This week, Microsoft released security bulletin MS09-034 without waiting for the next scheduled Patch Tuesday on Aug. 11. According to the Redmond company, the patch is rated "Critical" for IE 6/7/8 on XP and IE 7/8 on Vista. (The Windows 7 release-to-manufacturing (RTM) build is unaffected, but the Windows 7 release candidate does require patching.)

You may already have applied the "killbits" from Microsoft security bulletin MS09-032, which was released on this month's regular Patch Tuesday, July 14. In theory, those killbits protect you against certain ActiveX exploits already circulating on the Internet. Microsoft's Security Research & Defense blog recommends that you keep the killbits in place, if you did install them, and also apply this week's update; the group says the two together provide an added layer of "defense in depth." If, on the other hand, you haven't yet applied MS09-032, installing this week's out-of-cycle patch means you don't need to install the earlier one.

Why did Microsoft rush out an update for a problem that most admins had already patched? The reason was revealed yesterday afternoon in Las Vegas. A presentation at the Black Hat Security Conference by security researchers Ryan Smith, Mark Dowd, and David Dewey showed that the earlier killbit fix could be evaded by malware. In the blog post announcing the talk, the researchers describe a vulnerability they found in Microsoft's Visual Studio Active Template Library (ATL), which developers use to write Windows programs, and in a video posted on their site they demonstrate an exploit taking control of a PC while bypassing the killbit.

Microsoft's statement that MS09-032 protected you from known attacks was technically true. New attacks, however, are likely to appear very soon now that the Las Vegas presentation is public. It would be wise to install the more recent MS09-034 patch right away.
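If you want to confirm whether a particular control's killbit is actually present on a machine before deciding which bulletin still needs applying, the check below is an added example (it is not from the article, from Microsoft, or from the researchers). IE records a killbit as the 0x400 bit of the "Compatibility Flags" value under the control's CLSID in the ActiveX Compatibility registry key; the CLSID shown in the usage line is a placeholder, not the identifier of any control covered by MS09-032.

```powershell
# Added example, not part of the original article.
# Returns $true when the IE killbit (Compatibility Flags bit 0x400) is set for
# the given ActiveX CLSID, $false otherwise. On 64-bit Windows the 32-bit IE
# process reads the Wow6432Node view, so both views are checked.
function Test-KillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid    # GUID in registry form, e.g. '{...}'; supply the CLSID from the bulletin
    )

    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($key in $paths) {
        if (-not (Test-Path -Path $key)) { continue }
        $item  = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $flags = [int]$item.'Compatibility Flags'
        if (($flags -band 0x400) -ne 0) { return $true }
    }
    return $false
}

# Usage: the CLSID below is a placeholder chosen for illustration only.
$placeholderClsid = '{00000000-0000-0000-0000-000000000000}'
if (Test-KillBit -Clsid $placeholderClsid) {
    Write-Output "$placeholderClsid : killbit set"
} else {
    Write-Output "$placeholderClsid : no killbit"
}
```

Note the caveat the article itself makes: a killbit being present tells you only that IE will refuse to instantiate that control directly. Because the researchers showed the ATL flaw lets an exploit bypass the killbit, a $true result from this check is not evidence that MS09-034 can be skipped.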