Security Watch

Keeping track of patches and hacks in the IT security world.

Buggy IE Patch Kills IE on MSN; Fix Available


Microsoft has done an impressive job of improving the quality of its security updates in recent years (yes, it used to be bad), but a new issue with a buggy Internet Explorer patch has become a big embarrassment for Redmond.

Just days after shipping MS07-069 with patches for multiple critical vulnerabilities, Microsoft's security response team confirmed that a "small number of customers" were having problems loading the browser after applying the update.

"Specifically, on a Windows XP Service Pack 2-based computer, Internet Explorer 6 may stop responding when you try to visit a Web site."

Although it's not considered a widespread issue, Microsoft released two knowledge base articles (KB942615 and KB946627) to help mitigate the problems.

The browser crashes have been reported on Web sites choked with multimedia content, including Microsoft's own MSN portal.

The only mitigation guidance from Microsoft is a registry fix that's too complicated (and rarely recommended) for the average Joe and near impossible to apply at businesses with hundreds of workstations.

Thanks to Jesper Johansson, a former Microsoft security strategist, there's now an automated way to deploy the registry edit workaround.

Johansson explains:

"I wrapped the required registry key in a Windows Installer program, attached to this post. The installer only sets the registry key. However, for a home user it is much simpler to double-click on an installer than navigating through the registry. For an enterprise, since it is an MSI file, it can be deployed with Group Policy to all affected computers. The best part is that it is completely uninstallable through Add/Remove Programs."

It's important to note that the original IE patch does fix the vulnerabilities documented in the bulletin and users unaffected by the glitch should ensure that the patch is applied immediately.