MS10-090: Cumulative security update for Internet Explorer

Microsoft has released security bulletin MS10-090. To view the complete security bulletin, visit one of the following Microsoft websites:

• Home users:
  http://www.microsoft.com/security/updates/bulletins/201012.aspx

  (http://www.microsoft.com/security/updates/bulletins/201012.aspx)
  Skip the details: Download the updates for your home computer or laptop from the Microsoft Update website now:
  http://update.microsoft.com/microsoftupdate/

  (http://update.microsoft.com/microsoftupdate/)
• IT professionals:
  http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx

  (http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx)

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Known issues with this security update

Note The following issues are resolved by security update 2482017. For more information, click the following article number to view the article in the Microsoft Knowledge Base: After you install this security update, you may also have to install update 2467659. To determine whether you have to install update 2467659, review the known issues in the following list:

• This security update contains a fix that turns off the automatic detection of Japanese Industrial Standard (JIS) encoding. However, some software uses a component in Internet Explorer to interpret Japanese email messages that are in HTML format. Therefore, the content of the email message may be displayed in unreadable code. This issue occurs because the JIS encoding is not automatically detected. To resolve this issue, install update 2467659
  (http://support.microsoft.com/kb/2467659)
  .
• When you print or view the Print Preview page of an affected webpage in Internet Explorer, garbled characters may appear on the Print Preview and on the printed documents. This issue occurs even if you press F5 to reload the website.
• After you install this security update, you may be prompted to install this security update again when you scan the system by using Windows Update, Microsoft Update, Microsoft Windows Server Update Services (WSUS) server or Microsoft Baseline Security Analyzer (MBSA). This issue may occur if you installed this security update, but you have not installed update 2467659. To resolve this issue, approve the installation of update 2467659 in WSUS or install update 2467659
  (http://support.microsoft.com/kb/2467659)
  from Windows Update, Microsoft Update or from the Microsoft Download center.
• After you install this security update, some Japan Industrial Standard (JIS) websites may not appear correctly in Internet Explorer. This issue can occur if the JIS-based website does not specify JIS encoding in the HTTP headers. For example, the website only specifies JIS in a Meta tag.
  
  To work around this issue, use one of the following methods:

  Server-side workaround

  To work around this problem from the server-side, the website's administrator can configure the webpage to use the following HTTP header:
  

  Content-Type: text/html;charset=iso-2022-jp

  
  
  

  Client-side workarounds

  Use either of the following methods on the client computer to work around this issue:
  • To work around this issue while you are viewing the website, press F5 to refresh the page.
  • Alternatively, you can delete the Iexplore.exe and explore.exe registry DWORD entries from the registry on the client computer to unblock the JIS auto-detection.
    
    Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk. Specifically, if you delete the Iexplore.exe and explore.exe registry DWORD entries, the system may be more vulnerable to the security issues that are described in CVE-2010-3342 and CVE-2010-3348. For more information, see the following security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx

    (http://www.microsoft.com/technet/security/bulletin/MS10-090.mspx)
    The security bulletin provides more information about the issue in the following sections:
    • Cross-Domain Information Disclosure Vulnerability - CVE-2010-3342
    • Cross-Domain Information Disclosure Vulnerability - CVE-2010-3348
    This information includes the following:
    • Mitigating Factors
    • Workarounds
    • FAQ
    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756

    (http://support.microsoft.com/kb/322756/ )

    How to back up and restore the registry in Windows
    
    To delete the Iexplore.exe and Explore.exe registry DWORD entries, follow these steps:
    1. Click Start
       Collapse this imageExpand this image

       
       , type regedit in the Start Search box, and then click regedit.exe in the Programs list.
       
       
       Collapse this imageExpand this image

       
       If you are prompted for an administrator password or confirmation, type your password or click Continue.
    2. Locate and then click the following subkey in the registry:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_ISO_2022_JP_SNIFFING
    3. Right-click Iexplore.exe, and then click Delete.
    4. Click Yes to verify.
    5. Right-click Explore.exe, and then click Delete.
    6. Click Yes to verify.
    7. Exit Registry Editor, and then restart the computer.
    For more information about the FEATURE_DISABLE_ISO_2022_JP_SNIFFING registry subkey, see the following article in the Microsoft Knowledge Base:
    2467659

    (http://support.microsoft.com/kb/2467659/ )

    An update is available for Internet Explorer: December 14, 2010

Update 2467659

For more information about update 2467659, click the following article number to view the article in the Microsoft Knowledge Base: To install update 2467659, visit the following Microsoft website:

Non-security-related fixes that are included in this security update

General distribution release (GDR) fixes

Individual updates may not be installed, depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.

Hotfixes

Security update 2416400 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 2416400 installs the GDR files.

Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems.

