Update coming for IE 6.0 SP1 security vulnerability

Today's canceled re-release of MS06-042, and posting of a Security Advisory

Welcome to the Microsoft Security Response Center Blog! — Wed, 23 Aug 2006 01:09:48 GMT

Hi everyone, Stephen Toulouse here.&nbsp; We wanted to provide you with information about the MS06-042...

re: Update coming for IE 6.0 SP1 security vulnerability

TJ — Wed, 23 Aug 2006 02:01:01 GMT

Although I'm not pleased with the issue and I’m sure many will slam you for it, I commend Microsoft for being upfront about it and keeping us informed (via this blog, MSRC blog, and TechNet). Many other software companies (who I shall not mention) could learn a lot by following suit. Over the years, Microsoft has become the leader in this area and thus the model.

P.S. – mentioning the impact on beta software is greatly appreciated.

re: Update coming for IE 6.0 SP1 security vulnerability

cooperpx — Wed, 23 Aug 2006 02:34:56 GMT

A mistake was made, a mistake will be cleaned up. Good. Accidents happen.

However, lets drop off the righteousness tone for a second please? Microsoft is upset that somebody squealed on it. The word ETIQUETTE applies, not RESPONSIBILITY.

I'd say that ETIQUETTE regarding security bugs is being redefined by people not of Microsoft.

Might I suggest that IE gets its own out-of-band patching system, not restricted by any specific timing schedule, for home users and businesses with a local policy setting?

re: Update coming for IE 6.0 SP1 security vulnerability

cooperpx — Wed, 23 Aug 2006 02:46:02 GMT

"For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue."

- ouch Tony. I'm sure he/she feels bad enough! He/she likely had peer reviewers and they missed it too. Some stuff just slips by, even by really smart people with years of bug finding experience. I'd say your team was due for this kind of flaw and it happens ~ _even_ in open source! [sorry for the double post]

re: Update coming for IE 6.0 SP1 security vulnerability

Baillard — Wed, 23 Aug 2006 04:13:35 GMT

I posted a question to the MSRC Blog about the options that the Online Crash Analysis provides when IE fails due to the problems with MS06-042. Can you please provide links to MS06-042 from the OCA event page and other info such as assisting users in disabling HTTP 1.1? The current info OCA suggests upgrading to XP SP2 (I do realize that SP1 support ends <60 days) is not the entire story.

re: Update coming for IE 6.0 SP1 security vulnerability

redxii — Wed, 23 Aug 2006 06:54:13 GMT

For what reason would it affect SP1 but not SP2? Just curious.

re: Update coming for IE 6.0 SP1 security vulnerability

Tony Chor [MSFT] — Wed, 23 Aug 2006 07:15:10 GMT

redxii: We changed some buffer sizes in SP2; the code was first fixed in SP2 and then ported down to SP1 without taking this change into consideration.

baillard: Good idea re: updating our OCA response. I'll see what we can do here.

cooperpx: I certainly didn't mean to imply that this developer was solely to blame. We just wanted to make sure there was nothing systemic about his changes that might pose a problem. we definitely tried to explore every avenue.

cooperpx: We used to update IE on its own schedule, but many customers asked us to update IE at the same time as other updates so they could schedule and batch their testing and deployments.

Death toll rises due to FireFox

Brad — Wed, 23 Aug 2006 07:21:55 GMT

Did you guys see this?
Death toll rises due to FireFox

http://qainsight.net/2006/08/23/Death+Toll+Rises+Due+To+FireFox.aspx

W2k SP4?

Tihiy — Wed, 23 Aug 2006 07:52:58 GMT

Sorry for buggin you but i'm unable to find exact information on bizzare lifecycle pages.

IE6SP1 on XPSP1 support will be dropped in October, but what about IE6SP1 on W2KSP4? I guess it should be supported until W2K EOL, but when it ends?

