April 1, 2010

Emergency Patch for IE 6, 7, 8 released

Today we released MS10-018 out-of-band due to increases in attacks against Internet Explorer 6 and Internet Explorer 7 using the vulnerability discussed in Security Advisory 981374. I want to reiterate that Internet Explorer 8 is not affected by this issue so customers using this version are not affected by these attacks and we continue to encourage customers to upgrade to the newer version because it provides more security and protection.

MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April. The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities.

I clarify this in the following video:

listening and viewing options:

Note: Internet Explorer 6 and 7 are the only versions affected by the active attacks, why does the Advance Notification page state that Internet Explorer 8 and Windows 7 are affected? To clarify, the Security Advisory was released due to one vulnerability that is under active attack. That vulnerability only affects Internet Explorer 6 and 7. However, the bulletin, MS10-018, that we will release tomorrow, addresses 9 additional vulnerabilities. Some of those also affect Internet Explorer 8. All of the 9 additional vulnerabilities were responsibly disclosed and we are not aware of any active attacks against them.

The Microsoft Security Response Center (MSRC)

No comments: