Hi Everyone,

Microsoft have just released advanced notice of an “out-of-band” security patch for all mainstream versions of Internet Explorer (IE) to patch a critical security flaw.  The patch will be released 17th December 2008 in the US, so we will see it released overnight.  The vulnerability was identified almost a week ago.

The details of the security hole are limited at present, but in simple terms it may allow an attacker to highjack your workstation using an exploited website. The infected website may be a legitimate website that has been compromised and early reports from researchers have found 6000 infected websites.  Microsoft will publish further details tomorrow as part of the patch release. 

Anytime Microsoft releases an out-of-band patch means that the issue is serious enough that it cannot wait until the next scheduled “Patch Tuesday” on the first Tuesday of each month. Based on this, I highly recommend that when you see the patch available messages tomorrow on your systems, that you apply the patch as soon as practical and encourage your users to do the same. As the flaw only affects IE, servers can probably be scheduled for a quiet time if they are not used for accessing the Internet very often.

Cheers.