About a week ago I started receiving emails from vendors warning that if the upcoming Internet Explorer patch was installed it would break all of their applications. Some of the emails were fairly detailed and even explained that once the patch was installed there was no going back since it could not be uninstalled. I had not heard of anything prior to the emails but figured this month was going to be extra painful.
When reading the details for MS06-013 it becomes clear real quick that something is a bit off on this one when you get to the Caveats section.
From Microsoft’s website:
Caveats: Microsoft Knowledge Base Article 912812 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912812. […] Compatibility Patch – To help enterprise customers who need more time to prepare for the ActiveX update changes discussed in Microsoft Knowledge Base Article 912945 and included in Microsoft Security Bulletin MS06-013, Microsoft is releasing a Compatibility Patch on April 11, 2006. As soon as it is deployed, the Compatibility Patch will temporarily return Internet Explorer to the previous functionality for handling ActiveX controls. This Compatibility Patch will function until an Internet Explorer update is released as part of the June update cycle, at which time the changes to the way Internet Explorer handles ActiveX controls will be permanent. This compatibility patch may require an additional restart for systems it is deployed on. For more information, see Microsoft Knowledge Base Article 917425.
It appears that Microsoft has packaged a non-security update with the “Cumulative Security Update” that is going to change the way ActiveX controls work in order to circumvent a recent patent lawsuit. The spin on this being included in the patch appears to be increased ActiveX security.
The bottom line is that if you want to patch Internet Explorer this month you also are going to have a good chance of breaking quite a few applications as these other change has been packaged with the update. It appears to be impossible to get a patch that just corrects the vulnerabilities. Ah, but there is some hope as Microsoft did release that “Compatibility Patch” that will give you until June to fix everything!
What am I missing here?
Here is a good article that explains the issues.