Another Out of Band Security Update Released by Microsoft to Patch IE Vuln
In two of the last three months, Microsoft has released an out-of-band patch to fix a critical vulnerability in one of its applications. Today it is releasing an update to patch a critical vulnerability within Internet Explorer. The patch addresses an XML handling bug within the browser that would allow an attacker to inject malware onto an unsuspecting user's computer when the user merely visits a compromised web site.
Back in October, Microsoft also released an out-of-band patch to address a vulnerability in the "Server" service which affected many versions of Windows XP and Windows Server 2003. This new update comes right on the heels of a record-setting Patch Tuesday on December 9th, when an incredible 28 patches were released, 23 of them carrying a "Critical" rating.
Since I have had a couple of people ask me the question, I figured it was appropriate to address the question here. That question is "What does an out-of-band patch mean?" In this context I am referring to an update that is released outside of Microsoft's typical update schedule. The second Tuesday of every month is widely called "Patch Tuesday." This is when Microsoft releases its software/application updates for the month. Many of these patches are security related. When a patch is released on a day other than Patch Tuesday, like today, it is then considered "out-of-band."
This vulnerability is especially critical to patch as soon as possible, as exploit code has been available and hackers have been taking advantage of this vulnerability for about a week now. "Patch Tuesday" is typically followed by what is commonly called "Exploit Wednesday" (which is likely when this exploit was released into the wild). Exploit Wednesday is when new exploits are commonly released; these either target new vulnerabilities brought about by the code that was patched or take advantage of existing code issues, with the knowledge that Microsoft is typically slow to release a patch outside of its normally published schedule.
Test and deploy this patch immediately or encourage your users to use a different browser (such as Firefox or Chrome) until you can deploy the fix.
*** UPDATE 12/18/2008 9:15am MST *** More information here written by SC Magazine which re-emphasizes the importance of rapid patch testing and deployment due to the number of active exploits.
Posted by smasiello at 11:04 AM