Out Of Band Internet Explorer Security Update

Microsoft’s Security Response team just announced that they will be publishing an out of band cumulative update for Internet Explorer due to a publicly disclosed security vulnerability that is affecting Internet Explorer 6 and Internet Explorer 7. The team notes that Internet Explorer 8 installations are not affected by the security vulnerability and that the security update will be released on March 30 at approximately 10:00 a.m. PDT.

The update for Internet Explorer will be provided through Windows Updates or from the usual Microsoft sites where updates can be downloaded manually. The reason for the out of band update is Microsoft’s monitoring of the vulnerability which seemed to have uncovered an increased exploitation of the security vulnerability.

The update for Internet Explorer is cumulative as it contains nine additional vulnerability fixes that all were supposed to be released on Microsoft’s monthly patch Tuesday on April 13.



The main impact of the vulnerability is remote code execution:

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Admins and users who still run systems with Internet Explorer 6 or 7 are encouraged to update their systems as soon as the update is released by Microsoft to protect the system from being successfully compromised.

source : http://www.ghacks.net/2010/03/29/out-of-band-internet-explorer-security-update/