"Several other vulns" as well?
Not to be too suspicious, but does this patch also contain code that should have gone out on the last (very small) patch day but was delayed?
A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday. The update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will …
With MS, anything that has 'Explorer' in it usually is part of the desktop environment.
To get it working you'll need to reboot back into the Explorer (Desktop) session that is always running.
How easy is it to make an Explorer window turn into IE?
They just love to have everything connected together.
I installed full-fat Outlook without Office once but it needed several DLLs from Office to do it.
The library in question, mshtml.dll (Trident), is the engine that is used by a bunch of apps that render HTML content (via shdocview.dll), not just Internet Explorer. It's not 100% certain that the file will be locked, but it is highly likely.
A shared HTML rendering library is not such a terrible idea; it's just that the implementation is horrible. Unfortunately, developers use it because it's easy to implement and it has zero cost, not because it's good or high quality. The nature of the vulnerability, a reference counting problem, is going to be very, very difficult to fix properly. This will not be the last update you see for this issue.
Cobbled is a strong word for MS's software. This implies they had a plan. What they actually did was throw a lot of code, theirs and competitors', into a box, shake it about a bit and out came an operating system. Then they did the same for Office, Sharepoint, SQL Server etc.
It explains all the exploitable holes.
/Mine's the one with the safe penguin in the pocket.
"Large parts of the web browser stuff aren't in the browser. This is why MS kept saying that you cannot remove all of IE and still have a functioning Windows system."
That's not quite true. Parts of Windows, e.g. Explorer, rely on features of IE to generate content, web folders and that sort of thing. Due to the lack of standards they couldn't rely on another default browser, e.g. FF, to provide those features, so removing IE would break features in Explorer amongst other things.
Yes, designed. Although in this instance I think it would be by the legal department instead of the marketing department. If they had allowed IE to continue to be an application isolated from the OS, it would have been a slam dunk win for Netscape way back at the Browser War Legal Debacle. So I am still of the opinion that they moved some of the functionality to the OS then successfully obfuscated the deception from the judge who heard the case.