Just in...
On Tuesday, March 30, 2010, Microsoft will be pushing out an emergency critical patch for Internet Explorer versions 6 and 7. The rollout should begin at around 11 AM Pacific Time.
All versions of Windows, starting with Windows 2000 through Vista, are vulnerable if you run versions 6 or 7 of Internet Explorer. IE 8 is not affected on any platform, as of this moment.
If you are still using IE 6 or 7 you should set your Windows Updates to Automatic tonight, and have the check time set to the equivalent of noon Pacific Time. If you choose to not run automatic Windows updates, please open your Internet Explorer browsers and go to Windows Update to fetch the patch manually.
It may or may not be required to update to the latest service pack for your version of Windows 2000, XP or Vista to receive this patch (afterward). You will find out when the equivalent of 11 AM rolls around for you tomorrow, or if you try to check for Windows Updates manually. If you must upgrade, do so, then keep checking for more Windows Updates until there are no more, including the new IE patch 981374.
The exploit in the wild is serious and is rated critical by Microsoft, meaning no user interaction is required for a system takeover if attacked.
Microsoft to issue out-of-band emergency IE patch on Mar. 30
Moderator: Wiz Feinberg
- Wiz Feinberg
- Posts: 6091
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- Contact:
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
-
- Posts: 6877
- Joined: 5 Jan 2005 1:01 am
- Location: Nanuet, NY
- Contact:
- Wiz Feinberg
If you use one of the affected versions of Windows you should get the patch anyway. The exploit code might still find a way into your system, especially if you use Outlook Express or Windows (Live) Mail as your email client. Both of those email clients use Internet Explorer's HTML engine to render and display HTML and rich text email messages. If you receive a spam message and accidentally open it and it contains the exploit code for IE 6 or 7, you could get pwned on the spot.
Bill McCloskey wrote: Good reason to use Firefox, like I do.
Really good reason to use Firefox on a mac.
- Wiz Feinberg
It appears that IE 5.01 on Windows 2000 with SP4 is also affected by the vulnerability being patched on March 30. Further reading seems to implicate IE 8 as well. My advice is no matter which version of IE and Windows you are using, check for updates on the afternoon of March 30, 2010. You never know what last-minute code changes they will toss in!
- Wiz Feinberg
As I suspected, the out-of-band patch of March 30 included fixes for Internet Explorer 8.0, on all consumer versions of Windows. This includes Windows 7!
As I told one member, even if you browse the net with a non-Microsoft browser, the underlying vulnerability still exists in the operating system. If you use any Microsoft program that uses Internet Explorer's HTML engine to render layouts, you are still at risk of exploitation. This includes Outlook Express and Windows Live Mail.
The patch has been released, so make sure you apply it. A reboot is required, so save any work in progress.
- John Cipriano
- Posts: 449
- Joined: 13 Jun 2008 8:23 pm
- Location: San Francisco