Patch away!

Dec 20, 2007 10:40 GMT

Microsoft is well aware that the latest batch of security patches it has made available for Internet Explorer cripples the browser in specific situations, but strongly advises users to patch away. On December 11th, Microsoft patched a total of four vulnerabilities impacting various versions of Internet Explorer, including IE6 and IE7. Microsoft Security Bulletin MS07-069 - Cumulative Security Update for Internet Explorer (942615) is labeled with a maximum severity rating of Critical, as the security holes it is designed to plug can potentially allow for remote code execution.

All four holes were privately reported to Microsoft. This means that neither proof-of-concept exploit code nor attacks have targeted the flaws in the wild. Still, with the release of the security bulletin, the risk increases for users who have not applied the update, as attackers can reverse engineer the patches in order to discover the vulnerabilities and create exploits. This is, in fact, the reason why Microsoft wants IE users to patch their operating system. However, the security updates cause Internet Explorer 6 on Windows XP SP2 to crash. This is a major problem for Microsoft, as the vast majority of IE users, over 40%, are in fact still running IE6 on XP SP2.

"After downloading the Internet Explorer Cumulative Security Update for December 2007, some customers using IE6 on Windows XP Service Pack 2 have experienced an unexpected crash or hang upon launching Internet Explorer. This might occur while navigating to a website hosting considerable media content (for example: http://msn.com) resulting in Internet Explorer displaying a dialog that states 'Internet Explorer has experienced a problem and needs to close'. If you experience this issue, implement the applicable workaround provided in the following knowledge base article: Microsoft Knowledge Base article 946627", advised Terry McCoy, Program Manager, Internet Explorer Security.