Internet Explorer hit heavily on all fronts

Aug 15, 2007 08:10 GMT

The version of Internet Explorer 7 included by default in Windows Vista is open to attacks from specially crafted malicious web pages via no fewer than two vulnerabilities. However, Microsoft revealed that the risk extends to all supported editions of IE, including Internet Explorer 5.01 and Internet Explorer 6 SP1 and SP2, as well as Internet Explorer 7 for Windows XP SP2 and Windows Server 2003. In the August Cumulative Security Update for Internet Explorer, Microsoft patched no fewer than three vulnerabilities impacting IE, via a security bulletin with a maximum severity rating of Critical.

"This update addresses 3 remote code execution vulnerabilities. This bulletin also includes killbits for some vulnerable third-party ActiveX controls. These have been set at the request of the owners. This update is rated 'Critical' for IE 5.01, IE6 Service Pack 1 on Windows 2000, IE6 and Windows XP; 'Moderate' for IE6 on Windows Server 2003; 'Important' for IE7 on Windows XP SP2 and IE7 in Windows Vista; 'Low' for IE7 on Windows Server 2003. This update also addresses an unexpected 'Save File' security dialog experienced by some users upon launching Internet Explorer after relocating the 'Temporary Internet Files' folder to a custom location," explained Terry McCoy, Program Manager Internet Explorer Security.

The Critical CSS Memory Corruption Vulnerability affects only Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 and no other IE version. However, the ActiveX Object and ActiveX Object Memory Corruption vulnerabilities expose IE6 and IE7 to attack. Still, one mitigating factor is that all three vulnerabilities were privately reported to Microsoft. The company did not offer any information that might lead to the conclusion that any of the three security vulnerabilities has been exploited in the wild.

"IE security updates are cumulative and contain all previously released updates for each version of Internet Explorer. I encourage everybody to download this security update and other non-IE security updates via Windows Update or Microsoft Update. Windows users are also strongly encouraged to configure their systems for automatic updates to keep their systems current with the latest updates from Microsoft," McCoy added.