Microsoft issued a so-called out-of-band update for Internet Explorer today. In plain English, that means the update is being pushed out via Windows Update and Microsoft Update ahead of the normally scheduled release on Patch Tuesday, April 13. Out-of-band updates are relatively rare, and reserved for vulnerabilities that are are being actively exploited.
If you're using IE8 on any platform, including Windows 7, you need the updates described in Microsoft Security Bulletin MS10-018. If you heard otherwise, it's understandable. Microsoft has issued some confusing public statements on this matter. Here's a quick explainer.
According to the security bulletin:
This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. [emphasis added]
If you scroll down to the Affected Software section, you'll see these two entries under the Internet Explorer 8 heading:
|Operating System||Maximum Security Impact||Aggregate Severity Rating|
|Windows 7 for 32-bit Systems||Remote Code Execution||Critical|
|Windows 7 for x64-based Systems||Remote Code Execution||Critical|
MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory …
Indeed, IE8 is unaffected by that one issue. But MS10-018 is a cumulative update that also includes fixes for nine privately reported and previously undisclosed vulnerabilities in all versions of Internet Explorer, including IE8.
If you have Automatic Updates turned on, this should be delivered to you today or tomorrow at the latest. The update isn't large, and a restart is required after installation, so if you don't want an unexpected reboot, go get it now by checking Windows Update manually.