Roman’s Blog » Blog Archive » MS06-042 - more time needed…

Roman’s Blog » Blog Archive » MS06-042 - more time needed… — Wed, 23 Aug 2006 08:04:43 GMT

PingBack from http://blog.kluka.net/archives/19

re: Update coming for IE 6.0 SP1 security vulnerability

Espen Antonsen, 24SevenOffice — Wed, 23 Aug 2006 10:34:06 GMT

Will this update fix the createPopup issue as well? A lot of our customers are reporting to us that IE is crashing when they use our web-application 24SevenOffice. This occurs due to a bug caused by using the createPopup function after the latest update is applied. This issue is not related to the IE6SP1/HTTP1.1 problem as the reports I have got customers used IE6SP2.

Can you please make a statement to whether this issue will be fixed in the upcoming update?

For more info and example see the following pages at comcept.net:

http://www.comcept.net/notify/kb918899/kb918899%20Statement.htm

http://www.comcept.net/crash.htm

Thank you,
Espen Antonsen
24SevenOffice

Hotfix 923996 for popup issue

AH — Wed, 23 Aug 2006 10:53:21 GMT

There now is a hotfix available from Microsoft for the popup issue. It is so far only available through Microsoft support; you must call and ask for hotfix 923996 for Windows XP or for Windows 2003. Such calls into Microsoft are free.
As there are so many users suffering from this issue after deploying MS06-42, I would hope Microsoft includes the hotfix that fixes the popup issue into the re-release of MS06-42 as well.

re: Update coming for IE 6.0 SP1 security vulnerability

Espen Antonsen, 24SevenOffice — Wed, 23 Aug 2006 11:19:43 GMT

AH, thank you very much for that information. Unfortuanly the fix is only available in English and Japanese. We have a lot of customers in Norway who are complaining about this issue and it seems like they have to wait for the next update.

Cheers,
Espen Antonsen
24SevenOffice

re: Update coming for IE 6.0 SP1 security vulnerability

Can i post this blog? — Wed, 23 Aug 2006 15:54:55 GMT

test

re: Update coming for IE 6.0 SP1 security vulnerability

ali — Wed, 23 Aug 2006 17:25:05 GMT

se contacter

re: Update coming for IE 6.0 SP1 security vulnerability

Steve Young — Wed, 23 Aug 2006 18:45:13 GMT

First time to be here ^_^

re: Update coming for IE 6.0 SP1 security vulnerability

Vince — Wed, 23 Aug 2006 18:52:21 GMT

I was under the impression that IE7 had removed the createPopup call from standard web page designs? (e.g. not an embedded app, using the IE engine)

Can an MS team member clarify if this happened or not?

From a web user perspective, these popups are the most anoying ever, since they are chromeless, z-ordered on top of everything, and are full screen, not just in the IE viewport.

If not, can the developers clarify if these are 100% blockable by type, in IE7?

E.g. I may want a popup window to choose a date in my online airfare search, but I will never want a ".createPopop()" call to be enabled.

Thanks Vince.

re: Update coming for IE 6.0 SP1 security vulnerability

Christopher Vaughan [MSFT] — Wed, 23 Aug 2006 18:57:29 GMT

Tihiy - I blogged about this at http://blogs.msdn.com/ie/archive/2005/03/29/403513.aspx. Essentially, IE6SP1 on Win2k SP4 will be supported until Win2k expires.

Espen - You can have your TAM contact Microsoft to request a localized version of the hotfix. The re-release of this update is for IE6SP1 only and the issue you're seeing is for XPSP2, so therefore the re-release will not fix that issue as it's on a different platform.

re: Update coming for IE 6.0 SP1 security vulnerability

DMassy — Wed, 23 Aug 2006 19:55:04 GMT

Vince,
createPopup has not been disable in IE7. It is actually useful functionality for example to produce rich tooltips in web solutions.
There were restrictions put on this functionality in Windows XP SP2 to ensure that they cannot display outside of the HTML display area of the browser and confuse people. Maybe that is what you are thinking of.
Thanks
-Dave

re: Update coming for IE 6.0 SP1 security vulnerability

Tom — Thu, 24 Aug 2006 03:26:47 GMT

@dave

I don't see how a < div > can't do anything that createPopup() can.

Oh well, guess I'll go look into writing an extension for IE7 to block these.

