Microsoft said it will release an out-of-band patch tomorrow that fixes a remote code execution vulnerability in Internet Explorer 6 and 7 that was announced three weeks ago.
MS10-018 will fix an invalid pointer reference used by the Web browser. This will be a cumulative IE security update that will also fix nine other vulnerabilities in IE that were originally planned for the April 13 Patch Tuesday release.
Microsoft said on March 9 that under certain conditions, the invalid pointer could be accessed after an object is deleted. Using a particular attack, the vulnerability could be exploited for remote code execution. Exploit code has been released to the Metaspolit framework, prompting the emergency patch.
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are affected; IE 8 is not.
"We recommend that customers install the update as soon as it is available," Microsoft said today in an advisory.
In its original advisory, Microsoft said attackers could use spear phishing techniques to lure users to malicious websites where malware would be downloaded onto a victim's machine. The attacker could then have the same user rights as the local user. Microsoft recommended workarounds at the time, including setting the security level for the Internet zone in IE to high, and disabling script and Active X controls.