It has been widely reported that Mike Nash is stepping down as Corporate Vice President of Microsoft’s Security Technology Unit. Heck, even Mike’s own bio on Microsoft.com speaks of his position in the past-tense. Well… to everyone’s surprise, Mike took center stage and posted to the MSRC blog yesterday regarding the upcoming IE update. At the end of his post Mike offered up his e-mail address for any feedback or questions. Given the fact that I’ve devoted most of my time over the last few weeks to the upcoming IE ActiveX changes, and the fact that I still had unanswered questions, I figured I’d drop him a line.
Guess what? He replied to my e-mail within a couple hours and answered all my questions! I guess he must have some extra time on his hands now that he’s a “short-timer” ;) But seriously – thanks Mike! I appreciate the prompt response and helpful information. Mike also gave me permission to share this info with the community.
Here’s the skinny on my questions, and Mike’s answers:
Question: What is the delivery mechanism for the 60–day “reprieve patch” that allows customers to keep IE ActiveX functionality as-is? Note: Mike refers to this as a compatibility patch.
Answer: The compatibility patch will be available to any customer who wants it from the download center. Customers that want it need to install it on top of the April security updates.
Question: Will the compatibility patch be available via WSUS or Microsoft/Windows Update?
Answer: No, it will be a manual download from the Download Center.
Additional Info from Mike: Once the compatibility patch is deployed, you will be able to disable it using a feature key. This will enable someone who deployed the compatibility patch to go to the new behavior even if they deployed the compatibility patch.
Note: What Mike doesn’t mention, but is documented elsewhere on Microsoft.com, is that the compatibility patch will be overwritten by the June IE Cumulative Rollup. So when he talks about disabling the compatibility patch with a feature key – he’s only referring to those customers who want to disable the compatibility patch during the 60–day window between April 11 and June Patch Tuesday.
So there you have it, folks. If you are paying special attention to the next IE rollup like I am, this should help you plan your deployment strategy. And if anyone out there is asking “why should I care?” – check out KB912945 for a list of applications that have issues with the new ActiveX behavior. The show-stopper for most people is Siebel. My current client relies on Siebel for day-to-day operations. As of today, Siebel still doesn’t have a patch for their ActiveX controls to make them compatible with the KB912945 update. They have promised a patch in the May/June timeframe, but that will be cutting it close (remember, we need time to test, test, test). Bottom line – if Microsoft hadn’t stepped up and offered the “reprieve patch”, 3.7 million Siebel customers would have had to choose between a crippled Siebel client, or a vulnerable browser. Not exactly a win-win situation. As it is now, we’ll all have 60 more days to hammer on our internal developers and 3rd party software providers to get compliant with the changes in KB912945. Siebel, are you listening?