
IMPORTANT
December 17, 2008 - v1.2
UPDATED
UPDATE - Microsoft has released two updates to address this issue. Both releases will be deployed by Microsoft Update Services. The two required updates are MS08-073 (958215) and MS08-078 (960714). The issue is about how Internet Explorer handles data binding. This is important for dynamic web pages especially on your Extranet-based software interfaces. This is a very important update and it may require you to restart your computers as the updates are applied. So far, no one has reported any issues (as in breaking something) with applying the patches to their systems with customized applications installed. If you have web-based or Extranet-based applications that use data-binding, then you will want to test the update in a testing environment first.
As a recap, these patches fix a pointer-reference issue in the Internet Explorer data-binding routines within its XML rendering engine. This allows a specially crafted web page or HTML-based email to break your unpatched Internet Explorer and install programs on your computer. We have seen two systems since last night that have been possibly exposed due to this issue. Fortunately, for both cases, the installed software was malware and our enterprise protection systems caught them and alerted us.
We reviewed the information that Microsoft posted during their webcast and the take-away is that there are two critical patches that should be installed on your Windows-based desktops and servers. This should be done as soon as possible. Every system that we have applied these patches to has required a reboot, so plan accordingly. The fastest way to get these patches is to visit Microsoft's Update site at:
http://update.microsoft.com and follow the prompts to perform an express application of all critical updates. If your situation requires careful application of the patches (such as on servers or on systems with custom or older business applications) then you should set up a test system and use the custom option to apply only the MS08-073 (958215) and MS08-078 (960714) patches.
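Once the updates have been rolled out, the installation state of the two specific packages can be checked per machine rather than trusting that Microsoft Update completed everywhere. The following is an added example (not part of the original advisory, and not Microsoft's own tooling) that uses the built-in Get-HotFix cmdlet to report which of KB958215 (MS08-073) and KB960714 (MS08-078) are missing from each host in a list. The host names are constructed placeholders; replace them with your own inventory.

```powershell
# Added example: confirm that the two out-of-band IE updates are installed.
# Get-HotFix reads the Win32_QuickFixEngineering records on each host, so it
# needs WMI/RPC access to the remote machine and an account allowed to query it.
$required  = @('KB958215', 'KB960714')          # MS08-073 and MS08-078 from the advisory
$computers = @('WORKSTATION01', 'SERVER01')     # constructed placeholders

foreach ($computer in $computers) {
    try {
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        # A host that cannot be queried is reported, not silently treated as patched.
        Write-Warning ("{0}: could not query installed updates ({1})" -f $computer, $_.Exception.Message)
        continue
    }

    $missing = $required | Where-Object { $installed -notcontains $_ }
    if ($missing) {
        Write-Output ("{0}: MISSING {1} - reboot may still be pending after install" -f $computer, ($missing -join ', '))
    } else {
        Write-Output ("{0}: both updates installed" -f $computer)
    }
}
```

Run it from an administrative console against the test system first, as the advisory recommends, and then against production. A host reported as missing an update after Microsoft Update says it was applied usually has not yet taken the required reboot.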
Even after installing the updates, please use safe browsing practices. Your servers should never be used for web browsing except for updates from trusted web sites (such as Microsoft). Your users should be logged into their desktop or remote sessions as non-administrator-level users. Systems administrators should have separate administrator-level accounts to help limit risks during their daily activities.
ORIGINAL MESSAGE
Several news reports have broken today that a vulnerability exists in Internet Explorer. This issue has the potential to expose passwords stored in your Internet Explorer (version 5 up through the new 8 beta) and it will generate a lot more press before the situation is over. We just received the Microsoft Partner notification this afternoon and we will receive more information on Wednesday during an emergency security webcast with Microsoft.
At the moment, the safest thing to do is to limit your web browsing activities with Internet Explorer either by abstaining from unnecessary non-business web browsing or by installing an alternate web browser such as FireFox, Opera, or Safari.
We expect to have more details tomorrow afternoon. Meanwhile, we encourage you not to overreact but to be extra vigilant in your activities on the Internet. Some things to consider: many of your Internet or Extranet line-of-business applications require Internet Explorer or ActiveX plugins that may not be available in other browsers. Switching browsers when trying to use these web-based applications could cause an issue with your business applications. Also, all web browsers, like any software product, will have security holes exposed. The fact that Internet Explorer is having this exposure speaks to its widespread use. Fortunately, it is backed by a company that is taking responsible action in maintaining security patches and security teams to work with these situations. Most of the other browsers are based on open-source projects, which have extremely good merits, but are supported by volunteers whose time may not be available to support your business-critical needs.
Links to Microsoft:
Microsoft Updates
December 2008 Out-of-band Security Announcement
Microsoft Security Bulletin MS08-073 - Critical Cumulative Security Update for Internet Explorer (958215)
Microsoft Security Bulletin MS08-078 - Critical Security Update for Internet Explorer (960714)
Links to news reports:
Yahoo Tech Blog
USA Today
Links to reputable browsers:
FireFox
Opera
Apple Safari