Microsoft KB Archive/918899

= MS06-042: Cumulative security update for Internet Explorer =

Article ID: 918899

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003 SP1
 * Microsoft Windows XP Professional 64-Bit Edition (Itanium)
 * Microsoft Windows XP Service Pack 2
 * Microsoft Windows XP Service Pack 1
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Internet Explorer 5.01 Service Pack 4
 * Microsoft Internet Explorer 6.0 Service Pack 1
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0
 * Microsoft Internet Explorer 6.0

-



INTRODUCTION
Microsoft has released security bulletin MS06-042. The security bulletin contains all the relevant information about the security update. This information includes file manifest information and deployment options. To view the complete security bulletin, visit one of the following Microsoft Web sites:  Home users

http://www.microsoft.com/athome/security/update/bulletins/200608.mspx

 IT professionals

http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx



Known issues
 Microsoft released a new version of security update 918899 (MS06-042) on September 12, 2006. This new version addresses a vulnerability that affects customers who use Internet Explorer 6 Service Pack 1, Internet Explorer 5.01 Service Pack 4, and Internet Explorer 6 for Microsoft Windows Server 2003 customers. Customers who use these versions of Internet Explorer should apply the new update immediately. When you run a script on a Web page after you apply Internet Explorer cumulative security update 918899 (MS06-042), you receive an error message. This occurs on a Microsoft Windows XP-based computer or on a Microsoft Windows Server 2003-based computer. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

926046 Error message when you run a script on a Web page after you apply security update MS06-042 on a Windows XP-based computer or on a Windows Server 2003-based computer: &quot;Permission denied&quot;

 Microsoft Internet Explorer 6 unexpectedly exits when you visit a Web site that uses the HTTP 1.1 protocol and compression. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

923762 Internet Explorer 6 Service Pack 1 unexpectedly exits after you install the 918899 update

Microsoft released a new version of security update 918899 (MS06-042) on August 24, 2006. This new version addresses this problem for customers who use Internet Explorer 6 Service Pack 1. Only customers who use Internet Explorer 6 SP1 are affected. All other customers should continue their deployments of security update 918899.

To resolve this problem if you use Internet Explorer 6 SP 1, install the new security update 918899 (MS06-042) that was released August 24, 2006. When you visit a Web page that uses a custom pop-up object, Internet Explorer 6 closes unexpectedly with an error in Mshtml.dll. This issue occurs after you install security update 918899 on a computer that runs Microsoft Windows XP Service Pack 2 (SP2) or on a computer that runs Microsoft Windows Server 2003 Service Pack 1 (SP1). A hotfix is available if you are severely affected by this issue. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

923996 When you visit a Web page that uses a custom pop-up object, Internet Explorer 6 closes unexpectedly

 After you install this security update, Internet applications that rely on scripts in their pages may stop responding. This issue occurs because of a vulnerability in JScript. This issue has been resolved. The fix is included in the most recent JScript update. For more information about this update, click the following article number to view the article in the Microsoft Knowledge Base:

917344 MS06-023: Vulnerability in Microsoft JScript could allow remote code execution

</li> In Windows XP SP2 and in Windows Server 2003 with SP1, the Add or Remove Programs item in Control Panel lists software updates. This item lists software updates under the name of the product to which the updates apply. In Windows XP SP2, the Add or Remove Programs item lists this update under Windows XP - Software Updates. In Windows XP SP2, the Add or Remove Programs item does not show &quot;Installed On&quot; information for this update. Therefore, this update does not appear in the order of installation. Instead, this update appears at the top of the Windows XP – Software Updates list.</li> After you install this security update, chapters in some Windows Media High Definition Video (WMV HD) DVDs do not play when you click the chapters in Microsoft Windows Media Player. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

884487 A chapter does not play when you click it in some WMV HD DVD disks in Windows Media Player

</li> ActiveX controls may not load as expected in Internet Explorer. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

909889 ActiveX controls may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688 (MS05-052)

</li> A Web page that contains an ActiveX control may not load as expected in Internet Explorer. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

909738 A Web page that contains a custom ActiveX control may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688 (MS05-052)

</li> Internet Explorer no longer supports the use of monikers. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

906294 The use of monikers is no longer supported in Internet Explorer after installing the security updates provided by cumulative security update 896727 (MS05-038)

</li> Certain controls prompt before they are loaded.

Note This issue occurs on Web sites that do not use recommended techniques. For information about recommended techniques that resolve this issue, visit the following Microsoft Web site:

http://msdn.microsoft.com/ieupdate

When certain controls are loaded on a Web page, the controls are not correctly masked by the functionality of this update. These controls include controls that are used in Macromedia Shockwave Director, in Apple QuickTime Player, and in Virtools Web Player. When Windows determines that a control is inactive, the system prompts the user before the control is loaded.</li> There are issues that concern certain Siebel programs that use ActiveX controls.

Security update 918899 affects all Siebel 7 High Interactive customers. After you apply this update, you must click several times to interact with the Siebel program. You must click one time for each ActiveX control in the program. Siebel is working with Microsoft to identify a solution. A Siebel product update is expected to be released in the spring of 2006. For more information about Siebel product updates, visit the following Siebel SupportWeb Web site:

https://ebusiness.siebel.com/supportweb

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

</li> There are certain ActiveX controls that use Java Platform, Standard Edition 1.3 or that use Java Platform, Standard Edition 1.4.

After you click an ActiveX applet control in a program that runs the applet control by using Java Platform, Standard Edition (J2SE) 1.3 or Java Platform, J2SE 1.4, the focus does not shift to the applet control. You must click the control again to establish focus. The focus behavior works correctly in J2SE 1.5. To obtain the latest version of J2SE, visit the following Sun Microsystems, Inc. Web site:

http://java.sun.com/j2se

For techniques that you can use to make sure that ActiveX controls function without user interaction, visit the following Microsoft Web site:

http://msdn.microsoft.com/ieupdate

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.</li> The cumulative security update 918889 includes the security fixes that are documented in security bulletin MS06-042.

Cumulative security update 910620 includes the security fixes that are documented in security bulletin MS06-004. The update rollup also includes hotfixes for Internet Explorer that have been released after the release of security bulletin MS04-004 and after the release of security bulletin MS04-038.</li> If you want to install update rollup 873377, update rollup 889669, an Internet Explorer hotfix that was released after security bulletin MS04-038, or the hotfixes that are included in update rollup 896727, you must follow the instructions in Microsoft Knowledge Base article 897225. Otherwise, all Internet Explorer hotfixes that you have installed are removed.

897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer 6 Service Pack 1

</li></ul>

Additional query words: update security_patch security_update security bug flaw vulnerability malicious attacker exploit registry unauthenticated buffer overrun overflow specially-formed scope specially-crafted denial of service DoS TSE WinNT Win2000

Keywords: kbbug kbfix kbsecvulnerability kbqfe kbsecurity kbsecbulletin kbpubtypekc kbwinserv2003sp2fix KB918899

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.