Microsoft on Monday took the rare step of fixing a critical security flaw in various versions of its Internet Explorer (IE) web browser outside of its normal monthly security patch cycle. It did so because of the potential for more customers to be hit by attacks exploiting the flaw.
So far, the flaw—which impacts IE 6, 7, and 8—has seen only “limited exploits in the wild,” according to Microsoft.
“We released a security update to fully address the issue described by Security Advisory 2794220,” Microsoft Trustworthy Computing Group Manager Dustin Childs said. “While the impact has been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled.”
Microsoft previously released a manual FixIt for the flaw. Customers who applied the FixIt do not need to install the recently released fix. Likewise, those with IE 9 or 10 are not affected by this flaw.
If you're using an affected browser and haven't installed the FixIt, the new fix is available via Windows Update and will be installed automatically for the majority of customers who have enabled automatic updating. Microsoft nevertheless recommends that all affected customers install the fix immediately. Alternatively, customers using Windows Vista and later can upgrade to IE 9 or 10.
For more information about the flaw and Microsoft’s fix, please refer to the Microsoft Security Response Center blog. For other news about IE attacks, see "Microsoft Warns of Attacks on Older IE Versions" and "Microsoft patches IE Zero Day Flaw in Record Time . . . and Is Criticized for It" (September 2012).