A defense-in-depth change to the functionality of Microsoft Corp.s Internet Explorer browser is causing problems for Web sites that use custom ActiveX controls.
The MSRC (Microsoft Security Response Center) posted revisions to the last two IE security bulletins—MS05-038 and MS05-052—to explain the reasons why some Web sites are not loading after the IE patches are installed.
Both bulletins included cumulative patches to cover “critical” IE vulnerabilities but because of Microsofts deliberate strategy to make defense-in-depth design changes to harden the browser, some customers are experiencing problems, the software giant said.
“These [defense-in-depth] changes were done mostly for security reasons, removing potentially unsafe functionality and making changes to how Internet Explorer handles ActiveX controls,” said program manager Stephen Toulouse in a posting to the MSRC Blog.
Defense-in-depth is an engineering solution that adopts a multilayered approach to solving a specific problem. In Microsofts case, when a security patch is being created, the company usually applies functionality tweaks to the vulnerable software to provide more comprehensive defense to various threats.
In some cases, those tweaks cause problems, especially for Web sites or customers that create custom applications for Microsoft software.
Toulouse explained that the IE changes were made “for security sake,” and noted that the Web page loading problems only affect a limited number of customers.
Microsoft has struggled mightily with the quality of its security patches, regularly re-releasing problematic updates to quell customer complaints. For example, a recent third-party advisory detailed a fundamental mistake made by Microsoft that caused a security patch to ship without an adequate fix for the flaw it was meant to address.
However, in this latest case of the Internet Explorer patch, the hiccups are caused by a deliberate attempt to change the way the browser works.
The company said the MS05-052 update now introduces additional checks before a COM (Component Object Model) object can run in IE.
“The intent of this change is to prevent COM objects that were not designed to be instantiated in Internet Explorer from being instantiated,” Microsoft explained. Another checked introduced with the patch is that the browser now checks for the “IObjectSafety” interface for ActiveX controls in the Internet zone before a COM object can run in Internet Explorer.
With the updated bulletins, Microsoft has published Knowledge Base articles (here and here) to explain why the problems occur and guidance on how the changes can be rolled back.
Editors Note: This story was updated to include information on recent quality issues with Microsoft patches and to clarify the companys intent with this patch.