Description: This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Keep reading →

When you deploy the IE ACA update, it disables the “Click to activate” behavior of the Internet Explorer ActiveX update that is contained in update KB942615. The other security updates that are contained in update KB942615 are still present and are still functional.

We strongly recommend that you deploy this IE ACA update only to computers for testing before the “Click to activate” behavior is permanently removed in the Internet Explorer cumulative update that is planned for April 2008. Removing the “Click to activate” behavior from Internet Explorer will require no changes to existing Web pages. Additionally, the removal of this behavior will not require new actions for developers to create new pages. All pages that previously required the “Click to activate” behaviorwill no longer require that the user manually enables an ActiveX control. ActiveX controls will continue to function as they did before this change was made to the “Click to activate” behavior.

Consider the following scenario:

• In Windows Media Player, you enable the Use proxy settings of the Web browser option. (This is the default setting.)
• Your installation of Windows Internet Explorer uses a proxy server to access certain types of URLs.
  In this scenario, Windows Media Player does not use a proxy server as expected to access the same types of URLs. Therefore, Windows Media Player cannot load the content from these types of URLs.

  For example, in Internet Explorer, you add *.server to the Exceptions list in the Proxy Settings dialog box. However, Windows Media Player may unexpectedly bypass Web sites whose URLs contain the following:

  *.server*
  *.server.*

  When Internet Explorer accesses these URLs, it uses the proxy server as expected.

When a Microsoft Visual Basic 6.0 modal form is displayed from a Microsoft ActiveX control in Windows Internet Explorer 7, you can still interact with Internet Explorer 7. This problem occurs when Internet Explorer 7 is in theater mode.

On a computer that has Internet Explorer 7 installed, you click a hyperlink that links to an Internet shortcut file. Then, you save the shortcut file to the local disk. When you double-click the shortcut file, you cannot open the file. Additionally, you receive an error message that resembles the following:

Problem with Shortcut
The target “” of this Internet Shortcut is not valid. Go to the Internet Shortcut property sheet and make sure the target is correct.

If you examine the properties of the Internet shortcut file when this problem occurs, the Type of file field indicates that the file type is Internet Shortcut (.url). However, the Web Document tab may disappear. Also, on the Details tab, the URL string may disappear.

You are using a proxy script to determine the proxy server settings for a connection in Windows Internet Explorer 7, Microsoft Internet Explorer 6 Service Pack 2 (SP2), or Internet Explorer 6 Service Pack 1 (SP1). However, after the proxy script is downloaded from the server, the proxy server settings in Internet Explorer are not set correctly. You may have to manually configure the proxy server settings.

Consider the following scenario:

• You are running Windows Internet Explorer 7 on a Windows-based computer.
• In a workgroup environment, you use Group Policy to disable the Turn on automatic detection of the intranet setting and to enable the Intranet Sites: Include all local (intranet) sites not listed in other zones setting.
• You use Internet Explorer 7 to access a local intranet site.

In this scenario, the local site is displayed through the Internet zone instead of through the “Local intranet” zone as expected.

Consider the following scenario:

• On a computer that has Internet Explorer 7 installed, you apply the Internet Explorer Maintenance Group Policy settings to add a pop-up blocker exception site.
• In the Internet Options dialog box, you manually add a new pop-up blocker exception site.
• You reapply the Group Policy settings on the computer.

In this scenario, you the new pop-up blocker exception site that you manually added in the Internet Options dialog box is missing from this dialog box.

Note: This problem does not occur on computers that have Internet Explorer 6 installed.

Description: This critical security update resolves three privately reported and one publicly reported vulnerabilities. The most serious of the vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles HTML and validates data, as well as by setting the kill bit for an ActiveX control . Keep reading →

You develop a Web page that throws an exception from a function. The function is called through the expando property of a DHTML object. When you use Windows Internet Explorer 7 to view the Web page, the exception handler may not catch this exception.

Note: This problem also occurs in Windows Internet Explorer 6 when at least one parameter is passed to the function from which the exception is thrown. To work around this problem in Internet Explorer 6, see the “Workaround” section.