Hi everyone!

Robert Bugner, one of our Senior Escalation Engineers, put this information together regarding the latest IE Cumulative update, so I thought I would pass it along to you:

Heads up: the second IE Cumulative update of the year has been released. It is the first one for IE6 since the Nov/Dec 2008 time frame.

MS09-014 - Cumulative Security Update for Internet Explorer (963027)
http://support.microsoft.com/kb/963027

Microsoft Security Bulletin MS09-014 - Critical
Cumulative Security Update for Internet Explorer (963027)
Published: April 14, 2009
http://www.microsoft.com/technet/security/bulletin/MS09-014.mspx

Affected Software

Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1

| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
|---|---|---|---|---|
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 5.01 Service Pack 4 | Remote Code Execution | Critical | MS08-073, MS08-078 |
| Microsoft Windows 2000 Service Pack 4 | Microsoft Internet Explorer 6 Service Pack 1 | Remote Code Execution | Critical | MS08-073, MS08-078 |

Internet Explorer 6

| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
|---|---|---|---|---|
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS08-073, MS08-078 |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Critical | MS08-073, MS08-078 |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Important | MS08-073, MS08-078 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Microsoft Internet Explorer 6 | Remote Code Execution | Important | MS08-073, MS08-078 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Microsoft Internet Explorer 6 | Remote Code Execution | Important | MS08-073, MS08-078 |

Internet Explorer 7

| Operating System | Component | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
|---|---|---|---|---|
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-002 |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-002 |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |
| Windows Vista and Windows Vista Service Pack 1 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-002 |
| Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Windows Internet Explorer 7 | Remote Code Execution | Critical | MS09-002 |
| Windows Server 2008 for 32-bit Systems* | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |
| Windows Server 2008 for x64-based Systems* | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |
| Windows Server 2008 for Itanium-based Systems | Windows Internet Explorer 7 | Remote Code Execution | Important | MS09-002 |

*Windows Server 2008 Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Non-Affected Software

| Operating System | Component |
|---|---|
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | Windows Internet Explorer 8 |
| Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 | Windows Internet Explorer 8 |
| Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 | Windows Internet Explorer 8 |
| Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 | Windows Internet Explorer 8 |
| Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems | Windows Internet Explorer 8 |
| Windows Vista and Windows Vista Service Pack 1 | Windows Internet Explorer 8 |
| Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 | Windows Internet Explorer 8 |
| Windows Server 2008 for 32-bit Systems | Windows Internet Explorer 8 |
| Windows Server 2008 for x64-based Systems | Windows Internet Explorer 8 |
| Windows Server 2008 for Itanium-based Systems | Windows Internet Explorer 8 |

Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 963027.

How is this security update related to MS09-013?
The WinINet Credential Reflection Vulnerability, CVE-2009-0550, described in this security bulletin also affects Windows HTTP Services. Microsoft recommends that users also install the security update provided by MS09-013, Vulnerabilities in Windows HTTP Services Could Allow Remote Code Execution (960803).

Does this update contain any security-related changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes the following defense-in-depth changes:

- A change corresponding to the fix in MS09-010 (Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (960477)).
- A change reinforcing the about: protocol in order to restrict spoofing.
- A change corresponding to the fix in MS09-015 (Blended Threat Vulnerability in SearchPath Could Allow Escalation of Privilege (959426)). This provides a mitigation of the combined threat issue involving Apple Safari, Microsoft Windows, and Microsoft Internet Explorer that is known publicly and has been assigned Common Vulnerability and Exposure number CVE-2008-2540. See also the FAQ below about the blended threat.

Does this update address the known issue for MS09-002 that is documented in Microsoft Knowledge Base Article 967941?
Yes, this update addresses the known issue for MS09-002 that is documented in Microsoft Knowledge Base Article 967941, "Navigation is canceled when you browse to Web pages that are in different Internet Explorer security zones."

If I had already performed the registry workaround for the issue documented in Microsoft Knowledge Base Article 967941, what else do I need to do?
If you followed the instructions in Microsoft Knowledge Base Article 967941, either editing the registry manually or running the wizard, to enable the feature control key that disables the functionality introduced in MS09-002, then you must now reverse this feature control key. For instructions, please see Microsoft Knowledge Base Article 967941.

If I only apply this update, will I be completely protected from the blended threat issue described in CVE-2008-2540?
No. In addition to applying MS09-015 (Blended Threat Vulnerability in SearchPath Could Allow Escalation of Privilege (959426)), you must separately enable the defense-in-depth protection provided by this Cumulative Security Update for Internet Explorer. However, you must verify that enabling this defense-in-depth protection against the blended threat issue is appropriate for your environment.

To enable the defense-in-depth protection, perform the following steps:

1. Save the following to a file with a .REG extension, such as Enable_SearchPath.reg, to add the feature control key:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027]
    "iexplore.exe"=dword:00000000

2. Then run Enable_SearchPath.reg with the following command from an elevated command prompt:

    Regedit.exe /s Enable_SearchPath.reg

For more information about the blended threat issue, see MS09-015 (Blended Threat Vulnerability in SearchPath Could Allow Escalation of Privilege (959426)) and Common Vulnerability and Exposure number CVE-2008-2540.
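The two steps above only add the key; they give no way to confirm afterwards that the feature control value is actually in place on a given machine, which is what you want before reporting a fleet as protected. The following PowerShell script is an added example, not part of the original post or of Microsoft's bulletin. It reads the FEATURE_ENABLESEARCHPATH_KB963027 key and the "iexplore.exe" value exactly as the .REG file above names them, reports whether the protection is configured, and, only when run with -Enable, writes the same dword value the .REG file does. The function name Get-SearchPathProtectionState and the -Enable switch are this example's own; the script assumes the 32-bit registry path given in the bulletin and must run from an elevated PowerShell session to write under HKLM.

```powershell
# Added example (not Microsoft's code): audit and optionally set the MS09-014
# defense-in-depth feature control key for the SearchPath blended threat
# (CVE-2008-2540). Key path and value data come from the .REG file in the post.
param(
    [switch]$Enable   # hypothetical switch: write the key instead of only reading it
)

$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLESEARCHPATH_KB963027'
$valueName = 'iexplore.exe'
$expected  = 0        # dword:00000000, as in Enable_SearchPath.reg above

function Get-SearchPathProtectionState {
    # Returns 'Enabled' when the value exists with the bulletin's data,
    # 'Not configured' when the key or value is absent, and
    # 'Unexpected value (<n>)' when the value exists with different data.
    if (-not (Test-Path -LiteralPath $keyPath)) { return 'Not configured' }
    $item = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$valueName) { return 'Not configured' }
    if ([int]$item.$valueName -eq $expected) { return 'Enabled' }
    return "Unexpected value ($($item.$valueName))"
}

Write-Host "FEATURE_ENABLESEARCHPATH_KB963027 state: $(Get-SearchPathProtectionState)"

if ($Enable) {
    # Create the key if needed, then set the value the bulletin specifies.
    if (-not (Test-Path -LiteralPath $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $keyPath -Name $valueName `
        -PropertyType DWord -Value $expected -Force | Out-Null
    Write-Host "State after change: $(Get-SearchPathProtectionState)"
}
```

Run it without arguments to audit, and with -Enable to apply. The key is only meaningful once KB963027 is installed and, as the bulletin says, the protection is complete only together with MS09-015; the script deliberately reports an unexpected value rather than silently overwriting it, so a deployment that set different data (or a pilot that disabled the protection for compatibility reasons) shows up in the output instead of being changed.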

Is it possible to enable the Internet Explorer defense-in-depth protection for the blended threat vulnerability on Microsoft Windows 2000?
No. Due to architectural differences, the defense-in-depth protection introduced in MS09-015 (Blended Threat Vulnerability in SearchPath Could Allow Escalation of Privilege (959426)) is not applicable to the Microsoft Windows 2000 platform. Enabling the defense-in-depth protection for Internet Explorer on Microsoft Windows 2000 will have no effect. However, Microsoft is unaware of any valid attack vectors that would target this vulnerability on Microsoft Windows 2000 systems.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

Cheers!

The IE Support Team