Microsoft set to release critical IE patch today

Microsoft is issuing on January 21 an out-of-band (meaning, not tied to a regular Patch Tuesday) fix for the Internet Explorer security breach that affected Google and other companies in China. Microsoft plans to make the fix, designated as "critical," available as close to 10 a.m. PST as possible, officials said.

Update (9 a.m. PT): The patch is out. Steven Bink of Bink.nu fame, has links to all the various versions available for download.

While Microsoft officials say the "only successful attacks" have been against customers running IE6, the fix also applies to IE7 and IE8.

Here's the official word, via a Microsoft spokesperson:

"(W)e will be releasing MS10-002  (on) January 21, 2010. We are planning to release the update as close to 10:00 a.m. PST as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released."

Microsoft also updated Security Advisory 979352 to include information about additional products that may be affected by this vulnerability and guidance related to reports of proof of concept (POC) code that bypasses Data Encryption Protection (DEP), the spokesperson said.

My blogging colleagues Ed Bott and Ryan Naraine have been covering this issue in more depth over the past few days, for those who want more information and background.