Microsoft has gone out-of-band from their normal release cycle for a critical security bulletin release.  The bulletin addresses the zero-day vulnerability described in Security Advisory KB979352.

The last time Microsoft went out-of-band for a security bulletin was last July.  That bulletin addressed a vulnerability in the ATL library.  Unlike the July out-of-band release, this bulletin fixes a zero-day vulnerability that is currently being exploited in attacks.

This bulletin, MS10-002, applies to all supported versions of Internet Explorer on all supported operating systems.

Only 1 of the vulnerabilities has been publicly disclosed, and it is currently being used in targeted attacks.  The other 7 vulnerabilities addressed by this bulletin are not publicly known and are not being used in attacks.

It is important to note that this is a cumulative update for Internet Explorer.  Multiple vulnerabilities are addressed by this bulletin.  As with any patch, administrators should test it to ensure the fixes do not break functionality in Internet Explorer.  In the case of this patch, administrators should deploy it immediately to all servers and workstations, as exploit code has been published for the one known vulnerability.

Microsoft typically releases a cumulative Internet Explorer update every other month.  February's patch day would mark the usual schedule for a cumulative release.  Microsoft rolled the fix for the publicly known exploit into the cumulative update.

-Jason Miller