Emergency IE Patch Fixes Zero-Day Flaw

A growing number of attacks against an Internet Explorer security flaw prompted Microsoft to publish an early fix that wasn't scheduled to come out until April.

IE 8 is safe from the flaw under attack, which affects IE 6 and 7, but today's cumulative MS10-018 patch also closes eight other bugs. Some of those bugs affect IE 8 as well, making this a critical patch for nearly every combination of Windows and IE. Only Windows Server 2003 with IE 6 or IE 8 and Windows Server 2008 with IE 8 are rated important or moderate; all other combinations are rated critical. See Microsoft's security bulletin for details.

The zero-day flaw was first disclosed earlier this month when it was being hit by targeted attacks, according to Microsoft. Since then, the company has seen "increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability." The flaw can be hit by malicious code on a poisoned Web site, and allows an attacker to run any command on a victim PC.

To pick up the patch, run Windows Update. And for more details, see the MSRC blog post.
