IE August Security Update is Now Available

The IE Cumulative Security Update for August 2007 is now available via Windows Update. Alternatively, you can receive this and all other Microsoft updates via the new Microsoft Update. I encourage you to upgrade to Microsoft Update if you haven’t already to ensure that you receive the latest updates for all Microsoft products.

This update addresses 3 remote code execution vulnerabilities. This bulletin also includes killbits for some vulnerable third-party ActiveX controls. These have been set at the request of the owners. For detailed information on the contents of this update, please see the following documentation:

This update is rated “Critical” for IE 5.01, IE6 Service Pack 1 on Windows 2000, IE6 and Windows XP; “Moderate” for IE6 on Windows Server 2003; “Important” for IE7 on Windows XPSP2 and IE7 in Windows Vista; “Low” for IE7 on Windows Server 2003.

This update also addresses an unexpected “Save File” security dialog experienced by some users upon launching Internet Explorer after relocating the “Temporary Internet Files” folder to a custom location. We posted about this behavior here.

As a reminder, IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer.

I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft.

Terry McCoy
Program Manager
Internet Explorer Security

Comments

  • Anonymous
    August 14, 2007
    Any comments about future versions of IE and javascript support? There's some great stuff being added to javascript that IE doesn't support right now, and lots of DOM stuff that support for is missing. Can we expect significant improvements in javascript in IE8 since there were not any for IE7? luke

  • Anonymous
    August 14, 2007
    The comment has been removed

  • Anonymous
    August 14, 2007
    The latest version of IE Developer Toolbar does not run validation for HTML and CSS files on local computer or local web server, it allows only validation of pages on the Web. Will this bug be ever corrected?

  • Anonymous
    August 15, 2007
    The comment has been removed

  • Anonymous
    August 15, 2007
    my favorite part of Patch Tuesday(TM) updates is having to reset my email client as the default because MS Office was updated. I'm so glad software teams work together to solve these issues. I don't really want to argue over whose bug it is (Mozilla/Microsoft) I just want it fixed, so that when I get a bundled update to fix security issues in Office, that also include spam filter updates for Outhouse, that my mail client doesn't get affected. tx

  • Anonymous
    August 15, 2007
    jack, The warning "Security issues have been identified that could allow an attacker to compromise a system running Internet Explorer and gain control over it". Sounds suspicious to me. Are you certain that is what it says and that it is coming from IE? It sounds more like a scam to me. The warning bar on local HTML content is explained here http://msdn2.microsoft.com/en-us/library/ms537628.aspx and can be avoided by adding the MOTW to that content. It was added in XP SP2 to prevent local content from accessing the local machine. -Dave

  • Anonymous
    August 15, 2007
    How about a new VPC image for IE6 that expires in 2 days.  Maybe you can release it BEFORE it expires, or maybe make it last 6 months or longer so I don't have to waste time updating your images every 4 months.

  • Anonymous
    August 15, 2007
    With the new update, I did not receive 2 very important Hotmail emails and can no longer access my favorite free-game site -- zylom.com.  I'm not a developer . . . I'm just an old lady end-user on social security!

  • Anonymous
    August 15, 2007
    I installed the new update and a tornado hit my house! Microsoft must be responsible! Sorry Liz. I understand you might be frustrated but I don't believe the update to IE is responsible for your woes. It's really difficult to imagine how an IE update would be responsible for hotmail losing a couple of emails and www.zylom.com appears to be inaccessible to all browsers at the moment. It's easy to blame IE for everything that is wrong with the world I know but let's keep things in perspective :) -Dave

  • Anonymous
    August 15, 2007
    The comment has been removed

  • Anonymous
    August 15, 2007
    Come on, Liz. The IE isn't perfect yet, for e.g. some great newer javascript features aren't working, but the IE is not responsible for everything, if your system isn't working ;) My tip is, try out an older version to see, if the new IE Version is really responsible for your failure.

