Microsoft today released a rare patch outside of its normal monthly update cycle to fix an under-attack zero-day security hole in Internet Explorer.
The high-profile attacks against Google, Adobe and other companies took advantage of the invalid pointer reference flaw, which could allow an attack to be launched from a malicious Web site. According to Redmond’s security advisory, “compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
The cumulative MS10-002 update also fixes other IE holes aside from that used in the Google attack, and is rated critical for all supported releases of Internet Explorer. The update will be distributed automaticaly via Windows Update.
While MS10-002 is essential across-the-board, only IE 6 has so far suffered attacks against the invalid pointer reference flaw. Microsoft says that protections such as Data Execution Protection for IE 8 and Protected Mode for IE on Vista and later Windows versions mitigate the threat. Also, “all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, removing the risk of an attacker being able to use this vulnerability to execute malicious code,” according to the advisory.
These attention-grabbing attacks make clear that nobody should be using the badly vulnerable IE 6. If you’re stuck using it at work because of an old, custom-made internal Web site or application, then your best bet may be to only use IE for that page or site, and use another browser such as Firefox for your everyday browsing.