Critical IE update available

If you’re using Internet Explorer, take a few minutes today to visit Windows Update and pick up the out-of-band security update, KB960714, released a few minutes ago. (If you’re too busy, at least make sure that Automatic Updates is turned on so you get the patch overnight.) This update fixes a critical zero-day vulnerability that is being actively exploited on websites worldwide.

Even if you normally use another browser, you should install this update as soon as possible.

Full technical details, including download links for standalone installers for different combinations of IE and Windows versions, are in this security bulletin.

If you click that link, you’ll notice that there’s no direct download option for those running IE8 Beta 2. The FAQ section says you still need this update:

Is the Windows Internet Explorer 8 Beta 2 release affected by this vulnerability?
Yes. This vulnerability was reported after the release of Windows Internet Explorer 8 Beta 2. Customers running Windows Internet Explorer 8 Beta 2 are encouraged to download and apply the update to their systems.

On my 64-bit Windows Vista system, which is running a post-Beta 2 build of IE8, Windows Update automatically installed the KB960714 update for IE7. I suspect this is normal behavior, but I’ll check with Microsoft to make sure this configuration is correct.

Follow-up: If you’re running a private post-Beta 2 build of IE8, you’ll need to download an updated version of the browser code instead of a standalone update. Assuming you’re an authorized tester, you should get e-mail explaining how to get the new version.

Here’s what the update looks like for systems running the PDC build of Windows 7:

[Screenshot: IE8 Security update]

9 thoughts on “Critical IE update available”

    1. Dave, there are any number of third-party applications that use IE as their engine for viewing HTML content. And it’s possible for another program to invoke IE as well. So better to close that hole so it can’t be exploited through a back door.

  1. Ed, I tried to download the update on a Vista Business PC using the beta of SP2 and IE 8 Beta 2 around 3:00 EST. Windows Update claimed the PC was up to date each time I tried to secure the update. Is there an issue with Vista SP2?

  2. Betsy, I downloaded and installed this notebook via Microsoft Update on a notebook running Service Pack 2 Beta. On another system (Vista SP1), I had to check for updates several times before it appeared. So it might just be the server not cooperating. Try again.

  3. Thank you, Mr. Bott, for informing this news.
    It would have been great if I could have visited your blog a few hours earlier, since this would have prevented a few viruses infecting my system.
