First published: 30th March 2010
Microsoft has announced that, later today, it will release a cumulative update for Internet Explorer to fix a zero-day vulnerability in the browser that is being actively exploited. Microsoft first acknowledged the flaw in the iepeers.dll library on 9th March. The flaw allows malicious software to be installed when a webpage is visited, attackers could utilise this by hosting their own websites, compromising a third party website directly, or via user-provided content or advertisements.
The release breaks Microsoft's established practice of releasing updates on the second Tuesday of the month. Sophos Senior Technology Consultant Graham Cluley welcomed the move because hackers are actively exploiting the vulnerability.
The vulnerability does not affect the latest version of Internet Explorer: 8, but current estimates of IE8's global market share range from 24-26%, with more users sticking with the vulnerable 6 or 7. Some of those may be unable to upgrade because IE8 does not run on Windows 2000 or earlier versions.