An advance notification of the patch published Tuesday describes it as
protection for a "remote code execution" vulnerability. The move
follows Microsoft's security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary "workarounds" for protection.
The flaw can be used to let attackers steal personal data such as
passwords if a user visits a compromised Web site, of which at least
10,000 are thought to already exist. Thus far, the vulnerability has
been used primarily for grabbing gaming passwords for black market
sales. The hole could, however, potentially also be used to steal more
sensitive information such as banking passwords and other private
Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center.
All users of IE5, 6, and 7 are advised to install it. A separate patch
is expected to be made available for users of IE8 Beta 2. Expect to see
far more detail by midday Wednesday when Microsoft officially issues
its security bulletin.