None of the bulletins this month directly address a zero-day vulnerability found in the wild over the weekend in fully patched versions of Internet Explorer 6, 7 and 8. The flaw allows attackers to gain control of an affected machine. Attacks are delivered through malicious Web sites whose content triggers the vulnerability in the visiting browser, Microsoft says.
Microsoft has issued a workaround but not a patch, and IT departments should make implementing that workaround their top priority, Henry says.
It would be surprising if Microsoft had developed the IE patch already, says Andrew Storms, director of security operations for nCircle. "It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory," he says.
However, it is possible that one of this month's patches will repair an operating-system vulnerability that the IE attack relies on, says Henry. With the details Microsoft has released so far it is impossible to tell. "If the browser is just a path to an underlying vulnerability in the operating system, then this issue will likely be fixed by one of the patches. If the vulnerability is exclusive to the browser, on the other hand, then this is still something to watch out for," Henry says.