IE Cumulative Security Update Now Available

January 21st, 2010

Today we released a Cumulative Security Update for Internet Explorer. We released it earlier than originally scheduled because of malicious activity reported on the web. The update is available via Windows Update and Microsoft Update. Most users configure their machines to update automatically; you can find more information on that here.

This update actually includes 236 separate packages for all the different languages and versions of Windows and IE that customers run and Microsoft supports worldwide. We release these packages simultaneously for all supported products and languages as part of this update. The complete matrix of browsers, operating systems, and languages is available in the security bulletin. At a high level, these packages cover:

  • Seven operating system versions: Windows 2000, Windows XP, Windows Server 2003, 2008, and 2008 R2, Windows Vista and Windows 7. Customers run 32-bit, 64-bit, and Itanium versions of some of these operating systems, along with a variety of different service packs.
  • Four different versions of IE: 5.01, 6, 7, and 8.
  • All supported languages. Older versions of Windows require separate language-specific packages, typically between 18 and 25. Windows Vista and later operating systems have a single language-neutral binary to update IE.

We test each security fix thoroughly with different variants of the security issue. We also test the entire package extensively for compatibility and reliability, as well as for any setup, deployment, and manageability issues. Security updates are also cumulative: each one contains all previously released updates for that version of Internet Explorer, which makes it easy to secure any system, whether it was updated a month ago or never updated at all.

This update addresses several vulnerabilities including the one described here. Other blog posts describe specifics. Some of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Note that IE8 users on Windows 7 have extensive defense-in-depth protections with DEP, ASLR, and Protected Mode that make remote code execution from a malicious site extremely difficult. Microsoft therefore strongly recommends that customers upgrade to IE8 to benefit from these extensive defense-in-depth protections.

For detailed information on the contents of this update, please see the following documentation:

We encourage everyone to set their operating system to automatically update with the latest security updates for all their software. You can find more information here.

Dean Hachamovitch

IE General Manager