Microsoft has released an out-of-band security update (MS09-034) to fix remote code execution vulnerabilities in Internet Explorer.
This security update is rated Critical for the following versions of Internet Explorer:
- Internet Explorer 5.01, running on supported editions of Microsoft Windows 2000
- Internet Explorer 6 SP1, running on supported editions of Microsoft Windows 2000 and Windows XP
- Internet Explorer 7, running on supported editions of Windows XP and Vista
- Internet Explorer 8, running on supported editions of Windows XP and Vista
- Internet Explorer 8, running on Windows 7 Release Candidate (build 7100)
The update resolves three privately reported vulnerabilities in Internet Explorer. Each could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, so exploitation needs no more than a visit to an attacker-controlled or compromised site. The update addresses them by changing the way Internet Explorer handles objects in memory and table operations.
The update also adds defense-in-depth changes in Internet Explorer for components and controls (ActiveX controls, for example) built with vulnerable versions of the Active Template Library (ATL). These changes only mitigate known attack vectors through the browser; they do not fix the controls themselves. Microsoft is therefore advising developers who built controls with vulnerable versions of ATL to act immediately: review the controls and identify any vulnerabilities, modify and recompile them with the updated versions of ATL, and distribute the non-vulnerable versions to their customers.
Details for two of the three vulnerabilities are available under CVE-2009-1918 and CVE-2009-1919.
Internet Explorer 8 on Windows 7 RTM is not affected by this bulletin: according to a Microsoft spokesperson, the Internet Explorer defense-in-depth mechanism is already built into Windows 7 RTM. Windows 7 Release Candidate (build 7100) is affected and will receive the update as KB972260. Updates for Windows 2000, XP and Vista will be distributed through Windows Update shortly.
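Once the update reaches Windows Update, an administrator will still want to confirm it actually landed on each machine. The PowerShell script below is an added example, not part of the original article and not Microsoft's code: it queries Win32_QuickFixEngineering on each host in a constructed list and reports whether KB972260 is present. The host names are placeholders; the wildcard on the hotfix ID is an assumption that Internet Explorer updates on Windows XP are listed with a browser suffix (for example KB972260-IE8), and the build-number handling follows the article (build 7100 is the affected Release Candidate, later Windows 7 builds are RTM and not affected).

```powershell
# Added example (not from the article): check a list of hosts for MS09-034 (KB972260).
# Host names are placeholders; replace with your own inventory.
$hosts = @('localhost')   # constructed list; add remote hosts such as 'ws-xp-01', 'ws-vista-02'

function Test-MS09034 {
    param([string]$ComputerName)

    $os    = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $build = [int]$os.BuildNumber

    if ($build -gt 7100) {
        # Per the bulletin, Windows 7 RTM already carries the defense-in-depth change.
        $status = 'Not affected (Windows 7 RTM)'
    } else {
        # Wildcard match: assumption that XP lists IE hotfixes with a suffix, e.g. KB972260-IE8.
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
               Where-Object { $_.HotFixID -like 'KB972260*' }

        if ($qfe) {
            $ids    = ($qfe | ForEach-Object { $_.HotFixID }) -join ', '
            $status = "Installed ($ids)"
        } else {
            $status = 'MISSING'
        }
    }

    # New-Object/-Property keeps this usable on PowerShell 2.0, the version current for XP/Vista.
    New-Object PSObject -Property @{ Computer = $ComputerName; Build = $build; Status = $status }
}

$hosts | ForEach-Object { Test-MS09034 -ComputerName $_ } |
    Select-Object Computer, Build, Status | Format-Table -AutoSize
```

Run it from an account with WMI access to the remote hosts; any host reported as MISSING with a build of 7100 or lower still needs the update, and should be treated as exposed to the drive-by vectors described above until it is applied.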