If you’re like me, you were very surprised to find an update awaiting your installation of Windows 7, including Internet Exploder 8, because the various places that concern themselves with Microsoft updates had reported, as recently as last evening, that the systems affected would be the ones that had Internet Exploder 6 and Internet Exploder 7 on them, which, barring any user weirdness, would leave out any Windows 7 system.

But I looked at the notification, and all appeared to be well, so I downloaded it, and rebooted as necessary (meaning that some important files were being replaced!). The download was a tad under 15 megabytes, so it actually could have been most of the files that comprise Internet Exploder 8.

I actually thought no more of it until I read a piece by Ed Bott, on ZDNet, where he explains that Microsoft was being very odd with their descriptions, or purposely obtuse –

Microsoft issued a so-called out-of-band update for Internet Explorer today. In plain English, that means the update is being pushed out via Windows Update and Microsoft Update ahead of the normally scheduled release on Patch Tuesday, April 13. Out-of-band updates are relatively rare, and reserved for vulnerabilities that are are being actively exploited.

If you’re using IE8 on any platform, including Windows 7, you need the updates described in Microsoft Security Bulletin MS10-018. If you heard otherwise, it’s understandable. Microsoft has issued some confusing public statements on this matter. Here’s a quick explainer.

According to the security bulletin:

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6 Service Pack 1, Internet Explorer 6 on Windows clients, Internet Explorer 7, and Internet Explorer 8 on Windows clients. [emphasis added]

If you scroll down to the Affected Software section, you’ll see these two entries under the Internet Explorer 8 heading:

Operating System     Maximum Security Impact     Aggregate Severity Rating

Windows 7 for 32-bit Systems   Remote Code Execution Critical

Windows 7 for x64-based Systems   Remote Code Execution  Critical

So why the confusion? In the blog post that provided advanced notification of the fix, the Microsoft Security Response Center said:

MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory …

Indeed, IE8 is unaffected by that one issue. But MS10-018 is a cumulative update that also includes fixes for nine privately reported and previously undisclosed vulnerabilities in all versions of Internet Explorer, including IE8.

If you have Automatic Updates turned on, this should be delivered to you today or tomorrow at the latest. The update isn’t large, and a restart is required after installation, so if you don’t want an unexpected reboot, go get it now by checking Windows Update manually.

So that tells the tale. If Microsoft had been a bit more careful in their description, an entire batch of writers would not have dismissed the update as not affecting the Windows 7 crowd. Of course, if you have Secunia Personal Inspector installed, expect it to complain either today or tomorrow if you don’t have the updates installed.

At least for the day, Internet Exploder 8 is safe. What a feeling!


Download Opera – A faster and more secure Web browser.


≡≡ Ḟᴵᴺᴵ ≡≡