Microsoft automates IE crash snafu workaround

IE6 crashes only on Windows XP SP2 systems that had hot fixes applied earlier, company says

Microsoft posted an automated fix Thursday for a week-old crippling problem with Internet Explorer, replacing a registry hack it had offered Wednesday.

The new 476KB workaround can be downloaded manually from Microsoft's Web site, and will be pushed to users via Windows Update as well, according to the company.

"It has also been made available via Windows Update and Automatic Update for all Internet Explorer 6 customers on Windows XP Service Pack 2," said Kieron Shorrock, the IE program manager at Microsoft's Security Response Center, in an entry on the center's blog yesterday.

The workaround came more than a week after users installed Security Update MS07-069 on December 11, and immediately began reporting that they were unable to connect to the Internet with IE or that the browser kept crashing. MS07-069, one of seven bulletins issued that day, fixed four critical vulnerabilities in IE 5.01, IE6 and IE7.

On Wednesday, Microsoft acknowledged the problem and posted workaround instructions that required users to edit the Windows registry, a chore beyond most users. That drew immediate cries from people posting comments on the IE development team's blog, who demanded that Microsoft issue an easier-to-deploy fix, or better yet, simply rerelease the MS07-069 bulletin.

Microsoft has also provided more clues about why some users' browsers have crashed repeatedly while others have reported no troubles.

When asked to clarify a statement by Shorrock on Wednesday that the issue appeared only on "a customized installation" of IE6, a company spokesman said that only PCs that had previously had a hot fix obtained directly from Microsoft were affected. "Customers who use [quick fix engineering] Binary are affected by the issue in Knowledge Base Article 942615," the spokesman said. "The QFE binary tree is used by those who have previously received a hot fix directly from Microsoft."

One IT administrator applauded the workaround replacement. "This seems better if they can deliver it through Windows Update," said Harold Decker, operations manager at San Diego-based Gold Peak Industries NA, who oversees 35 Windows XP SP2 machines. Even so, Decker said Microsoft needed to take the next logical step and reissue MS07-069.

"I'm surprised that the update has not been reissued by Microsoft with a fix included, especially when the solution only requires a single registry entry," he said. "We can get this workaround deployed fairly easily, but the average home user does not stand a chance."

Decker put a stop to IE6 updates last week after nearly 40% of the Gold Peak computers that had received the security patches began having trouble connecting to the Internet or reaching certain Web sites.

Microsoft has also revised the pertinent support document, originally posted Wednesday, to note the availability of the automated workaround, and marked up the MS07-069 security bulletin of December 11 to warn users of the problem.