Microsoft Corp.’s latest security patch for Internet Explorer (IE) causes the Web browser to crash when viewing Web pages that contain a certain VBScript directive, several IE users found. Microsoft has acknowledged the problem and says Web site administrators will need to take action.
“This issue does not pose a security threat to users. This issue affects stability. Normal operation can be restored by restarting IE,” Microsoft said in a statement Friday. “Microsoft Product Support Services has been working with customers to implement a workaround that addresses a problem in which patched IE browsers could crash when viewing certain pages containing a specific VBScript directive.”
The way to fix the problem in the short term will be to tweak the coding on Web pages that contain this directive, called the execScript directive, Microsoft said. However, Microsoft is working on an updated patch, but does not know when that will be released.
In postings to Microsoft’s discussion groups, users had earlier pinpointed the execScript directive as the culprit.
“The workaround is one that site operators would implement on their ASP (Active Server Page) pages. End-users need not do anything,” Microsoft said, adding that a knowledge base article explaining the issue and the workaround procedure will be posted to Microsoft.com shortly.
One Dutch IE user on Friday told the IDG News Service that his patched Web browser crashed when accessing the Web JetAdmin remote management tool for Hewlett-Packard Co. printers.
“Sadly, the patch removes functionality in IE. I installed the patch on my IE 5 system, but removed it immediately by installing a complete new version of IE 6. The HP administrator page on our LAN did not work on the patched system, but did work on unpatched systems,” said Jean van Laarhoven, systems manager for a part of Amsterdam’s city government.
Internet advertising company DoubleClick Inc. advised its customers in an e-mail not to install Microsoft’s patch, a DoubleClick spokeswoman said Friday. DoubleClick’s ad management system is accessed through the Web and relies on scripting. Two European DoubleClick users, who asked not to be named, confirmed that IE crashed when they tried to access the DoubleClick system after patching their browser.
Microsoft released the “cumulative” patch that fixes six holes in IE versions 5.01, 5.5 and 6.0 on Monday. The software maker gave the patch a “critical” rating and urged all users to immediately install it. The set of patches fixes holes that could allow an attacker to take control over a user’s computer.
The patch can be found on Microsoft’s TechNet Web site at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
Microsoft, in Redmond, Wash., can be reached at http://www.microsoft.com/.
