The patch that Microsoft has released is however a cumulative update with patches that will fix Internet Explorer 8 security vulnerabilities as well.

The information posted by Microsoft reads:

MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory

MS10-018 is a cumulative update with the patch for Security Advisory 981374 being one of the patches included in the release. This basically means that Internet Explorer 8 is unaffected by that one vulnerability but affected by others that are included in the cumulative update as well. This is confirmed by the affected and unaffected software listing on the security bulletin page which lists the severity as critical for Internet Explorer 8 as well.

Windows users should install the update as soon as possible to protect their computer system from possible exploits. The update is also available at the Microsoft Download site.

That leaves Windows XP as the main target of the vulnerability which can be used to read files from the operating system if the filename and path are known.

The vulnerability exists due to content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites.

At this time, we are unaware of any attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Microsoft provides access to four different temporary solutions to protect a computer system from the Internet Explorer vulnerability. Solution four is probably the easiest and most convenient solution at this moment.

• Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX Controls and Active Scripting in these zones
  

  To raise the browsing security level in Internet Explorer, follow these steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

  Note If no slider is visible, click Default Level, and then move the slider to High.

  Note Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
  

  To do this, follow these steps:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

  Note Disabling Active Scripting in the Internet and Local intranet security zones may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly.

• Enable Internet Explorer Network Protocol Lockdown for Windows XP
  

  To lockdown the “file” protocol, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.

  Windows Registry Editor Version 5.00
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
  “explorer.exe”=dword:00000001
  “iexplore.exe”=dword:00000001
  “*”=dword:00000001

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
  “file”=”file”

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
  “file”=”file”

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
  “file”=”file”

• Enable Internet Explorer Network Protocol Lockdown using automated Microsoft Fix It [link]

System administrators can take a look at the vulnerability information page for further information about and impact of the vulnerability.

The vulnerability has also been used in an attack earlier this month on several popular US companies that included Google and Adobe. The patch does not seem to have been made available via Windows Update yet. This is likely to happen in the next couple of hours.

Windows users are encouraged to download the patch from the appropriate support pages to close the vulnerability in their computer system.

• Internet Explorer 8 (Windows XP 64-bit, Windows XP 32-bit, Windows Vista 32-bit, Windows Vista 64-bit, Windows 7 32-bit, Windows 7 64-bit
• Internet Explorer 7 (Windows XP 32-bit, Windows XP 64-bit, Windows Vista 32-bit, Windows Vista 64-bit
• Cumulative Security Updates for Windows XP 32-bit, Windows XP 64-bit

Users with Internet Explorer 6, Windows Server 2003 or Windows Server 2008 can find the whole list of patches at Bink.nu. Internet Explorer 6 and IE 7 users should also consider updating their web browser to Internet Explorer 8 if possible.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Microsoft is currently working on a patch to fix the vulnerability with the likelihood that the patch will be released out of their usual patch cycle as an emergency patch.

The patch confirmation page lists several mitigating factors but the safest option right now is to switch to a different web browser at least for as long as no patch is provided to protect the computer system from the vulnerability.

This security update is being released out of band in conjunction with Microsoft Security Bulletin MS09-035, which describes vulnerabilities in those components and controls that have been developed using vulnerable versions of the Microsoft Active Template Library (ATL). As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

This security update also resolves three privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on supported editions of Microsoft Windows 2000; Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows XP; Critical for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Vista; Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 running on supported editions of Windows Server 2003; and Moderate for Internet Explorer 7 and Internet Explorer 8 running on supported editions of Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Windows users should make sure to download the security update as soon as possible. It is available at the usual sources including automatic updates, Windows Update or Microsoft Update.

The security vulnerability affects only Windows XP and Windows Server 2003 systems. Computer systems running Windows Vista, Windows Server 2008 or Windows 7 are not affected because “the ability to pass data to this control within Internet Explorer” is restricted in these operating systems.

A successful attack will give the attacker the same user rights as the currently logged in user. Microsoft has issued a workaround for the Internet Explorer vulnerability that can be applied manually or using Microsoft Fix It.

The fastest way to patch the security vulnerability is to use the Microsoft Fix It script that will perform all the actions of the workaround automatically. The fix will basically remove support for the ActiveX Control in Internet Explorer. This should not have any impact on the web browser’s functionality according to Microsoft.

While this works as intended in the 32-bit edition of Windows Vista it does not in the 64-bit edition as it is still possible for users to access Internet Explorer from the Windows start menu. The hotfix corrects the issue so that the function is working as intended on 64-bit editions of Windows Vista as well.

The second problem affects the 64-bit editions of Windows Vista, Windows Server 2003 and Windows Server 2008. Microsoft describes the problem the following way:

The Image Delivery server that runs the 64-bit version of Windows Server 2008 or of Windows Server 2003 stops delivering images when you deploy an operating system by using an image-based installation method

The hotfix can also be downloaded directly by visiting the Microsoft Knowledge Base article.