would exploit this vulnerability already know; the only ones who don't know are us. This does not work, so why does MS keep doing things this way? Why not tell us what services we need to switch off, or in fact to use a different browser until the fix is out.

cakesy said,
...or in fact to use a different browser until the fix is out.

Because telling your customers to use the competition until your broken product is fixed is the stupidest idea in the world.

cakesy said,
No, because the people who would exploit this vulnerability already know; the only ones who don't know are us. This does not work, so why does MS keep doing things this way? Why not tell us what services we need to switch off, or in fact to use a different browser until the fix is out.

Nowhere in the article does it say this exploit is being actively targeted at this point. MS has given out workarounds in KB articles before patches are ready when a threat is being actively targeted. That doesn't sound like the case now.

So I don't know what you're going on about yet again. Seriously, you need to cut down on posts full of misinformation and bias.

Chrono951 said,
Because telling your customers to use the competition until your broken product is fixed is the stupidest idea in the world.

I think what he's trying to say is why postpone a fix that is already done just because it isn't a Tuesday yet? Linux doesn't care if it's Tuesday or which Tuesday it is when a vulnerability is found.

Foxxx428 said,
I think what he's trying to say is why postpone a fix that is already done just because it isn't a Tuesday yet? Linux doesn't care if it's Tuesday or which Tuesday it is when a vulnerability is found.

Except he, and others, are missing the point of what MS is doing. They give advance notice of patches a week ahead so businesses can be ready. It's the whole reason they went to a monthly schedule and give a heads-up. This is what sys admins wanted, and that's what happened.

MS used to release patches whenever in the past, but that only made things more of a pain for admins with all the rebooting and unscheduled downtime.

It only takes a bit of time to think about it to understand; clearly some, though, just post away without doing so.

GP007 said,
...
It only takes a bit of time to think about it to understand; clearly some, though, just post away without doing so.

And if you take your own "think clearly" advice, you can clearly see that admins could elect to collect the patches and install at their own monthly/weekly schedule or what-not.

Just because a patch is released on a certain timeframe (daily, for example) doesn't require you to update internally at the same rate.

markjensen said,
And if you take your own "think clearly" advice, you can clearly see that admins could elect to collect the patches and install at their own monthly/weekly schedule or what-not.

Just because a patch is released on a certain timeframe (daily, for example) doesn't require you to update internally at the same rate.

Sure it doesn't, but admins wanted a schedule to go by and thus MS changed it to monthly. I have thought about it clearly already; maybe you didn't read the part in my post where I stated that this is what business requested?

Also, this isn't about the actual release of the patches, just the fact that MS gives a heads-up warning that patches are coming on a specific date so admins can be ready.

Chrono951 said,
Because telling your customers to use the competition until your broken product is fixed is the stupidest idea in the world.

Sure, it is not a great idea, but if the alternative is to have your customers' systems compromised, I think it is the better solution.

And to the joker who couldn't find the part of the article talking about the exploit being actively targeted: you are completely missing the point. If there is an exploit out there, ALWAYS ASSUME IT IS BEING EXPLOITED. To do anything else is idiotic and ignorant. Maybe you are happy waiting for it to be proven to you by someone else taking over your systems, but people who actually care about security do not act so stupidly, or they would be out of a job.

Always assume the worst; don't just stick your head in the sand. If it means using a competitor's products to ensure your systems are safe, then do it.

Gee, I sure hope you don't work anywhere important.

cakesy said,
Sure, it is not a great idea, but if the alternative is to have your customers' systems compromised, I think it is the better solution.

And to the joker who couldn't find the part of the article talking about the exploit being actively targeted: you are completely missing the point. If there is an exploit out there, ALWAYS ASSUME IT IS BEING EXPLOITED. To do anything else is idiotic and ignorant. Maybe you are happy waiting for it to be proven to you by someone else taking over your systems, but people who actually care about security do not act so stupidly, or they would be out of a job.

Always assume the worst; don't just stick your head in the sand. If it means using a competitor's products to ensure your systems are safe, then do it.

Gee, I sure hope you don't work anywhere important.

Oh, that's cute.

Assuming the worst is fine; that's not the point at all. Missing it? You don't make one anyway. You say MS always does this, which is wrong. If need be, they do list workarounds if there are any. In this case you know it's an IE problem, so you play it safe when you visit websites or use another browser.