These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. For more information about how to install the hotfixes that are included in security update 2416400, click the following article number to view the article in the Microsoft Knowledge Base:
Note In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix.

For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base:

The Fix it solutions that are described in this section are not intended to be replacements for any security updates. We recommend that you always install the latest security updates. However, we offer the Fix it solutions as workaround options for some scenarios. These Fix it solutions help to resolve the security issue described in CVE-2010-3962. For more information about the security issue and the workarounds, visit the following Microsoft Security Bulletin webpage: The security bulletin provides more information about the issue in the "Uninitialized Memory Corruption Vulnerability - CVE-2010-3962" section. This information includes the following:

• Mitigating Factors
• Workarounds
• FAQ

Two Fix it solutions are available:

• Fix it solution for the user-defined CSS
  A Fix it solution is available that enables supported versions of Internet Explorer to override a website's cascading style sheets style by using a custom CSS for formatting documents.
  
  To remove the user-defined CSS and to restore the original settings, click the Fix it button or link under the Remove User-Defined CSS heading in the "Fix it solution for the user-defined CSS" section.
  
• Fix it solution for Data Execution Prevention in Internet Explorer 7
  We have created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer that support DEP.
  
  To install this application compatibility database, click the Fix it button in the "Fix it solution for Data Execution Prevention in Internet Explorer 7" section.

Fix it solution for the user-defined CSS

To enable or to disable the user-defined CSS workaround automatically, click the Fix it button or link under the Apply User-Defined CSS heading or under the Remove User-Defined CSS heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

Notes

• These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
• If you are not logged on to the computer that has the problem, you can save the automatic fix to a flash drive or to a CD and then run the automatic fix on the computer that has the problem.
• If you decide not to install the current security update and instead choose to use the workaround that is described in security bulletin MS10-090, you can click the Fix it button to enable or to disable applying the user-defined CSS.

Known issues with the Fix it solution for the user-defined CSS

• In some scenarios, Group policy may block this Fix it solution from being installed on systems that are running Windows Server 2008 or Windows Server 2008 R2. When the issue occurs, you may receive an error message that resembles the following:
  
  The system administrator has set policies to prevent this installation.
  
  Contact the system administrator for more information about how to change the policy to allow the installation.
• You may be unable to install this fixit solution if a Styles registry subkey exists in the following location in the registry:
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
  To resolve this issue, remove the Styles registry subkey, and then install the Fix it.
  
  Note you can export the Styles registry subkey, and then re-import the key after you install the fixit solution. To do this, follow these steps:
  1. Right-click the Styles registry subkey, and then click Export.
  2. Type a name for the temporary .REG file, and then save it to the desktop.
  3. Right-click the Styles registry subkey, and then click Delete key. Click Yes to verify.
  4. Install the fixit solution.
  5. Double-click the temporary .REG file that you saved on the desktop to import the registry subkey. Click Yes to verify.

Fix it solution for Data Execution Prevention in Internet Explorer 7

To enable or to disable DEP automatically in Internet Explorer 7, click the Fix it button or link. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.
Notes

• You do not have to have this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3), on Windows Vista SP1, or on later versions of Windows. This is because Internet Explorer 8 opts-in to DEP by default on these platforms.
• If you decide not to install the current security update and instead decide to use the workaround that is described in MS10-018, you can click the Fix it button to enable or to disable DEP. Then, click Run in the File Download dialog box, and follow the steps in the wizard.
• These wizards may be in English only. However, the automatic fixes also work for other language versions of Windows.
• If you are not logged on to the computer that has the problem, you can save the Fix it solution to a flash drive or to a CD and then run the Fix it solution on the computer that has the problem.
• For this workaround to be effective, your processor must support hardware-enforced DEP. For more information about how to determine whether your system supports hardware-enforced DEP, click the following article number to view the article in the Microsoft Knowledge Base:
  912923

  (http://support.microsoft.com/kb/912923/ )

  How to determine that hardware DEP is available and configured on your computer

For a list of files that are provided within these packages, click the following link: If you are not sure which version of Windows that you are running or whether it is a 32-bit version or 64-bit version, open System Information (Msinfo32.exe), and review the value that is listed for System Type.
You must know which kind of processor platform (x86-based, x64-based, or Itanium-based) that you have. Most users have x86-based processors. If you are not sure which kind of processor platform you have, install the x86-based update on the computer. To do this, follow these steps:

1. Click Start, and then click Run, or click Start Search.
2. Type msinfo32.exe and then press ENTER.
3. In System Information, review the value for System Type.
   • For 32-bit editions of Windows, the System Type value is x86-based PC.
   • For 64-bit editions of Windows, the System Type value is x64-based PC.

For more information about how to determine whether you are running a 32-bit or 64-bit edition of Windows, click the following article number to view the article in the Microsoft Knowledge Base: