Today, we released MS11-050, a cumulative security update for Internet Explorer to address several vulnerabilities in IE9.
The following table lists the CVEs included in MS11-050, and whether each affects IE8 or IE9.
CVE | Rating | IE8 | IE9 |
---|---|---|---|
CVE-2011-1246 | Moderate | Yes | No |
CVE-2011-1258 | Moderate | Yes | No |
CVE-2011-1252 | Important | Yes | No |
CVE-2011-1256 | Important | Yes | No |
CVE-2011-1255 | Critical | Yes | No |
CVE-2011-1254 | Critical | Yes | No |
CVE-2011-1251 | Critical | Yes | No |
CVE-2011-1250 | Critical | Yes | Yes |
CVE-2011-1260 | Critical | Yes | Yes |
CVE-2011-1261 | Critical | Yes | Yes |
CVE-2011-1262 | Critical | Yes | Yes |

As shown above, only a small fraction of the vulnerabilities affecting IE8 (and earlier versions of the browser) still affect IE9. This is due to various factors related to security work that happened in IE8, ranging from deprecating obsolete features to improving fuzzing tests in IE9, and so on. For example, CVE-2011-1255 is related to HTML+TIME, which was deprecated during IE9 development.
There are many beautiful things in IE9. Besides all these wonderful new features, we also recommend that you update to IE9, if you can, for security. :)
Chengyun Chu, MSRC Engineering