You want MS to actually tell you to use something else? If you're supposed to always assume the worst on your own, shouldn't you then use your common sense to use something else on your own anyway?

Your original comment thus has no real point at all. If this was a problem with a service they'd say so, and they have before, and also tell you to switch it off, or offer to make any system changes automatically through their Fix It service. In this advance warning you know what is affected, IE; what more do you actually want? You assume that everyone knowing the exact details of the exploit would somehow make people safer? Are we all supposed to be expert coders able to fix this problem on our own?

IE is affected; that's what you need to know. It's not a service or an add-on, it's the app: you either surf with it safely and don't visit dodgy sites, or use something else.

Windows 7 has already RTM'ed, so this means the new OS from Microsoft will have a critical security exploit when it's released?
Doesn't sound right...

Lechio said,
Windows 7 has already RTM'ed, so this means the new OS from Microsoft will have a critical security exploit when it's released?
Doesn't sound right...

What!!! Like every other version of Windows released.

Actually, I wonder if MS has started printing these DVDs yet, that might be a little embarrassing for them. At least they discovered it now, and not on launch day.

There will probably be many patches to come after the RTM and before GA. That's why there is a magical service called Windows Update.

cakesy said,
What!!! Like every other version of Windows released.

Actually, I wonder if MS has started printing these DVDs yet, that might be a little embarrassing for them. At least they discovered it now, and not on launch day.

What!!! Like every other piece of software released.

Fix'd.

GP007 said,
What!!! Like every other piece of software released.

Fix'd.

Actually Windows isn't like every other piece of software. It's an OS, and it's used by millions. So this affects all of that user base. A critical exploit like this should not be in IE, as Windows relies on a browser for downloading and installing new software. This may well be a "show stopper exploit" and I believe it should get fixed and not go into production.
Correct me if I'm way out, that's the way I feel about it.

idoia said,
So glad we Europeans don't get any IE, it's like a blessing

You prefer no browser over a browser which you don't like?
Suit yourself.

lol idoia+1 im form USA but im happy for u Europeans that u don't have IE wish they did same in USA id be rly happy

Wow, you must be a really sucky developer hotdog, if you like seeing users get their personal information stolen or losing all their files.

max1c said,
lol idoia+1 im form USA but im happy for u Europeans that u don't have IE wish they did same in USA id be rly happy

I'd just be happy if people could learn how to spell.

Even though they have a browser project over at R&D that doesn't mean they'll be ditching IE anytime soon. At the least I see IE9 as maybe being the last "IE" they do before using something new but keeping the name.

Randomiser said,
They are ditching IE.

If they don't ditch ActiveX with it whatever the replacement is going to be is going to have the same security problems.

Why are you stuck on ActiveX? It's optional, just another add-on/plug-in for IE7 and 8. I've turned it off since very very few sites even use it. It's just like Java or Flash, turn it off and it's not a security risk anymore.

It's about time they start working on the next version of IE as well imo. Win7 is RTM'd now so IE8 for Win7 won't see any changes now outside of security patches. Time to move on with IE8.5 or 9.0, whatever they go with.

GP007 said,
It's about time they start working on the next version of IE as well imo. Win7 is RTM'd now so IE8 for Win7 won't see any changes now outside of security patches. Time to move on with IE8.5 or 9.0, whatever they go with.

Actually they should ditch IE and make something from scratch and have it not based on ActiveX.

ActiveX is just a plug-in of sorts; you don't even have to use it and can turn it off fully. So I don't see how you can say it's based on ActiveX.

ActiveX has nothing to do with it. The IE browser is an ActiveX control, just like in OS X the WebKit browser is a control, and this is a perfect example of how something is blamed for a fault when it has nothing to do with the problem. ActiveX is just a different way of doing plug-ins in the browser.

There are plug-in models for Safari, FF, Opera, etc. When a security flaw shows up in, for example, Flash on those browsers, Adobe is blamed for having a security flaw. When a security flaw appears in Flash on IE via ActiveX, the finger is immediately pointed at that "horrible security track record of the evil M$ and their poorly designed ActiveX model". There is no security difference between ActiveX and the plug-in models of other browsers. An ActiveX control and a browser plug-in are both code components that are loaded into the process of the running browser and allocated screen space and processor time to execute.

So if you want to say that IE is insecure because of ActiveX, then FF, Opera, and Safari are insecure because of their support of plug-ins.