Critical security patch for IE released, Win 7 RC affected

Tom Warren   on 28 July 2009 - 17:21 · 26 comments & 5556 views

Microsoft has released an out-of-band security patch (MS09-034) to fix remotely exploitable vulnerabilities in Internet Explorer.

This security update is rated Critical for the following versions of Internet Explorer:
  • Internet Explorer 5.01, running on supported editions of Microsoft Windows 2000
  • Internet Explorer 6 SP1, running on supported editions of Microsoft Windows 2000 and Windows XP
  • Internet Explorer 7, running on supported editions of Windows XP and Vista
  • Internet Explorer 8, running on supported editions of Windows XP and Vista
  • Internet Explorer 8, running on Windows 7 Release Candidate (build 7100)

This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory and table operations.

The security update also affects components and controls built with the Active Template Library (ATL), such as ActiveX controls. Microsoft is advising developers who have built controls using vulnerable versions of ATL to take immediate action: review their code to identify any vulnerabilities, modify and recompile the affected controls and components using the updated versions of ATL, and finally distribute the non-vulnerable versions of the controls and components to their customers.

Information on both of these vulnerabilities is available under CVE-2009-1918 and CVE-2009-1919.

Internet Explorer 8 for Windows 7 RTM is unaffected by this bulletin; according to a Microsoft spokesperson, the IE defense-in-depth mechanism is already built into Windows 7 RTM. Windows 7 Release Candidate (build 7100) is affected, and a patch, KB972260, will be distributed for it. Patches for Windows 2000, XP and Vista will be distributed through Windows Update shortly.

Thanks to Neowin member nozen09 for the news tip

(3 replies) #1 nozen09 on 28 Jul 2009 - 17:26
Windows 7 RC is affected just got the security Update installed
#1.1 +xiphi on 28 Jul 2009 - 17:27
Same.
#1.2 Tom W on 28 Jul 2009 - 17:36
Thanks for the tip.
#1.3 GP007 on 28 Jul 2009 - 18:23
It seems RTM isn't though, that's what I was betting on being the case. I figure they fixed it first in Win7's RTM build, then for older systems. Add the testing period and the timing falls after Win7 RTM'd.

(3 replies) #2 GreyWolfSC on 28 Jul 2009 - 17:51
Requires a reboot... There goes my uptime.
#2.1 The Patri0t on 28 Jul 2009 - 17:54
How much was it?
#2.2 GreyWolfSC on 28 Jul 2009 - 19:21
I had to reboot to install another patch 3 weeks ago...
#2.3 cork1958 on 29 Jul 2009 - 10:50
GreyWolfSC said,
I had to reboot to install another patch 3 weeks ago...

Oh darn!!

Cry us a river, please!!

Definitely, kudos to MS!!
(4 replies) #3 Ravemaster on 28 Jul 2009 - 17:58
Huh? IE5 still exists?
#3.1 thealexweb on 28 Jul 2009 - 18:17
Ravemaster said,
Huh? IE5 still exists?
Yep it's still going. Don't see why when Windows 2000 users have a newer version of IE to use.
#3.2 GP007 on 28 Jul 2009 - 18:22
It's all those in-house developed web apps that use specific IE stuff that keep businesses from upgrading many times. But that's when it comes to IE6; as for IE5, I have no idea why that's still around, since IE6 should work just the same when it comes to those types of things.

#3.3 +Odom on 28 Jul 2009 - 18:23
Ravemaster said,
Huh? IE5 still exists?
Legacy applications, in-house developed software and compatibility reasons are the main ones why companies don't always upgrade to the latest and greatest.
#3.4 PatriotB on 29 Jul 2009 - 00:05
It's mostly for Windows 2000 Server boxes where, since IE isn't actually used, admins rightly don't see a need to upgrade it to IE6 SP1. But since the bits are still there, they do want those bits to be secure. Server Core (as of Server 2008) is good since the bits aren't even there.
#4 Lepton on 28 Jul 2009 - 18:25
Kudos to MS for not making people wait a month to patch their PC's.
(1 reply) #5 Septimus on 28 Jul 2009 - 19:33
Glad they patched it, but christ, the exploit has existed since 1999/2000. That doesn't seem good.
#5.1 lnk654 on 28 Jul 2009 - 21:55
Most vulnerabilities in today's software come from code written in the 90's.
The problem must also be affecting unsupported versions of ATL, probably even those released around 1995.
That's not shocking. Even flaws in Firefox come from parts of code written 10 years ago.
Worse, some flaws are fixed a year after the problem they come from has been posted on Bugzilla, e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=441785 , posted in June 2008, fixed 13 months later.

Concerning this ATL flaw, there is no risk under Vista/7 because of ASLR/DEP and the IE sandbox (protected mode).
(1 reply) #6 skynetXrules on 28 Jul 2009 - 20:13
I just received an update through WU to plug security holes for Visual runtime 2008/2005.
#6.1 nozen09 on 28 Jul 2009 - 20:52
Microsoft offers IE, Visual Studio patches to protect against ActiveX attacks
http://news.cnet.com/8301-27080_3-10297328-245.html
#7 +warwagon on 28 Jul 2009 - 21:27
I expect a bunch more malware infected calls from morons who don't update their machines
(2 replies) #8 bluarash on 28 Jul 2009 - 22:34
Would it not be better to simply uninstall IE and disable all applications that use the Trident rendering engine?
#8.1 GreyWolfSC on 28 Jul 2009 - 23:45
Why? It's not any more vulnerable than any other browser, and one of those apps would be Explorer.
#8.2 bluarash on 29 Jul 2009 - 01:23
I was referring to the ability to delete IE executable from Windows 7 RC.
#9 prabir on 29 Jul 2009 - 06:20
I got another security update for Visual Studio 2008 SP1, it's 365.2MB. That's huge enough to be Visual Studio Service Pack 2.
#10 +Chicane-UK on 29 Jul 2009 - 07:33
Sigh. A load more paperwork and a morning's worth of work just to approve and push this update through to all of our systems :|
#11 mocax on 29 Jul 2009 - 11:46
Why did it take them so long to discover these bugs? From the IE5 era.....
#12 codyryanharrod on 29 Jul 2009 - 15:35
Awww, who cares, just don't use IE 8 and don't go to bad websites or download bad things and you'll be alright.
