Re: Microsoft Security Bulletin MS04-038 - Cumulative Security Update for Internet Explorer (834707)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/15/04

  • Next message: Russ Cooper: "Administrivia #29691: TruSecure Global Risk Index Survey"
    Date:         Fri, 15 Oct 2004 09:49:47 -0400

    The caveat in MS04-038 has caused some confusion. It states:

    "This update may not include hotfixes that have been released since the release of MS04-004 or MS04-025. Customers who have received hotfixes from Microsoft or from their support providers since the release of MS04-004 or MS04-025 should review the FAQ section for this update to determine how this update might affect their operating systems."


    "When you install one or more of the MS04-038 security updates for Internet Explorer 6 SP1, Internet Explorer hotfixes released since MS04-004 will be removed if the hotfix replaced one or more of the files listed in the "Security Update Information" section of Microsoft security bulletin MS04-038."

    This led some to wonder if MS04-038 was truly cumulative. Here's my best explanation, hopefully in line with information I received from MSRC.

    After MS04-004 was released, it seems that the IE Team started approaching security fixes from the perspective that code does not change. IOWs, when they started working on the next cumulative security update for IE after MS04-004 (those released in MS04-025), they ignored other (non-security) fixes for IE that may have been released after MS04-004.

    QFE Hotfixes (other fixes) are often released to address non-security issues between Service Packs. Historically, they aren't fully regression tested and often require you to contact Microsoft PSS to obtain them (so PSS can ensure it truly addresses the problem you have). Eventually everyone gets them as part of the next Service Pack.

    By freezing the code at MS04-004, the IE Team might be able to have better beta testing done on the next cumulative security update for IE, or, can at least provide different discoverers with consistent code to test to verify the security issue is resolved. When a QFE is done, it is typically done with whatever the latest build of the component happens to be, so it may or may not include security fixes that are being worked on.

    So when it comes time to release the cumulative security update for IE, there now might be two (or more) versions of some/many components. Since the QFE Hotfixes aren't necessarily fully supported, and the security fixes are, it seems the IE Team have decided to simultaneously release two Updates.

    - The Cumulative Security Update for IE contains only the security fixes since the last cumulative update.

    - The Update Rollup for IE contains both the security fixes, and all QFE Hotfixes which were released.

    You don't need to apply both, either will suffice from a security perspective as both contain all of the security fixes to date. If you didn't need a QFE Hotfix, then you don't need the Update Rollup for IE.

    Windows Update and Automatic Updates offer up the Cumulative Security Update for IE, the Update Rollup for IE can only be obtained via the Download Center.

    As such, clients which have obtained QFE Hotfixes since MS04-004 and got MS04-025 or MS04-038 via WU/AU (or any distribution derived from those sites) may now demonstrate the problems that the QFE Hotfix corrected. Such systems need the Update Rollup for IE.

    I hope this clears things up somewhat. You'd think that Microsoft could build this into detection methods used by WU/AU/SUS so that it wouldn't be an issue (IOWs, you have a QFE Hotfix version of some IE component, so give you the Update Rollup instead of the Cumulative Security Update), but alas, not yet. We can hope it may be part of a future enhancement.

    Russ - Senior Scientist/NTBugtraq Editor
    TruSecure Corporation
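
    The check Russ wishes WU/AU/SUS performed can be approximated on the client before the update is pushed. The PowerShell below is an added illustration, not code from the original post, from Microsoft or from the bulletin: it reads the file version of each IE component the cumulative update replaces and flags any whose installed build is newer than the version the bulletin lists. The file names in $BulletinFiles are assumed (they are typical IE 6 components, not a copy of the bulletin's table) and the versions are placeholders to be replaced with the real entries from the "Security Update Information" section; the rule that "installed build newer than the bulletin's build means a QFE hotfix build that the Cumulative Security Update would overwrite" is the posting's own reasoning turned into a heuristic, not a Microsoft-documented test.

```powershell
# Added example, not code from the original post or from Microsoft.
# Inventory the IE component files that the cumulative update replaces and
# flag any whose installed build is newer than the version the bulletin lists,
# i.e. a QFE hotfix build that the Cumulative Security Update would roll back.
# File names are assumed typical IE 6 components; versions are placeholders.
# Copy the real entries from the bulletin's "Security Update Information" table.

$BulletinFiles = @{
    'browseui.dll' = '6.0.2800.1000'   # placeholder, not the real bulletin version
    'mshtml.dll'   = '6.0.2800.1000'   # placeholder
    'shdocvw.dll'  = '6.0.2800.1000'   # placeholder
    'urlmon.dll'   = '6.0.2800.1000'   # placeholder
    'wininet.dll'  = '6.0.2800.1000'   # placeholder
}

function Get-IEFileVersion {
    param([string]$Path)
    # Build a System.Version from the numeric parts. The FileVersion string on
    # older Windows builds carries build-lab text ("6.00.2800.1106 (xpsp1...)")
    # and does not parse cleanly as a version.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-IEUpdateBranch {
    param(
        [hashtable]$Expected = $BulletinFiles,
        [string]$SystemDir = (Join-Path $env:windir 'system32')
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $path     = Join-Path $SystemDir $name
        $expected = [version]$Expected[$name]
        $installed = $null
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'missing'
        } else {
            $installed = Get-IEFileVersion -Path $path
            # Heuristic (assumption): a build above the bulletin's is a hotfix
            # (QFE) build that the security-only update would replace.
            if ($installed -gt $expected)     { $state = 'hotfix build (newer than bulletin)' }
            elseif ($installed -lt $expected) { $state = 'older than bulletin (update needed)' }
            else                              { $state = 'at bulletin level' }
        }
        [pscustomobject]@{ File = $name; Installed = $installed; Bulletin = $expected; State = $state }
    }
}

# Usage: run on the client before approving the update for it.
$report = Test-IEUpdateBranch
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.State -like 'hotfix*' }) {
    'Hotfix build present: deploy the Update Rollup for IE, not only the Cumulative Security Update.'
} else {
    'No hotfix builds found: the Cumulative Security Update alone is sufficient.'
}
```

    A file reported as a hotfix build is exactly the case the FAQ describes: installing the Cumulative Security Update would replace it and reintroduce whatever the QFE fixed, so that client should receive the Update Rollup from the Download Center instead of the WU/AU offering.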

