Microsoft has issued a patch, outside its normal security patch cycle, for a critical bug in Internet Explorer versions from 6.0 up to, but not including, Windows XP Service Pack 2 (SP2).
According to the advisory issued by Microsoft, the bug could allow remote code execution on an affected system. The vulnerability is a buffer overflow in the handling of IFRAME and EMBED tags. By providing oversized source fields for those tags, an attacker could potentially execute arbitrary code on the user's system. The vulnerability's severity is underscored by the fact that this is only the second time that Microsoft has issued an out-of-cycle security patch since it instituted its monthly patch cycles in November 2003.
Note: Users of Windows XP SP2 and IE 5.x are NOT affected by this vulnerability.
Download: Windows ME/98
Download: Windows XP/2000/NT
View: Microsoft KB889669 Article
News source: eWeek