If you’re using Internet Explorer, take a few minutes today to visit Windows Update and pick up the out-of-band security update, KB960714, released a few minutes ago. (If you’re too busy, at least make sure that Automatic Updates is turned on so you get the patch overnight.) This update fixes a critical zero-day vulnerability that is being actively exploited on websites worldwide.
Even if you normally use another browser, you should install this update as soon as possible.
Full technical details, including download links for standalone installers for different combinations of IE and Windows versions, are in this security bulletin.
If you click that link, you’ll notice that there’s no direct download option for those running IE8 Beta 2. The FAQ section says you still need this update:
Is the Windows Internet Explorer 8 Beta 2 release affected by this vulnerability?
Yes. This vulnerability was reported after the release of Windows Internet Explorer 8 Beta 2. Customers running Windows Internet Explorer 8 Beta 2 are encouraged to download and apply the update to their systems.
On my 64-bit Windows Vista system, which is running a post-Beta 2 build of IE8, Windows Update automatically installed the KB960714 update for IE7. I suspect this is normal behavior, but I’ll check with Microsoft to make sure this configuration is correct.
Follow-up: If you’re running a private post-Beta 2 build of IE8, you’ll need to download an updated version of the browser code instead of a standalone update. Assuming you’re an authorized tester, you should get e-mail explaining how to get the new version.
Here’s what the update looks like for systems running the PDC build of Windows 7: