Today a security update is being released out-of-band to address a known and recently exploited vulnerability in Internet Explorer 6 and Internet Explorer 7. (See the MSRC Blog for more information about the advanced notification.)
“The vulnerability used in these attacks, along with workarounds, is described in Microsoft Security Advisory 981374. The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.”
The good news: the most current version of Internet Explorer, IE 8, and Windows 7 are not affected by the exploit we’re addressing here. However, the cumulative update does include fixes for other less-critical issues, including some in IE 8. Apparently the IE team was able to sufficiently test fixes that would otherwise have waited for the April 13th “Patch Tuesday” updates, so they were able to add them this time.
More good news: If you’re running any of our antivirus products such as Microsoft Security Essentials or Microsoft Forefront Client Security, and have the most up-to-date definitions installed, you’ll also be protected.
Microsoft is hosting a webcast today (March 30, 2010) at 1:00 PM Pacific Time (US & Canada) to address customer questions on the out-of-band security bulletin.
Register now for the March 30, 1:00 PM webcast. After this date, this webcast will be available on-demand.
For more information, see Microsoft Security Bulletin Summaries and Webcasts.
“But how do I get these updates, Kevin? Just give me the link!”
At the time of this writing, the updates aren’t available. They should be available in about a half-hour from now. I’ll update this post when I see it go live.
UPDATE: Here is the security bulletin page that just went live: MS10-018
Microsoft recommends that you use Windows Update (http://windowsupdate.microsoft.com) or WSUS, or allow your PCs to update automatically. Alternatively, use whatever other update distribution mechanism you already have in place (such as SCCM).
If you simply want to download the update packages and install or deploy them manually, you can get them at the Microsoft Update Catalog: http://catalog.update.microsoft.com/v7/site/Home.aspx