Microsoft has rolled out a new update for Internet Explorer 9 that fixes a host of different security holes.
Launched yesterday on Microsoft's familiar "Patch Tuesday," the August 2011 Cumulative Security Update for Internet Explorer is a critical one that resolves issues not just in IE9 but in versions 6, 7, and 8 as well, according to a Microsoft blog. The update is available through Windows Update, so IE users who have Windows automatic updates turned on should have already received it.
The patch takes care of five holes in IE that were disclosed in coordination with Microsoft and two others that were publicly revealed. The most serious of the security flaws could let a hacker run code on a remote PC if the user visits a malicious Web page. Microsoft also advises that people who run accounts without administrative rights are generally better protected against these types of exploits.
Beyond patching the security holes, the 21MB update throws in some non-security fixes. One resolves an issue in which IE took a long time to open an e-mail on Outlook's Web App. Another addresses a flaw in IE8 in which the browser may have frozen when opening some pages in Windows 7 or Windows Server 2008 R2.
Due to the critical nature of the security flaws, Microsoft is recommending that individual users who don't have automatic updates turned on install the update manually as soon as possible. IT administrators will also want to roll out the update to their organizations using their own in-house update tools.
Yesterday's Patch Tuesday was a big one for Microsoft and the third largest of 2011, according to security vendor McAfee. The folks in Redmond rolled out 13 security updates to fix 22 flaws that affected Windows, IE, Microsoft Office, the .Net Framework, and Microsoft Developer Tools.
"Overall this Patch Tuesday is on the large side," Dave Marcus, director of security research and communications at McAfee Labs, said in a statement. "Although there are only two critical patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player [on Tuesday], leaving IT administrators with a full plate this summer."
Marcus advises IT admins to place priority on the IE and Windows updates since their related vulnerabilities could "result in remote code execution attacks and can expose users to drive-by download attacks via the browser."