Microsoft is going out of their normal release cycle to post a new security bulletin for Internet Explorer.  This bulletin fixes a vulnerability that is currently being exploited in the wild.

In the past few years, Microsoft has gone out-of-band with security bulletin releases on limited occasions.  In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities.  With today's out-of-band release, Microsoft has already released two in 2010, both addressing known critical vulnerabilities in Internet Explorer and kicking off a record year for out-of-band patch releases.

Microsoft typically releases cumulative updates for Internet Explorer bimonthly during regular Patch Tuesday releases, and we were expecting to see the next round of IE patches in April’s Patch Tuesday release.  As this bulletin is being released earlier than planned, it is important to note the bulletin contains a total of 10 vulnerability fixes.  The other nine vulnerabilities addressed are not publically known at this time.

If administrators used any of the workarounds suggested in the security advisory (KB981374) that prompted this out-of-band release, it is important for them to un-apply the workarounds.  This will restore functionality that was lost due to the temporary fix.

With any zero-day exploit that is being actively targeted, it is critical for administrators to patch their systems as soon as possible.  Some patch maintenance cycles are scheduled over weekends to accommodate the known downtime.  While many are planning for a long holiday weekend, administrators should not wait to patch this until next week as we know that hackers won’t be taking the weekend off.

Jumping on this version of Patch Tuesday:

Mozilla has released a new version of Thunderbird.  Thunderbird 3.0.4 fixes known security vulnerabilities in the product.  The Mozilla Security Advisory page has not been updated yet and you should keep an eye on the page for the announcement.

Sun has also released a new version of Sun Java.  Sun Java 6 update 19 fixes multiple security vulnerabilities.  More information can be found here.

Apple is also releasing a large number of vulnerability fixes for Mac OS X v10.5.8, Mac OS X v10.6 - v10.6.2.  The release notes can be found here.

As it seems a lot of vendors are in the patching mood today, I will update this blog posting if we find more here at Shavlik.

- Jason Miller