Microsoft has released its scheduled security patches for April, including one designed to address an unpatched bug in the Internet Explorer browser that had been exploited for a number of weeks.
In all, the company released five patches to address critical vulnerabilities in Explorer and other elements of Windows.
The Internet Explorer patches include a fix for a vulnerability that malware writers had exploited by tricking users into visiting sites that took advantage of the bug and then downloaded unauthorised software onto their PCs.
Security suppliers eEye Digital Security and Determina had already taken advantage of Microsoft’s inaction to create patches to address the vulnerability, resulting in hundreds of thousands of downloads by worried consumers.
Microsoft also released patches for a similarly critical vulnerability in the way Windows Explorer handles Component Object Model objects and for a vulnerability in an ActiveX control called RDS.Dataspace, which is distributed with the Microsoft Data Access Components.
Microsoft has taken flak over its decision to wait until its scheduled update before issuing a patch. Time will tell how effective – or mistaken – that strategy will prove to be.