Microsoft will issue an emergency out-of-band patch for Internet Explorer 6 and 7 today, protecting users against vulnerability that hackers are now actively exploiting. The flaw is only present in those two versions of Microsoft's browser, however, and doesn't affect IE 8, the most recent (and, according to Microsoft, most secure) version of IE. However, the patch will include other fixes, including some for IE 8.
"We recommend that customers install the update as soon as it is available," a Microsoft statement reads. "We have been monitoring this issue and have determined an out-of-band release is needed to protect customers."
Microsoft began investigating this flaw earlier in March, but now that hackers have begun exploiting it, the company decided to issue a patch immediately rather than wait for its regularly schedule monthly security patch release. The next such release is set for next week, and will include nine unrelated updates. (Some of which also apply to IE 8.) Given the timing of the next scheduled update, the danger level must be high for Microsoft to deliver an out-of-band update just days earlier.
This week's emergency patch marks the second time this year that Microsoft has had to deliver an out-of-band security patch. The first occurred in January, when the software giant shipped a patch for various IE versions. That patch was apparently used in the Chinese Google hack, according to sources.
In related news, IE 8 was among the browsers hacked during the annual Pwn2Own hacking contest last week. And while IE 8 was hardly alone—every major browser was hacked, as was Mac OS X Snow Leopard and the iPhone—Microsoft provided some perspective via a blog post.
"Defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability," a post on the IE blog reads. "Internet Explorer 8 on Windows 7 helps protect users with all of these defense in depth features, and there is nothing that you have to do to enable them—they're on by default. That's one of the reasons why we encourage users to make sure they're running the latest and most up-to-date software."
