Tomorrow, Microsoft will issue an out-of-cycle patch for a vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8, is not affected. The vulnerability allows remote code execution on the affected browsers.
According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:
Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.
Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.