Microsoft releases software patch

Microsoft is expected to release a software patch today to fix a zero-day flaw affecting Internet Explorer 6 and Internet Explorer 7 that’s been used in targeted attacks for several weeks.

Security update MS10-018, which is like a sequel to MS10-017 only there is no cute kid in it, patches a flaw in Internet Exploder, which is caused by an invalid pointer reference.

The invalid pointer can be accessed after an object is deleted, paving the way for hackers to carry out remote code execution attacks.

Update MS10-018 also fixes nine additional vulnerabilities, some of which affect IE 8, which just happened to be lying around and needed tidying up.

Microsoft says these nine flaws “were responsibly disclosed” and that it isn’t aware of any active attacks that are targeting them.

The latest zero-day flaw was revealed on March 9. Redmond said that its impact was limited to “targeted” attacks and it would be dealt with on the usual Patch Tuesday. But the exploit code ended up online and Microsoft had to release the patch early.

According to McAfee Labs, unsuspecting Web surfers who visited the domain were served up a drive-by download of a Trojan named notes.exe, which would then create two copies of itself in the Windows temp directory and generate a .DLL file that, when injected into IE, would give attackers remote access.