@Vince
Can I send you a link to it when I'm done? :-)

re: Update coming for IE 6.0 SP1 security vulnerability

William Lefkovics — Thu, 24 Aug 2006 09:16:38 GMT

Tony, by "irresponsibly disclosed" are you referring to the reference to "Long URLs" outlined in KB 923762? (http://www.microsoft.com/technet/security/advisory/923762.mspx)

re: Update coming for IE 6.0 SP1 security vulnerability

lamon — Thu, 24 Aug 2006 10:13:52 GMT

Hello,everyone,I'm a security engineer from one of your enterprise customers.After deploying MS06-042,when our users access to PeopleSoft(HR System),IE would breakdown.It occur that the OS is win2000 and XP without SP2.
We are in china ,most of our OS language is chinese.Microsoft(China) MSTC engineers told us that they are not sure when you could release the patch's patch to fix up our trouble.They sent us a tool to have a try,but just the english version,could you speed up the development of the chinese version ?Thanks.

Use Firefox .... and all its fine ...

ZOC — Thu, 24 Aug 2006 13:00:39 GMT

Dont use the false browser ...

re: Update coming for IE 6.0 SP1 security vulnerability

Espen Antonsen — Thu, 24 Aug 2006 13:59:00 GMT

@Christopher Vaughan [MSFT]
I have called Microsoft support here in Norway and hopefully they will provide me with a localized version of the hotfix. I think this bug is very critical - will the hotfix really not be released through windows update?

@Tom
createPopup will be displayed over iframes, frames and outside the window. It is very useful when creating a contextMenu.

Espen Antonsen
24SevenOffice

re: Update coming for IE 6.0 SP1 security vulnerability

Van Der Beek Philip — Thu, 24 Aug 2006 16:12:49 GMT

I want to have IE 6.0 SP1 for update thankyou if you am having Xp Home weather can or not please tell me or send me a CD to me thankyou

re: Update coming for IE 6.0 SP1 security vulnerability

Tom — Thu, 24 Aug 2006 17:59:52 GMT

@Espen

In Dave Massey's comment (above mine, to Vince)

It sounds like IE7 has cleaned the createPopup() call a bit, to ensure it _CANT_ display beyond the viewport boundary.

It again, should be noted, that in all browsers, you can float a div over any content on the page to crate a contextmenu or similar. The only catches are:
1.) in IE 6 or below, you need to float an iframe under the div because the select element was incorrectly coded to be at the window level. (fixed in IE7 thankfully!!!)
2.) in a frameset (not iframes), you can't float anything over frames, because there is no (top level) document body to attach the div to.

Tom

re: Update coming for IE 6.0 SP1 security vulnerability

Christopher Vaughan [MSFT] — Thu, 24 Aug 2006 18:38:13 GMT

Espen: hotfixes are never released through Windows Update. If you get a hotfix via our support centers, you'll be pointed to a separate download. However, in a subsequent security update, your hotfix should be automatically included so you won't have to re-apply the hotfix again.

lamon: when we release security updates, all languages are released at the same time. The Chinese version of the re-release of MS06-042 should already be available via Windows Update.

re: Update coming for IE 6.0 SP1 security vulnerability

Ottmar Freudenberger — Thu, 24 Aug 2006 19:57:32 GMT

I wonder why there's no new blog entry to be found (yet) here about the release of KB918899v2 for IE6 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c335caa9-b9e6-403d-a039-2d3dca723653

Bye,
Freudi

Update Available for IE 6.0 SP1 Security Vulnerability

IEBlog — Thu, 24 Aug 2006 20:00:14 GMT

This morning we re-released our August security update (MS06-042) for IE 6.0 SP1. This update is available...

re: Update coming for IE 6.0 SP1 security vulnerability

MikeG — Thu, 24 Aug 2006 21:55:37 GMT

When a patch is released how soon after will the wsusscan.cab file be updated for SMS ITMU custumers?

Thanks
Mike

re: Update coming for IE 6.0 SP1 security vulnerability

Zach — Thu, 24 Aug 2006 21:56:40 GMT

--> It sounds like IE7 has cleaned the createPopup() call a bit, to ensure it _CANT_ display beyond the viewport boundary.

Is this in all environments, or in a trusted environment can you still extend beyond the boundry.

