Critical security patch for IE released, Win 7 RC affected

Microsoft has released an out of band security patch (MS09-034) to fix remote exploits in Internet Explorer.

This security update is rated Critical for the following versions of Internet Explorer:

  • Internet Explorer 5.01, running on supported editions of Microsoft Windows 2000
  • Internet Explorer 6 SP1, running on supported editions of Microsoft Windows 2000 and Windows XP
  • Internet Explorer 7, running on supported editions of Windows XP and Vista
  • Internet Explorer 8, running on supported editions of Windows XP and Vista
  • Internet Explorer 8, running on Windows 7 Release Candidate (build 7100)

This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory and table operations.

The security update also affects components and controls built with the Active Template Library (ATL), such as ActiveX controls. Microsoft is advising developers who built controls using vulnerable versions of ATL to take immediate action: review the controls and identify any vulnerabilities, modify and recompile the affected controls and components using the updated versions of ATL, and finally distribute a non-vulnerable version of the controls and components to their customers.

Details of both of these vulnerabilities are available under CVE-2009-1918 and CVE-2009-1919.

Internet Explorer 8 on Windows 7 RTM is not affected by this bulletin: according to a Microsoft spokesperson, the IE defense-in-depth mechanism is already built into Windows 7 RTM. Windows 7 Release Candidate (build 7100) is affected, and patch KB972260 will be distributed for it. Patches for Windows 2000, XP and Vista will be distributed via Windows Update shortly.

Thanks to Neowin member nozen09 for the news tip.


I got another security update for Visual Studio 2008 SP1, it's 365.2MB. That's huge enough to be Visual Studio Service Pack 2.

Most vulnerabilities in today's software come from code written in the 90's.
The problem must also be affecting unsupported versions of ATL, probably even those released around 1995.
That's not shocking. Even flaws in Firefox come from parts of code written 10 years ago.
Worse, some flaws are fixed a year after the problem they come from has been posted on Bugzilla, e.g.: https://bugzilla.mozilla.org/show_bug.cgi?id=441785 , posted in June 2008, fixed 13 months later.

Concerning this ATL flaw, there is no risk under Vista/7 because of ASLR/DEP and the IE sandbox (protected mode).

Ravemaster said,
Huh? IE5 still exists?

Yep it's still going. Don't see why when Windows 2000 users have a newer version of IE to use.

It's all those in-house developed web apps that use specific IE stuff that keep businesses from upgrading many times. But that's when it comes to IE6; as for IE5, I have no idea why that's still around, since IE6 should work just the same when it comes to those types of things.

Ravemaster said,
Huh? IE5 still exists?

Legacy applications, in-house developed software and compatibility reasons are the main ones why companies don't always upgrade to the latest and greatest.

It's mostly for Windows 2000 Server boxes where, since IE isn't actually used, admins rightly don't see a need to upgrade it to IE6 SP1. But since the bits are still there, they do want those bits to be secure. Server Core (as of Server 2008) is good since the bits aren't even there.

GreyWolfSC said,
I had to reboot to install another patch 3 weeks ago...

Oh darn!!

Cry us a river, please!!

Definitely, kudos to MS!!

It seems RTM isn't though, that's what I was betting on being the case. I figure they fixed it first in Win7's RTM build, then for older systems. Add the testing period and the timing falls after Win7 RTM'd.