Microsoft said on Tuesday that it has released a new out-of-band cumulative update for Internet Explorer 6 and 7 users.
The update (MS10-018) fixes 10 flaws, with the most serious allowing remote attackers to execute arbitrary code. Microsoft said it accelerated testing of this update due to the growing attacks against a publicly disclosed vulnerability. Nine other flaws were disclosed privately to Microsoft by security researchers. The public vulnerability was rated "extremely critical" by security researchers Secunia. The out-of-band patch marks the second time this year that Microsoft has broken the monthly "Patch Tuesday" cycle that the software giant typically uses to release security updates.
In January this year Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. Both the French and German governments warned their populations to cease using Internet Explorer due to an unpatched flaw discovered in targeted attacks earlier this year. Google went public that it was targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property.
Microsoft stressed that the public flaw that this current out-of-band patch addresses does not affect Internet Explorer 8. Other flaws in the cumulative update do affect Internet Explorer 8 on Windows 7, so users will still be prompted to update to the latest patch. Jerry Bryant, Group Manager of Response Communications at Microsoft, explained that the company is also investigating a potential flaw in Internet Explorer 8 discovered at last week's "pwn2own" hacking competition. "We are still investigating that issue at this time so we do not have an update available," said Bryant. Pwn2own saw Internet Explorer 8, Firefox and Safari all fall victim to previously undisclosed vulnerabilities. Google's Chrome browser escaped untested.
Updated: Article edited to reflect that the public vulnerability does not affect IE8 but that other flaws in this combined update do.