Microsoft releases out-of-cycle IE security patch

Microsoft released a cumulative security update which resolves nine privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated critical for all supported releases of Internet Explorer:

• Internet Explorer 5.01
• Internet Explorer 6 SP1
• Internet Explorer 6 on Windows clients
• Internet Explorer 7
• Internet Explorer 8 on Windows clients.

For Internet Explorer 6 on Windows servers, this update is rated Important. And for Internet Explorer 8 on Windows servers, this update is rated Moderate.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer verifies the origin of scripts and handles objects in memory, content using encoding strings, and long URL.

Wolfgang Kandek, CTO of Qualys, comments: “If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week.”