Microsoft's latest security patch for Internet Explorer causes the web browser to crash when viewing pages that contain a certain VBScript directive, several IE users found. Microsoft has acknowledged the problem and says website administrators will need to take action.
"This issue does not pose a security threat to users. This issue affects stability. Normal operation can be restored by restarting IE," Microsoft said in a statement on Friday.
"Microsoft Product Support Services has been working with customers to implement a workaround that addresses a problem in which patched IE browsers could crash when viewing certain pages containing a specific VBScript directive."
The way to fix the problem in the short term will be to tweak the coding on Web pages that contain this directive, called the execScript directive, Microsoft said. However, Microsoft is working on an updated patch, but does not know when that will be released.
In postings to Microsoft's discussion groups, users had earlier pinpointed the execScript directive as the culprit.
"The workaround is one that site operators would implement on their ASP (active server page) pages. End-users need not do anything," Microsoft said, adding that a Knowledgebase article explaining the issue and the workaround procedure will be posted on www.microsoft.com shortly.
One Dutch IE user told the us that his patched Web browser crashed when accessing the Web JetAdmin remote management tool HP printers.
"Sadly, the patch removes functionality in IE. I installed the patch on my IE 5.0 system, but removed it immediately by installing a complete new version of IE 6.0. The HP administrator page on our LAN did not work on the patched system, but did work on unpatched systems," said Jean van Laarhoven, systems manager for a part of Amsterdam's city government.
A spokeswoman for DoubleClick said the internet advertising company had advised its customers in an email not to install Microsoft's patch. DoubleClick's ad management system is accessed through the web and relies on scripting. Two European DoubleClick users, who asked not to be named, confirmed that IE crashed when they tried to access the DoubleClick system after patching their browser.
Microsoft released the 'cumulative' patch that fixes six holes in IE versions 5.01, 5.5 and 6.0 last week. The software maker gave the patch a 'critical' rating and urged all users to install it immediately. The set of patches fixes holes that could allow an attacker to take control of a user's computer.