Last week, Microsoft released a security update for Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01 that eliminates three security vulnerabilities, all of which might let a malicious user read browser-compatible local files or run a program stored on the local system. The update closes a loophole in how the browser manages Portable Network Graphics (.png) files, corrects a problem with encoded characters in a URL, and implements a more rigorous security check on how the browser handles objects. The cumulative rollup supersedes all previously released IE security updates, including the previous cumulative security rollup, MS02-047 (Cumulative Patch for Internet Explorer), which Microsoft released on August 27. The update also includes security fix MS02-022 (Unchecked Buffer in MSN Chat Control Can Lead to Code Execution).

If you don't visit the Microsoft Windows Update site regularly, you can manually download the most recent rollup. This download file updates IE on all supported platforms, including Windows XP Service Pack 1 (SP1), Windows 2000 SP3, Windows NT SP6a, Windows Me, and Windows 98. The following guidelines will help ensure that the update installs successfully:

  • Apply the update directly to systems running IE 6.0 SP1 and IE 6.0.
  • Upgrade IE 5.5 to SP2 before installing the rollup.
  • To upgrade IE 5.01 on Win2K systems, you must first apply Win2K SP3.
  • To update XP systems, you must interactively install this update from the command line or by using Windows Explorer. The installation fails if you use the Task Scheduler, Microsoft Systems Management Server (SMS), or a third-party update utility.

To start the installation, type

q328970.exe

at a command prompt or double-click the download file in Windows Explorer. Reboot the system to complete installation.

SMB-Related Bug Fixes
Microsoft has corrected two blue-screen problems and a backup file corruption problem that occur in the mrxsmb.sys and rdbss.sys components that implement the Server Message Block (SMB) protocol. For information about the ongoing concerns with these two components, see "The Ever-Morphing Mrxsmb". The most recent patches eliminate an rdbss.sys blue screen with a stop code of 0xA. (For information about this problem, see the Microsoft article "Rdbss.sys May Cause STOP 0xA Error".) The patches also eliminate an mrxsmb.sys blue screen with a stop code of 0xCE that might occur during system shutdown. (For more information, see the Microsoft article "You Receive a 'Stop 0x000000CE' Error Message During Shutdown".) The reference documentation makes no comment about the frequency of the blue screens. This patch also corrects a file-truncation problem that occurs when you back up files larger than 4GB to an EMC CLARiiON IP4700 device. (See the Microsoft article "Files Larger Than 4 GB Are Truncated During a Restore If an EMC Device Is Used" for more information about this file-truncation problem.) The most current version of both components is 5.0.2195.6114, and both files have a release date of November 5, 2002. This fix is available directly from Microsoft Product Support Services (PSS).

Domain Name Bug Fix for Win2K Servers
If I'm correctly interpreting the Microsoft article "Windows 2000-Based Servers May Not Set the DNS Domain Name After You Upgrade a Domain", Microsoft just released a bug fix that correctly sets the DNS domain name, and presumably the DNS suffix in Network Identification, when you upgrade servers to Win2K and when you upgrade a legacy domain to Active Directory (AD). When you upgrade a server from Windows NT to Win2K and direct it to join a domain, setup might not define the domain name or the DNS suffix (the suffix field is often empty). This omission causes many problems, including name resolution concerns and the inability to receive a Kerberos ticket, and prevents newly upgraded servers from joining a Win2K domain. On a standalone server, you correct the problem by manually typing in the domain name and DNS suffix and rebooting. To correct this problem on a Win2K domain controller (DC), you need to demote the DC to a server, manually change the domain name and DNS suffix, reboot, promote the system to a DC, and reboot again—a lot of unnecessary steps to correct a simple omission in the Win2K setup utility. If you're still upgrading old servers, you can apply the bug fix that correctly sets the DNS domain. According to the article, the fix contains 24 files, most of which have a file release date of September 30. You can obtain this update only from Microsoft Product Support Services (PSS).