Microsoft releases off-cycle critical security patch for Internet Explorer
Microsoft has released an off-cycle patch for a previously known vulnerability in Internet Explorer which would’ve allowed virus and malware writers to infect computers via specially crafted XML files. The flaw, which exists in all versions of mshtml.dll from Internet Explorer 5.01 up through Internet Explorer 8, could allow an attacker to run arbitrary executable files on the victim’s computer without their knowledge just by browsing an affected website with Internet Explorer.
Typically Microsoft releases patches every Tuesday, but this patch was deemed critical enough to be released ahead of next week’s cycle, especially given the amount of bad press that Internet Explorer has gotten lately regarding the flaw.
As best I can determine, reports of the vulnerability started to surface sometime around the beginning of December. ZDNet first published an article on the flaw, which was affecting hacked Chinese-language websites, on December 9th, 2008.
You may have heard it described earlier this week as a zero-day flaw in Internet Explorer. For the uninitiated, a zero-day flaw is simply any critical vulnerability which is known to the general public but is as yet unpatched.
Original vulnerability report and technical details at CVE: CVE-2008-4844.
Patch details from Microsoft: MS08-078.
This could be a good opportunity for Google to promote Chrome as an alternative.
