After acknowledging a zero-day bug in Internet Explorer 6 (IE6) and IE7 in early March, Microsoft has notified users that it will ship a so-called "out-of-band" patch for the vulnerability this week.
The advance notice is meant to give IT administrators time to prepare to roll the patch out as soon as it's available.
Microsoft (NASDAQ: MSFT) first publicly recognized the zero-day when it released its latest "Patch Tuesday" bug fixes on March 9. At that time, Microsoft said there were "limited attacks" using the bug exploit in the wild and that the company was busy evaluating the hole.
Microsoft later said on March 15 that it was working on a patch, but wasn't yet finished testing and could not say when it would be released -- although the company hinted that an out-of-band release might be in the works.
An "out-of-band" patch is one that is not released on the second Tuesday of each month, known as Patch Tuesday, but rather as soon as it's ready and tested. These patches are usually urgently needed.
In the meantime, a security researcher who goes by the screen name "Trancer" developed and released a Metasploit module for easy reuse by other hackers.
The bug does not affect IE8. However, IE6 and IE7 are vulnerable when running on Windows XP Service Pack 2 (SP2) or SP3, Windows Server 2003 SP2, and Windows Vista SP1 and SP2. Windows 7 and Server 2008 are not affected. One way to avoid the flaw is to upgrade from IE6 or IE7 to IE8. Microsoft also delivered a "Fix-it" script that reconfigures some systems to avoid the vulnerability.
Additionally, the out-of-band patch is a cumulative update to IE, so it contains all existing patches for IE, as well as several other privately-reported bug fixes that all rank as "Critical" on Microsoft's four-tier security rating scale.
When it's released, the out-of-band cumulative patch for IE will be available here.