  • Anonymous
    August 15, 2007
    Today's email question is: "I wonder if you can help me. When I try to save a web address in

  • Anonymous
    August 15, 2007
    @jack > How come I never get messages like this for Firefox, Opera or Safari? Cause you don't follow the development and release of updated versions for these browsers? Please feel free to read the release notes for the latest versions of these browsers ;-) Bye, Freudi

  • Anonymous
    August 15, 2007
    Dear developers! Establish please these updatings.

  • Anonymous
    August 16, 2007
    The comment has been removed

  • Anonymous
    August 16, 2007
    Just an update to my last posting.  My problem is NOT a network issue.  I have verified full connectivity from this computer.  My XP (IE 6) computer that goes through the same router has no problems (yet?).

  • Anonymous
    August 16, 2007
    Upon reboot from the update, IE7 cannot access web pages. Have tried assorted recommendations without success. Booted up in "safe Mode with network support" and IE7 can access web pages. So what does this mean?

  • Anonymous
    August 16, 2007
    I applied the security patch and now IE 7 can't open a web page.  Many others are having the same issue look in the discussion groups

  • Anonymous
    August 16, 2007
    I was wondering when I will be able to access the update site using something other than Microsoft's Internet Explorer.  Netscape is currently running just fine on my PC and IE has died in the connecting to server phase too many times for me to remember trying it.

  • Anonymous
    August 16, 2007
    I was wondering Bug Tracking how development Bug Tracking of Internet Explorer 8 Bug Tracking is going? We haven't Bug Tracking seemed to hear much Bug Tracking information about what Bug Tracking is going to be Bug Tracking fixed in the next Bug Tracking version. Im also curious Bug Tracking if Microsoft has Bug Tracking considered how 2 way Bug Tracking communication with Bug Tracking the developer community Bug Tracking will be handled Bug Tracking in the near Bug Tracking future? Many of Bug Tracking us are starting to Bug Tracking think that the Bug Tracking promises of open Bug Tracking communication are taken Bug Tracking seriously. Im not sure Bug Tracking where the Internet Explorer Bug Tracking Team is thinking about right Bug Tracking now, but we do wonder if Bug Tracking they have taken some time to think about Bug Tracking how they intend to fix the Bug Tracking confidence level for developers building sites for IE. I would Bug Tracking seriously like to see some Bug Tracking more information about what plans Microsoft Bug Tracking has for fixing the current Bug Tracking situation. Angela R. was i subtle enough? ;P

  • Anonymous
    August 16, 2007
    The comment has been removed

  • Anonymous
    August 16, 2007
    @Angela R: I can't imagine anyone having enough time to try to read that mess. Let alone write it. Come on, developers. Anyone who has spent even a year programming knows how hard it is to get things done, passed through corporate, and approved by all the various committees. Trash-talking and messes like various posts above don't help things. Nobody seems to be professional anymore.  Least of all the developers who post trash on this blog.

  • Anonymous
    August 16, 2007
    How come I never get messages like this for Firefox, Opera or Safari?