Ask because I have GUI dependent on that - and by trusted - I mean trusted to the point that its being served in my own wrapped Webbrowser control

Symphonious » Don’t Blame The Committer

Symphonious » Don’t Blame The Committer — Fri, 25 Aug 2006 14:11:22 GMT

PingBack from http://www.symphonious.net/2006/08/25/dont-blame-the-committer/

Update waiting for IE 6.0 SP2 security vulnerability

ST — Fri, 25 Aug 2006 23:09:04 GMT

923996 When you visit a Web page that uses a custom pop-up object,
Internet Explorer 6 closes unexpectedly
http://support.microsoft.com/kb/923996/

IE6SP2(XPSP2 or 2003SP1) + 918899(MS06-042)
createPopup()

"eEye y Microsoft... en pie de guerra" - Foro de Spyware

"eEye y Microsoft... en pie de guerra" - Foro de Spyware — Sun, 27 Aug 2006 02:03:54 GMT

PingBack from http://www.forospyware.com/t49191.html#post203361

re: Update coming for IE 6.0 SP1 security vulnerability

EricLaw [MSFT] — Tue, 29 Aug 2006 06:09:49 GMT

@Zach: The CreatePopup call is restricted for content in the Internet zone. I suspect the limitation only applies to the Internet Explorer process unless you opt your process into the feature.

re: Update coming for IE 6.0 SP1 security vulnerability

security program — Tue, 29 Aug 2006 09:14:45 GMT

see all kinds of security program!

http://www.shareware123.com/utility/security_encryption/index_69.htm

Boletín 00066 - 29/08/2006

Weblog de Mauricio (W.O.L.F.) R. Arreola González — Tue, 29 Aug 2006 18:58:14 GMT

1.- El parche que llego el martes pasado es tambien para Windows Vista2.- Corrupcion de memoria en Firefox...

re: Update coming for IE 6.0 SP1 security vulnerability

Zach — Fri, 01 Sep 2006 23:51:27 GMT

@EricLaw - Thanks :)

For a second there thought I would have to redo my menus and other parts of the toolbars.

Update Available for IE 5.01, IE 6.0 SP1, and IE 6.0 on Server 2003

IEBlog — Tue, 12 Sep 2006 20:01:29 GMT

This morning we re-released three versions of our August 2006 cumulative security update (MS06-042)....

newsBreaks.net » Update: Microsoft’s August IE patch contains security bug

newsBreaks.net » Update: Microsoft’s August IE patch contains security bug — Sun, 17 Sep 2006 05:21:39 GMT

PingBack from http://newsbreaks.net/archives/5323

internet explorer 6 0

internet explorer 6 0 — Sat, 03 May 2008 12:44:00 GMT

PingBack from http://raul.infomediaguide.com/internetexplorer60.html

IEBlog Update coming for IE 6 0 SP1 security vulnerability | Paid Surveys

IEBlog Update coming for IE 6 0 SP1 security vulnerability | Paid Surveys — Sat, 30 May 2009 01:55:22 GMT

PingBack from http://paidsurveyshub.info/story.php?title=ieblog-update-coming-for-ie-6-0-sp1-security-vulnerability

Update coming for IE 6.0 SP1 security vulnerability

Today's canceled re-release of MS06-042, and posting of a Security Advisory

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

Death toll rises due to FireFox

W2k SP4?

Roman’s Blog » Blog Archive » MS06-042 - more time needed…

re: Update coming for IE 6.0 SP1 security vulnerability

Hotfix 923996 for popup issue

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

Use Firefox .... and all its fine ...

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

Update Available for IE 6.0 SP1 Security Vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

Symphonious » Don’t Blame The Committer

Update waiting for IE 6.0 SP2 security vulnerability

"eEye y Microsoft... en pie de guerra" - Foro de Spyware

re: Update coming for IE 6.0 SP1 security vulnerability

re: Update coming for IE 6.0 SP1 security vulnerability

Bolet&#237;n 00066 - 29/08/2006

re: Update coming for IE 6.0 SP1 security vulnerability

Update Available for IE 5.01, IE 6.0 SP1, and IE 6.0 on Server 2003

newsBreaks.net » Update: Microsoft’s August IE patch contains security bug

internet explorer 6 0

IEBlog Update coming for IE 6 0 SP1 security vulnerability | Paid Surveys

Boletín 00066 - 29/08/2006