Unscheduled patches for Microsoft IE and Visual Studio
In a "Security Bulletin Advance Notification" on TechNet, Microsoft announces that two unscheduled security patches for Internet Explorer and Visual Studio will be published on Tuesday, 28 July. This is unusual and indicates a particularly serious security vulnerability, since Microsoft normally provides software updates in batches on the second Tuesday of the month, known as “patch Tuesday”.
Versions 5, 6, 7 and 8 of Internet Explorer, Visual Studio .NET 2003, 2005 and 2008, and Visual C++ 2005 and 2008 running under Windows 2000, XP, Vista and Server 2003 and 2008 are affected. Microsoft will disclose further details of the patches in a webcast on Tuesday at 1 p.m. Pacific Time (10 p.m. CET).
Observers speculate that the urgent patches are connected with a presentation at the Black Hat security conference that opens today in Las Vegas. The presentation discusses vulnerabilities in the communication between individual browser components. A video released last night as a preview of the presentation demonstrates how visiting a web site can open the Windows calculator.
Apparently the authors of the presentation have succeeded in circumventing the kill bit, which is meant to prevent Internet Explorer from executing ActiveX controls that have known security vulnerabilities. That would open the gates wide to a multitude of critical security vulnerabilities that Microsoft defused by setting the kill bit.