Yes, IE8 users, you need that new security update

Summary: Microsoft issued a security update for Internet Explorer today ahead of the normally scheduled release on Patch Tuesday, April 13. Out-of-band updates are relatively rare, and reserved for vulnerabilities that are being actively exploited. If you have Internet Explorer, here's why you need it.

Microsoft issued a so-called out-of-band update for Internet Explorer today. In plain English, that means the update is being pushed out via Windows Update and Microsoft Update ahead of the normally scheduled release on Patch Tuesday, April 13. Out-of-band updates are relatively rare, and reserved for vulnerabilities that are being actively exploited.

If you're using IE8 on any platform, including Windows 7, you need the updates described in Microsoft Security Bulletin MS10-018. If you heard otherwise, it's understandable. Microsoft has issued some confusing public statements on this matter. Here's a quick explainer.

According to the security bulletin:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. [emphasis added]

If you scroll down to the Affected Software section, you'll see these two entries under the Internet Explorer 8 heading:

Operating System | Maximum Security Impact | Aggregate Severity Rating
Windows 7 for 32-bit Systems | Remote Code Execution | Critical
Windows 7 for x64-based Systems | Remote Code Execution | Critical

So why the confusion? In the blog post that provided advance notification of the fix, the Microsoft Security Response Center said:

MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory …

Indeed, IE8 is unaffected by that one issue. But MS10-018 is a cumulative update that also includes fixes for nine privately reported and previously undisclosed vulnerabilities in all versions of Internet Explorer, including IE8.

If you have Automatic Updates turned on, this should be delivered to you today or tomorrow at the latest. The update isn't large, and a restart is required after installation, so if you don't want an unexpected reboot, go get it now by checking Windows Update manually.

Talkback

35 comments
  • 10 years - or so?

    We've been bombarded with MS insecurities for over 10 years. And the IT industry / pundits STILL doesn't get it?

    MS is insecure by design, and dangerous to use.

    Kind of sad that we put people on the moon decades ago, and we still have to endure this MS crap.
    EraldK2
    • they'll never get it....

      they spin more than a wind turbine in a hurricane to keep defending the cr*p.
      deaf_e_kate
    • go ahead.. big head.. develop ur own Design

      need I say more.. :)
      aks78
    • Meanwhile

      The 700MB+ update I downloaded for OS X today fixed 88 separate vulnerabilities. Some of them allowed exploitation simply by visiting a web site.

      Just sayin'.
      Ed Bott
      • Oh really.

        My download for Snow Leopard was 482 Mbs. And as for the 88
        vulnerabilities, where did you pull that from your hat? I went to the
        APPLE KB site & noticed not all those patches were meant for Snow
        Leopard. It was pretty much mixed, some for Snow leopard, some for
        Tiger, & some for OS X Server. Mister Bott, it's high time you give it up
        with your lies. 88 exploits for the Mac & never was I pwned. Unlike the
        millions worldwide that were being affected by this MSFT exploit for
        weeks, maybe even months. Again, MSFT is ReActive, whereas APPLE is
        ProActive.

        Mister Bott, your credibility with me, IS SHOT.
        Intellihence
        • Same with you

          http://blogs.zdnet.com/security/?p=5916

          ^ There is your information. He never said they were all for Snow Leopard.

          [i]"Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.

          The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks."[/i]
          The one and only, Cylon Centurion
        • Mac OSX has security holes you can drive a truck through

          But we both know the hackers don't pick on the 4 or 5% of market share the mac has when they can go after 90%. If Ed wasn't running the latest updates already it's conceivable his download could be larger. So please grow up, you sound like a 13 year old in a flame war.
          I use and love my MacBook Pro, I think Snow Leopard is a great OS, but so is Win 7. Apple is known for taking its time fixing security flaws and you probably know it. A totally secure OS is probably a pipe dream at this stage, MSFT problems are compounded by a need for backward compatibility because of the enterprise specific apps which depend on components of Windows. Personally I'm happy OSX still has a fairly small market share, it makes the vulnerabilities it has less likely to be exploited.
          marks055
        • Ed's credibility is shot? because he's not a kool aid drinking fanboy?...

          who would've thought?

          Um, if Apple was "proactive" they would have addressed the issues before they were issues, and no download to fix the issues would have been necessary, on Ed's or yours part...whether it's 700mb or "482mb" or whatever.

          700mb or 482mb, that's a lot of other o/s's entire image sizes, and they're not in the news for fixing 88 vulnerabilities.

          How credible is your "shot credibility" really?
          SonofaSailor
        • Apple is slower to fix problems than MS

          and MS is slow........
          Choking on that Apple yet?
          deaf_e_kate
        • O RLY?

          "Again, MSFT is ReActive, whereas APPLE is
          ProActive."

          Is that why Charlie Miller used an exploit he'd known about for over a year to crack Safari in 2009?

          Just sayin'.
          Sleeper Service
        • 784MB

          Here, see for yourself:

          http://support.apple.com/kb/DL1017
          Ed Bott
          • can't we all just get along?

            ed:
            the vast majority of your readers do NOT believe
            you are on microsoft's payroll or a member of
            any anti-apple cabal

            to those few who fail to find your articles
            unbiased, up-to-the-minute, essential news, why
            do they read you or anyone else at zdnet in the
            first place?

            anger wins neither minds nor hearts
            ...misplaced anger even less so...

            thank you for doing a great service...and for
            calmly responding to personal attacks with
            civility and facts
            rroberto18
      • Article was about Microsoft, not Apple...

        but we'll give you a "C" for attempted spin. Actually, upon further review we had to dock you a full letter grade since it was your article and you should have actually known what it was about. "D" it is.
        jasonp9
        • Any reason you want to avoid the comparison? (nt)

          .
          rtk
          • Sure, simple...

            Whenever the comparison is brought up in the reverse direction, the NBMers get their panties all in a twist. It's understandable that people want to be hypocritical about their religion, but it's also understandable for people like me to stand there and point it out when it happens.
            jasonp9
          • simple ... shows that apple is not bitten anymore only

            ... it's rotten as well
            hifi2
        • Replying to a Talkback

          Sheesh. Can't you follow a thread?

          The original comment said "We've been bombarded with MS insecurities for over 10 years." I pointed to another OS that will celebrate its 10th anniversary in less than a year and is still releasing frequent security updates: 88 of them just this week, in one humongous package.

          Get it now?
          Ed Bott
      • Just sayin....

        ...nothing that's ever been exploited in the wild.

        Meanwhile, over the last decade or so, IE's flaws have fueled the entire
        hacker/spammer/criminal cyber infrastructure.

        I've been hearing this same silliness for 20+ years, and meanwhile all of
        my Mac systems have enjoyed a low-maintenance virus-free, malware-
        free existence, while we spent inordinate amounts of time and money on
        licenses to protect them.

        Just sayin.... :)
        RealNonZealot
    • And MS software are still the software requiring the *fewest* patches

      Try to spin it every time MS patches something,
      but the fact remains.

      Internet Explorer is still hit with far
      fewer vulnerabilities than e.g. the
      "secure" alternative, Firefox.

      Chrome and Safari have not yet reached a market
      share to attract the same level of scrutiny as
      the two top browsers

      With operating system, Windows Vista/7 are the
      popular operating systems with the fewest
      vulnerabilities. 3 times less than OSX and only
      half those of Linux (kernel - not a full
      distro).

      So you were saying?

      And just to set this straight: In this latest
      patch, only 2 (two!) are for the newest
      combination IE8/Windows 7. The rest is
      distributed on various other combinations of
      browser and operating systems, with IE6 on
      WinXP being hit with the worst. I'd say that is
      a testament to the attention MS has on security
      as of lately.
      honeymonster
      • "Hit" with fewer vulnerabilities?

        Could you define "Hit" in this context? as it may indeed have fewer
        vulnerabilities, it would appear to me it is "hit" far more 99.999% of all
        trojans, virus and other malware appears to "hit" the windows platform
        does it not?
        mjpwall