  • Anonymous
    August 16, 2007
    The comment has been removed

  • Anonymous
    August 17, 2007
    After installing the update package on XPSP2 and restarting, my pc was rendered unusable. All of my startup apps threw errors, as did IE7...oh, and guess what?  So did System Restore!  I had to go into safe mode to perform a restore and back out the update. The event log shows multiple errors similar to the below entry - PLEASE HELP!
    The COM+ Event System raised an unexpected access violation at address 0x77129924, attempting to access address 0x00000007.  Please contact Microsoft Product Support Services to report this error.
    OLEAUT32!LoadTypeLib+0x1f3f
    OLEAUT32!LoadTypeLib+0x2350
    OLEAUT32!LoadRegTypeLib+0x76
    es!DllGetClassObject+0xb132
    es!+0x12707
    es!+0x12c32
    es!DllGetClassObject+0x427a
    ole32!CreateGenericComposite+0x2c05
    ole32!CreateGenericComposite+0x28d4
    ole32!CreateGenericComposite+0x2b23
    ole32!CreateGenericComposite+0x2a9a
    ole32!CoGetTreatAsClass+0xbe7
    ole32!CoGetTreatAsClass+0xb9e
    ole32!CreateGenericComposite+0x2b84
    ole32!CreateGenericComposite+0x28d4
    ole32!CreateGenericComposite+0x286f
    ole32!CreateGenericComposite+0x28d4
    ole32!CreateGenericComposite+0x2719
    ole32!CoCreateInstanceEx+0x4f
    ole32!CoCreateInstanceEx+0x1e
    ole32!CoCreateInstance+0x34
    sens!+0x2ff5
    sens!+0x20aa
    ntdll!RtlUpcaseUnicodeString+0x159
    ntdll!RtlUpcaseUnicodeString+0x197
    ntdll!RtlUpcaseUnicodeString+0x259
    ntdll!RtlUpcaseUnicodeString+0x230
    kernel32!GetModuleFileNameA+0x1b4
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

  • Anonymous
    August 17, 2007
    Two days in a row, I received updates for Vista OS and after the update, my internet explorer 7 failed to access the internet.  I uninstalled all updates on the first day and IE7 worked.   On the next day, I uninstalled the updates one at a time.  IE did not work until I uninstalled KB937143.  There is a problem with that update and I want to know if Microsoft is planning to fix this update?

  • Anonymous
    August 17, 2007
    (I'm posting a comment a second time now because it doesn't appear to have worked the first time around.) When are we going to see a resolution to the fact that BUTTON tags still submit their innerText values instead of their VALUE attributes in forms? This has been a bug since IE5 and it still persists in IE7. In fact, it seems to have been swept under the rug as it's been documented as apparently standard behavior in Internet Explorer: http://msdn2.microsoft.com/en-us/library/ms535211.aspx

  • Anonymous
    August 17, 2007
    The comment has been removed

  • Anonymous
    August 17, 2007
    PRIVACY BUG NOT FIXED. If you attempt to relocate the IE7 cache to a different directory or hard drive, IE7 loses track of where the cache is, and you can no longer clear the browser cache. If, like me, you don't keep the browser cache on the OS default partition (to minimize drive fragmentation), you cannot get rid of Google or Double-Click cookies - or any other cookie - to maintain some semblance of privacy. And if you try to move the cache back to the default location so you can clear it, IE7 still can't find it! You need to take personal privacy seriously, too.

  • Anonymous
    August 17, 2007
    Would be nice if we all were as smart as some of you, but the fact is that at least one of the updates of 08-14 knocked me off the internet and the developers should be smart enough to let us know that they may conflict with our firewalls.  Why blame the firewalls for an update that is incompatible.  At least warn us that we may have problems so that we can choose not to install these updates, or at least tell us how to set the firewalls to accept these changes.  Norton wants us to use Windows auto update and Microsoft wants us to install the updates, but why cause all of these problems.  Sometimes the fix is worse than the potential problem

  • Anonymous
    August 17, 2007
    The comment has been removed

  • Anonymous
    August 17, 2007
    @Russ This is not an issue related to the Cumulative Update for IE KB937143, but possibly one related to KB921503 (MS07-043) dependent on your system's configuration and running applications/services in the background while applying the update. Please indeed contact PSS at Microsoft and open a call. Bye, Freudi

  • Anonymous
    August 17, 2007
    I just saw a new version of IE is available on Versiontracker and I'm just curious if it's legit. The build number is: 7.00.6000.16512. Thanks!

