Microsoft Sparks Backlash By Tying Internet Explorer Changes To Security Patch - InformationWeek


03:27 PM

Microsoft Sparks Backlash By Tying Internet Explorer Changes To Security Patch

Security vendors say the security patch that Microsoft released on Tuesday will break the browser for some users.

By packaging a functionality change for Internet Explorer with a needed security update, Microsoft has alienated some IT pros, security vendors complained Wednesday.

Along with the 10 patches in Tuesday's MS06-013 security bulletin, Microsoft bundled changes to IE's handling of ActiveX controls. Those changes, which were prompted by a 2003 $521 million judgment against Microsoft in a patent lawsuit brought by Eolas Technologies Inc. and the University of California, will require users to manually activate controls on some sites.

"Microsoft often bundles non-security-related code in security updates," said Mike Murray, director of research at vulnerability management vendor nCircle. "Little optimizations and that kind of thing. But I don't remember them ever bundling a functionality update or, as in this case, removing functionality, with a security bulletin."

The inclusion of the ActiveX changes "makes everything a mess" for companies deploying and testing Microsoft's monthly patches, Murray said. "I've talked to some of our customers, and they're at the point where they're pulling out their hair."

Instead, Microsoft should have separated the IE ActiveX changes from the security fixes. "They easily could have deployed it as a separate patch or rolled it into a service pack," said Murray.

In late March, Mike Nash, Microsoft's head of security, gave administrators a heads-up that the ActiveX changes would be coming April 11 and would be blended with the security update. At that time, his explanation for the bundling was that "in order to reduce the complexity of updates and to improve quality, we ship all IE updates as cumulative updates."

On Wednesday, a Microsoft spokesman went into more detail.

"While Microsoft tries to minimize the amount of non-security updates that go out with the regularly scheduled security updates, occasionally changes are permanently made to the Windows source code and therefore are picked up in the subsequent security update that installs the affected files," he said. "This particular change falls in that category."

He also hinted that the decision to roll the change into the security update was made in consultation with customers and partners, and after talking with them, the company concluded that this approach was the easiest to implement.

"Microsoft has been working with its customers and partners on the IE ActiveX update since early December 2005, and has been actively soliciting customer feedback on how to make this process as easy as possible," he said.

Microsoft has posted a "compatibility patch" to delay the court-mandated changes to IE until June 13, that month's scheduled bulletin release date, when the changes will be made permanent.
