MS09-014: Cumulative security update for Internet Explorer

Important This article contains information that shows you how to lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.
The update that this article describes has been replaced by a newer update. To resolve this problem, install the most current cumulative security update for Internet Explorer. To install the most current update, visit the following Microsoft Web site: For more technical information about the most current cumulative security update for Internet Explorer, visit the following Microsoft Web site:

INTRODUCTION

Microsoft has released security bulletin MS09-014. To view the complete security bulletin, visit one of the following Microsoft Web sites:

How to obtain help and support for this security update


Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information

Known issues with this security update

  • After you install this update on a computer that is running Windows Small Business Server 2003 with Service Pack 2, when you use Internet Explorer to access the http://companyweb Web page, you may be prompted to provide your credentials. After you provide your credentials and then click OK for the third time, you receive the following error message:


    HTTP 401.1 - Unauthorized


    To resolve this problem, install hotfix 961143. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    961143 Error message when you access the http://companyweb Web site in Windows Small Business Server 2003: "HTTP 401.1 - Unauthorized"
    This issue is discussed in the CSS Security MS09-014 Bulletin FAQ.
  • After you install this update on a computer that is running Internet Explorer 6, Internet Explorer may close unexpectedly (crash) when you visit a Web site that contains a Microsoft Foundation Classes (MFC)-based ActiveX control. The crash is most likely to occur when you refresh (press F5) or close the Web page. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
    971131 Internet Explorer 6 may crash if you visit a Web site that contains an MFC ActiveX control after you install MS09-014
  • When a client tries to connect to an HTTP server that is running on a local system by using NTLM authentication and IPv6 addresses, the client receives the following error message:

    Connection Denied
    This problem occurs because of a known issue in the underlying NTLM provider. The provider does not recognize IPv6 addresses in the local context.



    Workaround

    There are two methods to work around this issue. Use one of the following methods, as appropriate for your situation.

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
    322756 How to back up and restore the registry in Windows

    Method 1: Specify host names (the preferred method for NTLM authentication)

    To specify the host names that are mapped to the loopback address and can connect to websites on your computer, follow these steps:

    1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    2. Click Start, click Run, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
    4. Right-click MSV1_0, point to New, and then click Multi-String Value.
    5. Type BackConnectionHostNames, and then press ENTER.
    6. Right-click BackConnectionHostNames, and then click Modify.
    7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
    8. Exit Registry Editor, and then restart the IISAdmin service.

    Method 2: Disable the loopback check (the less-recommended method)

    Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.


    The second method is to disable the loopback check by setting the DisableLoopbackCheck registry entry.

    To set the DisableLoopbackCheck registry entry, follow these steps:

    1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
      281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
    2. Click Start, click Run, type regedit, and then click OK.
    3. In Registry Editor, locate and then click the following registry key:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    4. Right-click Lsa, point to New, and then click DWORD Value.
    5. Type DisableLoopbackCheck, and then press ENTER.
    6. Right-click DisableLoopbackCheck, and then click Modify.
    7. In the Value data box, type 1, and then click OK.
    8. Exit Registry Editor, and then restart your computer.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:

896861 You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
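
The two workarounds above, scripted as an added PowerShell example (not Microsoft's code; the function names and the host name `intranet.example.local` are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session). It reports whether Method 2's DisableLoopbackCheck entry is in effect and applies Method 1 by merging host names into BackConnectionHostNames; step 1 (DisableStrictNameChecking) is not covered.

```powershell
# Added example, not from the original article. Run in an elevated session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$MsvKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    # Read both entries; a missing entry yields $null instead of an error.
    $lsa = Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $MsvKey -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    $names = @()
    if ($msv) { $names = @($msv.BackConnectionHostNames) }
    [pscustomobject]@{
        # The article sets the entry to 1; this audit reports any non-zero value.
        LoopbackCheckDisabled   = [bool]($lsa -and $lsa.DisableLoopbackCheck -ne 0)
        BackConnectionHostNames = $names
    }
}

function Add-BackConnectionHostName {
    param([Parameter(Mandatory = $true)][string[]]$HostName)
    # Method 1: merge with the existing list so other local sites keep working.
    $current = (Get-LoopbackCheckState).BackConnectionHostNames
    $merged  = [string[]](@($current) + $HostName | Where-Object { $_ } | Sort-Object -Unique)
    # -Force overwrites the existing REG_MULTI_SZ entry with the merged list.
    New-ItemProperty -Path $MsvKey -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

$state = Get-LoopbackCheckState
if ($state.LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck is set (Method 2). Method 1 is the preferred workaround.'
}
$state

# Hypothetical host name for a site hosted on this computer:
# Add-BackConnectionHostName -HostName 'intranet.example.local'
# Restart-Service -Name IISADMIN -Force   # step 8 of Method 1
```

The two commented lines at the end change the system; uncomment them only after reviewing the reported state.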

Non-security-related fixes that are included in this security update

General distribution release (GDR) fixes

Individual updates may not be installed depending on the version of Windows and the version of the affected application. Please view the individual articles to determine your update status.
Article number  Article title
944395 After you install security update 916281, Internet Explorer goes into an endless loop when you browse a Web page that contains a <meta http-equiv="REFRESH"> tag
952731 When you copy a table from Lotus Notes into a Rich Text Editor within Internet Explorer, Internet Explorer closes unexpectedly
969234 After you install security update 956390, Internet Explorer stops responding when you click an image to remove it
300895 BUG: Session ID Lost When New Window Opened
944520 After you reapply Internet Explorer Maintenance Group Policy settings on a computer that has Internet Explorer 7 installed, a pop-up blocker exception site that you manually added is missing
948030 Internet Explorer Maintenance-related Group Policy results are not displayed correctly in Group Policy Management Console on a Windows Vista-based computer
967941 Navigation is canceled when you browse to Web pages that are in different Internet Explorer security zones

Hotfixes

Security update 963027 packages for Windows XP and for Windows Server 2003 include Internet Explorer hotfix files and general distribution release (GDR) files. If no existing Internet Explorer files are from the hotfix environment, security update 963027 installs the GDR files.

Hotfixes are intended to correct only the problems that are described in the Microsoft Knowledge Base articles that are associated with the hotfixes. Apply hotfixes only to systems that are experiencing these specific problems.

These hotfixes may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains these hotfixes. For more information about how to install the hotfixes that are included in security update 963027, click the following article number to view the article in the Microsoft Knowledge Base:
897225 How to install hotfixes that are included in cumulative security updates for Internet Explorer
Note: In addition to installing hotfix files, review the Microsoft Knowledge Base article that is associated with the specific hotfix that you have to install to determine the registry modification that is required to enable that specific hotfix.

For more information about how to determine whether your existing Internet Explorer files are from the hotfix or from the GDR environment, click the following article number to view the article in the Microsoft Knowledge Base:
824994 Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages

Update versions for beta products

The following files are available for download from the Microsoft Download Center:

  • Security Update for Internet Explorer 8 in Windows 7 Client Beta
  • Security Update for Internet Explorer 8 in Windows 7 Server Beta 64-bit Itanium Edition
  • Security Update for Internet Explorer 8 in Windows 7 Client Beta for x64-based Systems
  • Security Update for Internet Explorer 8 in Windows 7 Server Beta for x64-based Systems
  • Security Update for Internet Explorer 7 in Windows Server 2008 64-bit Itanium Edition
  • Security Update for Internet Explorer 7 in Windows Server 2008 Service Pack 2 Release Candidate
  • Security Update for Internet Explorer 7 in Windows Server 2008 Service Pack 2 Release Candidate x64 Edition
  • Security Update for Internet Explorer 7 in Windows Vista Service Pack 2 Release Candidate
  • Security Update for Internet Explorer 7 in Windows Vista Service Pack 2 Release Candidate x64 Edition

Release Date: April 14, 2009

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

FILE INFORMATION