  • Anonymous
    August 17, 2007
    Howell, that's the version of iexplore.exe included in the Cumulative Update for IE7. Bye, Freudi

  • Anonymous
    August 17, 2007
    Freudi, Thanks for getting back to me! I did a check on the version info under IE's properties in the Program Files folder and the version number matches up there. :) Thanks! Howell

  • Anonymous
    August 18, 2007
    I don't know if there is a correct place for this comment -- didn't see anything obvious after poking around for a bit -- but this is an active thread, so here goes... One little irritation I have with IE7 is that when I close a tab, the new active tab is not the one I would expect.  Let's say I have 4 tabs open.  I'm on #2 (from left to right) and choose to open a link via the right-click "Open in New Tab".  My new tab becomes the new #3 tab.  When I'm done with it and close it, I want to be returned to my previous active tab, #2, but instead I'm on the old #3.  It's a small but frequent irritant for me.  Is there any way to change this behavior?

  • Anonymous
    August 18, 2007
    I just got a notice that my IE6 XP Virtual PC image was expired.  So I came here and discovered a new one is not out yet.  What's the deal?

  • Anonymous
    August 18, 2007
    No news on the promised VPC images yet Joel. I'd watch PeteL's blog at http://blogs.msdn.com/petel/ for the latest news on that. I'm guessing they hit some sort of glitch posting them last week. Hopefully we'll see them shortly. -Dave

  • Anonymous
    August 18, 2007
    Since loading the updates which include this IE security update, I cannot log into one user under Windows XP if another user is also logged on.  The only solution I have found is to restore my system prior to the point of downloading the update.  I have experienced the same problem on two different systems.  Has anyone else had this problem?  Is there a solution?

  • Anonymous
    August 18, 2007
    The comment has been removed

  • Anonymous
    August 19, 2007
    The comment has been removed

  • Anonymous
    August 19, 2007
    The comment has been removed

  • Anonymous
    August 19, 2007
    Freudi, Thanks for the feedback. I installed all patches and didn't know which one caused the break.  I am, however, skeptical that a VB related fix is the root cause of IE and System restore failing.  As in my last unfortunate experience with a problematic Windows update (which also required a system restore) I'll just wait until MS figures out what they've broken this time. Regards, Russ

  • Anonymous
    August 19, 2007
    Russ, please contact MS's PSS and open a call with them, which should be free of charge. And yes, I'm still sure about KB937143 not being the cause of the issue your system ran into. And no, it's not a good idea to leave KB937143 (and the other updates) aside and waiting for something to happen which will not happen. At least read the Security Bulletins for these updates in the meantime ;) Bye, Freudi

  • Anonymous
    August 19, 2007
    How come I never get messages like this for Firefox, Opera or Safari?

  • Anonymous
    August 20, 2007
    There is never going to be an IE7 bug reporting system. If one was brought in it would highlight the lack of activity in fixing the new bugs. There is no proper development going on for IE8, why else is there a wall of silence when anyone raises this topic. Forget about all the great new features of javascript that you may be reading about introduced in firefox2 or upcoming firefox3. Some of these look great but I for one am not going to be spending any great amount of time to learn how to use them when the dominant browser has no support for them. The simple fact is Microsoft can and will stifle future web development and there is nothing anyone can really do about it, because the average user is not going to change to an alternative because W3 standards are better etc. I suspect Microsoft is placing its resources into vista sp1 and Silverlight.  

  • Anonymous
    August 20, 2007
    Hi .., I want to permanently hide my ie6 vertical scrollbar.. Is there any registry level settings?

  • Anonymous
    August 20, 2007
    Installed the August IE7 updates this am.  Immediately IE would not open links to any, including trusted sites.  Shut off firewall (ZoneAlarm) and antivirus (Kaspersky) and links would still not open.  Uninstalled the 2 IE7 updates, and everything works fine. Tom Wirt claypot@hutchtel.net

  • Anonymous
    August 20, 2007
    The comment has been removed

  • Anonymous
    August 20, 2007
    I installed the 2 newest updates for IE7 and when I rebooted the computer internet explorer doesn't load any pages. It doesn't even attempt to load them. I uninstalled it and it worked fine but windows intrusiveness kept trying to update it again. I got home yesterday and windows updated it automatically and now my IE7 doesn't work. It's REALLY annoying when people keep saying it's the firewalls when it obviously isn't. I'm using Firefox right now but I would rather use IE7. This problem should be the first to be fixed.

  • Anonymous
    August 20, 2007
    The comment has been removed

  • Anonymous
    August 20, 2007
    The comment has been removed

  • Anonymous
    August 20, 2007
    The comment has been removed

  • Anonymous
    August 21, 2007
    On Sunday, August 19th I returned from a 9 day vacation and started up my computer using XP.  I was prompted to install several windows updates: (KB937143), (KB938127), (KB938829), (KB936021), (KB936782), (KB938828) and (KB921503).  Prior to installing these updates I checked my email and visited several websites using Internet Explorer with no problems.  After installing all the updates I could not start my email client Mozilla Thunderbird and Internet Explorer would not load my earthlink home page.  Firefox worked fine.  I chatted with Earthlink Support and they said the firewall and antivirus software was not causing the problem.  After reading several posts on this blog I see one fix was to remove update (KB937143) and someone else suggested disabling the phishing filter.  I tried disabling the phishing filter and this did not resolve the issue.  I am using Earthlink's Security Software.  Does anyone have any more suggestions?  I have also tried to restore my settings to a previous date and that failed.

  • Anonymous
    August 21, 2007
    The comment has been removed

  • Anonymous
    August 21, 2007
    <<what would be so hard about setting a flag, of some kind, somewhere in IE7/8 to tell IE to obey the spec, and send the value, not the innerText.>> It wouldn't be hard at all.  But it would break the web.  So they don't do it.   What's confusing about that?

  • Anonymous
    August 21, 2007
    Hi all.., I want to permanently remove ie vertical scrollbar on my machine.. Is there any registry level settings? When I googled, I got some info from msdn like HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SBSizeV REG_DWORD value would be 0. But it won't work.. Can anyone help me?

  • Anonymous
    August 22, 2007
    I applied the security patch and now IE 7 can't open a web page.  Many others are having the same issue look in the discussion groups

  • Anonymous
    August 22, 2007
    @arunkarthikeyan.m: Why would you want to do that? I don't believe there's any way to hide the scrollbar inside IE itself. The SBSizeV value you're seeing is for the Windows Mobile (WinCE, PocketPC, SmartPhone) version of IE.

  • Anonymous
    August 22, 2007
    @Art You don't understand what omrak is saying. Right now, if you set a DOCTYPE, IE changes its rendering mode to "standards" (well, as best as IE supports at the moment). Likewise if there were a CC for new standards compliance, developers could set it, only when they specifically want. <!--[FollowSpec=true:HTMLFormButtonElement]--> Other browsers could (and would) ignore this, but for developers that want to use the button, with this method available, they could actually use the button as it was intended. The best part of this is that it CAN'T break the web, because you have to explicitly set it. Better yet, you could set several, for key issues in IE. <!--[FollowSpec=true:HTMLFormButtonElement,DOMgetElementById,DOMgetElementByName]--> And thus, no broken web.

  • Anonymous
    August 23, 2007
    I am lost!!! On all my computers running XP your recent update knocked out our Outlook. What do you suggest we do? Since this was our email service and used as well for our VOIP voice mail messages, we are in dire straits. Help!!!

  • Anonymous
    August 25, 2007
    The Cumulative Update for IE KB937143 is preventing my IE7 from connecting to anything at all.  Firefox and Outlook work fine.  This started with all the Aug updates being automatically installed on my XP machine.  I find that just uninstalling KB937143 fixes the problem.  I've been talking to MS support via email and have tried any number of their suggestions without success, including turning off the firewall, resetting IE7 totally, and disabling all the add-ins.  Does anyone have a solution to this?  Or ideas of other things to try? thanks

  • Anonymous
    August 27, 2007
    EricLaw Thanks this is for my desktop application... There is no SBSizeV registry key on my winxp...registry. When I add this key there, it doesn't take effect