We're not even really sure if the reports of new exploits affecting Internet Explorer browsers are actually valid, but in case they are, Microsoft will issue a patch that addresses the problem those exploits may be targeting.
It's the kind of development that could give "zero-day" a whole new meaning: a wave of alleged Internet Explorer exploits of which, apparently, zero have been experimentally validated. Still, the subject matter is of some concern: the apparent ability of an ActiveX control -- on the dozens upon dozens of sites that still use them -- to leave code in memory after cleanup that can still be executed without privilege.
Rather than gamble on all of these reports being false, Microsoft is patching the Web browser anyway and rating the issue Critical. Tomorrow morning at 10:00 am Pacific Time (1:00 pm Eastern Time), Microsoft will issue an out-of-cycle patch for the problem. The patch applies to every version of Internet Explorer from IE5.01 Service Pack 4 through IE8 Beta 2, on every version of Windows back to Windows 2000 SP4.
The good news in all of this is that the possibility of an exploit has apparently made Microsoft aware of a legitimate problem, or at least of something that could become one.
A blog post from Microsoft's security vulnerability team today describes the problem in the greatest level of detail we've seen thus far: "Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data ('heap spray') before the invalid pointer dereference."
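To make the object lifecycle in that quote concrete, here is an added C illustration (not IE, Microsoft or any real ActiveX code; every name in it is hypothetical): an array of objects from which one is released and later referenced, with release built on generation-checked handles so that the stale reference is rejected instead of dereferencing freed memory. The heap spray step is deliberately not modelled; the block shows only how the release-then-reference pattern is hardened on the defender's side.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define NSLOTS 4                                   /* hypothetical names throughout; not IE code */
typedef struct { char name[16]; } binding_t;        /* stands in for a data binding object */
typedef struct {
    binding_t *obj;  /* NULL while the slot is free */
    uint32_t   gen;  /* bumped on every release, so handles issued earlier stop matching */
} slot_t;
typedef struct { uint32_t index, gen; } handle_t;  /* callers hold this, never a raw pointer */
static slot_t table[NSLOTS];
/* Resolve a handle only if its slot is live and the generation still matches. */
static slot_t *lookup(handle_t h) {
    if (h.index >= NSLOTS || table[h.index].obj == NULL || table[h.index].gen != h.gen)
        return NULL;
    return &table[h.index];
}
static handle_t bind_create(const char *name) {
    for (uint32_t i = 0; i < NSLOTS; i++) {
        if (table[i].obj != NULL) continue;
        table[i].obj = calloc(1, sizeof *table[i].obj);           /* zeroed: name stays terminated */
        strncpy(table[i].obj->name, name, sizeof table[i].obj->name - 1);
        return (handle_t){ i, table[i].gen };
    }
    return (handle_t){ UINT32_MAX, 0 };                              /* table full: invalid handle */
}
/* Free the object, clear the slot, and invalidate every outstanding handle to it. */
static int bind_release(handle_t h) {
    slot_t *s = lookup(h);
    if (s == NULL) return -1;                        /* unknown, stale or already released */
    free(s->obj); s->obj = NULL; s->gen++;
    return 0;
}
/* The "later reference it" step: a stale handle yields NULL instead of a read of freed memory. */
static const char *bind_name(handle_t h) {
    slot_t *s = lookup(h);
    return s ? s->obj->name : NULL;
}
/* The sequence in the quote: create several objects, release one, reference it again. */
static int scenario(void) {
    handle_t a = bind_create("a"), b = bind_create("b"), c = bind_create("c");
    if (bind_release(b) != 0) return 1;
    if (bind_name(b) != NULL) return 2;              /* stale handle rejected */
    handle_t d = bind_create("d");                   /* reoccupies b's slot, as heap reuse would */
    if (d.index != b.index || bind_name(b) != NULL) return 3;   /* still rejected after reuse */
    if (strcmp(bind_name(a), "a") || strcmp(bind_name(c), "c") || strcmp(bind_name(d), "d")) return 4;
    bind_release(a); bind_release(c); bind_release(d);
    return 0;
}
```

Raw pointers to the released object are what make the dereference in the quote exploitable; routing every reference through a validated handle is one way to turn that into a detectable error at the point of use.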