Today we released an Out of Band security fix for Internet Explorer. This fix covers IE 6, 7 & 8 and it is a critical fix. We don’t release normal fixes Out of Band and we recognize how difficult it is for our partners and customers to react to a release like this, but we really needed to do it.
Here is the security article, please take a few minutes to review it:
The Microsoft Security Response Center (MSRC) site is another good site to keep up with:
Let me tell you a bit about this fix:
We had planned to release this fix on April 13th, during our normal cycle. One of the vulnerabilities we planned to patch on April 13th was publicly disclosed and it has now become an active exploit on the internet. We prefer private disclosure of vulnerabilities so the vendor in question (us this time) has time to patch the vulnerability. This time that didn’t happen and the malicious software writers have already crafted an exploit for this vulnerability.
The vulnerability being exploited does not impact IE 8 and Windows 7, but there are other fixes in this package that are critical for IE 8. As I mentioned, our plan was to release this fix on April 13th. This fix includes fixes to 10 vulnerabilities. Only one of those vulnerabilities is currently being exploited, and that exploit only impacts IE 6 & IE 7. This graphic does a great job of breaking down which vulnerabilities impact each version of IE.
* CVE-2010-0806 is the vulnerability that is currently being exploited.
This package of fixes is required for IE 6 and above and will require a reboot to complete the installation.
This fix can also be uninstalled if you have any concerns. Since it is a fix we were going to release in a few weeks, we’ve put a good amount of effort into testing it.
I am a firm believer in deploying patches like this. There is an active vulnerability that is taking advantage of people and computers; I will deploy the patch as soon as possible.
If you have problems with this patch, we will provide support to help you resolve the problem. If you’re thinking, “pick your poison”… Remember that we stand behind our software and patches and we will help resolve any issues you encounter. The malicious software writers are trying to exploit you and your information; we are trying to prevent that.
I’d like to point out the support section of this article:
- The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
- Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.
I know we all have better things to do right now, but patching this vulnerability now could prevent a lot of cleanup later. Please take the time to review this patch and deploy it as soon as you can.
I will be hosting a webcast Thursday, April 1, 2010 to discuss today’s release. Please join me and we will talk through this release and address any questions you may have.
Microsoft Security Advisory (981374): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Thursday, April 01, 2010
11:00:00 AM - 12:00:00 PM CDT
Until next time,