Yesterday’s security updates for February 2005 include two critical updates relating to Internet Explorer:
These are both rated “critical” and affect all supported IE configurations from IE5.01 to IE6 for XPSP2.
In addition, there is a third update to mention - MS05-008 - which contains a fix for a drag-and-drop vulnerability in the Windows shell code. You need both MS05-014 and MS05-008 to resolve the “drag-and-drop vulnerability” (CAN-2005-0053). These updates do not have to be installed in any particular order.
Windows Server 2003 Service Pack 1, Windows Server 2003 x64 edition, and Windows XP Professional x64 edition, all of which hit RC2 yesterday, already include these fixes.
I’m happy to say that MS05-014 includes both hotfixes and security updates but only installs hotfixes on systems that require them. The original goal of creating separate packages was to isolate as many customers as possible from unnecessary code change. By implementing this solution we’ve maintained that added protection for our customers while easing corporate deployment, an area where we are committed to continual improvement. This capability is similar to what we have always used for IE cumulative security updates for Windows XP SP2 and Server 2003. However, because IE 6 SP1 installs across multiple Windows versions we could not use the same technology. For details on how IE 6 SP1 packages will know whether or not to install hotfixes, please see the ‘Notes’ section of KB867282.
I encourage everybody to download these updates as well as yesterday’s other non-IE updates via Windows Update. I also encourage you to turn on Automatic Updates so you get these updates without having to manually visit Windows Update.