
Subject: Re: Microsoft Security Bulletin MS04-038 - Cumulative Security Update for Internet Explorer (834707)
Date: Fri, 15 Oct 2004 09:49:47 -0400
The caveat in MS04-038 has caused some confusion. It states:

"This update may not include hotfixes that have been released since the release 
of MS04-004 or MS04-025. Customers who have received hotfixes from Microsoft or 
from their support providers since the release of MS04-004 or MS04-025 should 
review the FAQ section for this update to determine how this update might 
affect their operating systems."

and

"When you install one or more of the MS04-038 security updates for Internet 
Explorer 6 SP1, Internet Explorer hotfixes released since MS04-004 will be 
removed if the hotfix replaced one or more of the files listed in the "Security 
Update Information" section of Microsoft security bulletin MS04-038."

This led some to wonder if MS04-038 was truly cumulative. Here's my best 
explanation, hopefully in line with information I received from MSRC.

After MS04-004 was released, it seems that the IE Team started approaching 
security fixes from the perspective that code does not change. IOWs, when they 
started working on the next cumulative security update for IE after MS04-004 
(those released in MS04-025), they ignored other (non-security) fixes for IE 
that may have been released after MS04-004.

QFE Hotfixes (other fixes) are often released to address non-security issues 
between Service Packs. Historically, they aren't fully regression tested and 
often require you to contact Microsoft PSS to obtain them (so PSS can ensure it 
truly addresses the problem you have.) Eventually everyone gets them as part of 
the next Service Pack.

By freezing the code at MS04-004, the IE Team might be able to have better beta 
testing done on the next cumulative security update for IE, or, can at least 
provide different discoverers with consistent code to test to verify the 
security issue is resolved. When a QFE is done, it is typically done with 
whatever the latest build of the component happens to be, so it may or may not 
include security fixes that are being worked on.

So when it comes time to release the cumulative security update for IE, there 
now might be two (or more) versions of some/many components. Since the QFE 
Hotfixes aren't necessarily fully supported, and the security fixes are, it 
seems the IE Team have decided to simultaneously release two Updates.

- The Cumulative Security Update for IE contains only the security fixes since 
the last cumulative update.

- The Update Rollup for IE contains both the security fixes, and all QFE 
Hotfixes which were released.

You don't need to apply both, either will suffice from a security perspective 
as both contain all of the security fixes to date. If you didn't need a QFE 
Hotfix, then you don't need the Update Rollup for IE.

Windows Update and Automatic Updates offer up the Cumulative Security Update 
for IE, the Update Rollup for IE can only be obtained via the Download Center.

As such, clients which have obtained QFE Hotfixes since MS04-004 and got 
MS04-025 or MS04-038 via WU/AU (or any distribution derived from those sites) 
may now demonstrate the problems that the QFE Hotfix corrected. Such systems 
need the Update Rollup for IE.

I hope this clears things up somewhat. You'd think that Microsoft could build 
this into detection methods used by WU/AU/SUS so that it wouldn't be an issue 
(iows, you have a QFE Hotfix version of some IE component, so give you the 
Update Rollup instead of the Cumulative Security Update), but alas, not yet. We 
can hope it may be part of a future enhancement.

Cheers,
Russ - Senior Scientist/NTBugtraq Editor
TruSecure Corporation
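The post wishes that WU/AU could look at which build of an IE component is installed and offer the Update Rollup instead of the Cumulative Security Update when a QFE Hotfix is present. The script below is an added illustration of that decision logic, written for this page; it is not Russ's code, not Microsoft's detection logic, and the file names and version numbers in it are constructed samples rather than the real MS04-038 file manifest. It assumes an inventory of installed file versions has already been collected (for example from the file properties of the DLLs in the system directory) and applies the rule the post describes: a component at an older build than the security update needs the Cumulative Security Update; a component at a newer build than the security update is a hotfix build that the cumulative update would replace, so the Update Rollup is the right package for that machine.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the files a cumulative security update for IE would replace,
# with the file versions it ships. These are NOT the real MS04-038 values.
SECURITY_UPDATE_FILES: dict[str, str] = {
    "mshtml.dll": "6.0.2800.1400",
    "shdocvw.dll": "6.0.2800.1400",
    "urlmon.dll": "6.0.2800.1400",
    "wininet.dll": "6.0.2800.1400",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.0.2800.1400' into (6, 0, 2800, 1400) so builds compare numerically,
    not as strings (where '6.0.2800.999' would sort after '6.0.2800.1400')."""
    return tuple(int(part) for part in text.strip().split("."))


def classify(installed: str, security: str) -> str:
    """Compare one installed component against the build the security update ships."""
    iv, sv = parse_version(installed), parse_version(security)
    if iv < sv:
        return "older"          # does not yet carry the security fix
    if iv == sv:
        return "security_level"  # exactly the cumulative security update's build
    return "hotfix_build"       # newer than the security build: a QFE hotfix is installed


@dataclass
class Recommendation:
    package: Optional[str]                    # which update to install, or None
    needs_update: bool
    missing_fix: list[str] = field(default_factory=list)   # files older than the security build
    hotfix_build: list[str] = field(default_factory=list)  # files the cumulative update would roll back


def recommend(installed_files: dict[str, str],
              security_files: dict[str, str] = SECURITY_UPDATE_FILES) -> Recommendation:
    """Decide between the Cumulative Security Update and the Update Rollup.

    A hotfix build is built from whatever the latest code happened to be, so a
    higher version number cannot be taken as proof that it contains the security
    fix. Any hotfix build therefore sends the machine to the Update Rollup, which
    carries both the security fixes and the QFE fixes.
    """
    missing: list[str] = []
    hotfix: list[str] = []
    for name, sec_version in security_files.items():
        installed = installed_files.get(name)
        if installed is None:
            continue  # component not present; the update has nothing to replace
        state = classify(installed, sec_version)
        if state == "older":
            missing.append(name)
        elif state == "hotfix_build":
            hotfix.append(name)

    if hotfix:
        return Recommendation("Update Rollup for IE", True, missing, hotfix)
    if missing:
        return Recommendation("Cumulative Security Update for IE", True, missing, hotfix)
    return Recommendation(None, False, missing, hotfix)


# Constructed sample inventory: one component sits on a hotfix build.
SAMPLE_INVENTORY: dict[str, str] = {
    "mshtml.dll": "6.0.2800.1400",
    "shdocvw.dll": "6.0.2800.1400",
    "urlmon.dll": "6.0.2800.1423",   # QFE hotfix build newer than the security build
    "wininet.dll": "6.0.2800.1106",  # older than the security build
}

if __name__ == "__main__":
    rec = recommend(SAMPLE_INVENTORY)
    print(f"package: {rec.package}")
    print(f"missing security build: {rec.missing_fix}")
    print(f"hotfix builds the cumulative update would replace: {rec.hotfix_build}")
```

The `hotfix_build` list is the practical output: it names exactly the files the quoted caveat warns will be "removed" if the Cumulative Security Update is applied on top of a QFE Hotfix, which is what an administrator would want to know before pushing MS04-038 through WU/AU or SUS to a machine that has received hotfixes from PSS.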
