Microsoft today annouced the release of an out-of-band security bulletin, which will be issued on March 30, 2010.
The patch is being released to address attacks against users of Internet Explorer 6 and Internet Explorer 7. Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution, Microsoft said. For more information on the vulnerability read Microsoft's Security Advisory 981374
The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.
Microsoft will host a webcast to address customer questions on the out-of-band security bulletin on March 30, 2010, at 1:00 PM Pacific Time (US & Canada).