Admins left to fix Microsoft's browser mess

From...

By By Joris Evers

(IDG) -- Microsoft's latest security patch for Internet Explorer (IE) causes the Web browser to crash when viewing Web pages that contain a certain VBScript directive, several IE users found. Microsoft has acknowledged the problem and says Web site administrators will need to take action.

"This issue does not pose a security threat to users. This issue affects stability. Normal operation can be restored by restarting IE," Microsoft said in a statement Friday.

IDG.net INFOCENTER InfoWorld Main Page InfoWorld Test Center Subscribe to InfoWorld Newsletters Infoworld Opinions and Spotlights Related IDG.net Stories IE flaw exploited for MSN Messenger worm Microsoft security patch said ineffective Microsoft battles old, new security holes with IE patch Features PC World.com Product Finder Bluetooth wireless connectivity set to take off DSL in distress Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

"Microsoft Product Support Services has been working with customers to implement a workaround that addresses a problem in which patched IE browsers could crash when viewing certain pages containing a specific VBScript directive."

The way to fix the problem in the short term will be to tweak the coding on Web pages that contain this directive, called the execScript directive, Microsoft said. However, Microsoft is working on an updated patch, but does not know when that will be released.

In postings to Microsoft's discussion groups, users had earlier pinpointed the execScript directive as the culprit.

"The workaround is one that site operators would implement on their ASP (Active Server Page) pages. End-users need not do anything," Microsoft said, adding that a knowledge base article explaining the issue and the workaround procedure will be posted to Microsoft.com shortly.

One Dutch IE user on Friday told the IDG News Service that his patched Web browser crashed when accessing the Web JetAdmin remote management tool for Hewlett-Packard printers.

"Sadly, the patch removes functionality in IE. I installed the patch on my IE 5 system, but removed it immediately by installing a complete new version of IE 6. The HP administrator page on our LAN did not work on the patched system, but did work on unpatched systems," said Jean van Laarhoven, systems manager for a part of Amsterdam's city government.

Internet advertising company DoubleClick told its customers in an e-mail not to install Microsoft's patch, a German DoubleClick user who asked for anonymity said. DoubleClick's ad management system is accessed through the Web and relies on scripting. This user and another DoubleClick user, who also requested anonymity, confirmed that IE crashed when they tried to access the DoubleClick system after patching their browser. Nobody at DoubleClick was immediately available for comment.

Microsoft released the "cumulative" patch that fixes six holes in IE versions 5.01, 5.5 and 6.0 on Monday. The software maker gave the patch a "critical" rating and urged all users to immediately install it. The set of patches fixes holes that could allow an attacker to take control over a user's computer.

Joris Evers is an Amsterdam correspondent for the IDG News Service, an InfoWorld affiliate.