Microsoft automates IE crash snafu workaround
IE6 crashes only on Windows XP SP2 systems that had hot fixes applied earlier, company says
December 21, 2007 (Computerworld) -- Microsoft Corp. posted an automated fix late yesterday for a week-old crippling problem with Internet Explorer, replacing a registry hack it had offered Wednesday.
The new 476KB work-around can be downloaded manually from Microsoft's Web site, and will be pushed to users via Windows Update as well, according to the company.
"It has also been made available via Windows Update and Automatic Update for all Internet Explorer 6 customers on Windows XP Service Pack 2," said Kieron Shorrock, the IE program manager at Microsoft's Security Response Center (MSRC), in an entry on the center's blog yesterday.
The work-around came more than a week after users installed Security Update MS07-069 on Dec. 11, and immediately began reporting that they were unable to connect to the Internet with IE or that the browser kept crashing. MS07-069, one of seven bulletins issued that day, fixed four critical vulnerabilities in IE 5.01, IE6 and IE7.
On Wednesday, Microsoft acknowledged the problem and posted work-around instructions that required users to edit the Windows registry, a chore beyond most users. That drew immediate cries from people posting comments on the IE development team's blog, who demanded that Microsoft issue an easier-to-deploy fix, or better yet, simply re-release the MS07-069 bulletin.
Microsoft has also provided more clues about why some users' browsers have crashed repeatedly while others have reported no troubles.
When asked to clarify a statement by Shorrock on Wednesday that the issue appeared only on "a customized installation" of IE6, a company spokesman said that only PCs that had previously had a hotfix obtained directly from Microsoft were affected. "Customers who use QFE [quick fix engineering] Binary are affected by the issue in Knowledge Base Article 942615," the spokesman said. "The QFE binary tree is used by those who have previously received a hotfix directly from Microsoft."
One IT administrator applauded the work-around replacement. "This seems better if they can deliver it through Windows Update," said Harold Decker, operations manager at San Diego-based Gold Peak Industries NA Inc., who oversees 35 Windows XP SP2 machines. Even so, Decker said Microsoft needed to take the next logical step and re-issue MS07-069.
"I'm surprised that the update has not been reissued by Microsoft with a fix included, especially when the solution only requires a single registry entry," he said. "We can get this work-around deployed fairly easily, but the average home user does not stand a chance."
Decker put a stop to IE6 updates last week after nearly 40% of the Gold Peak computers that had received the security patches began having trouble connecting to the Internet or reaching certain Web sites.
Microsoft has also revised the pertinent support document, originally posted Wednesday, to note the availability of the automated work-around, and marked up the MS07-069 security bulletin of Dec. 11 to warn users of the problem.