Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company's second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC.

Microsoft listed several recommended actions that users of IE6 and IE7 can take to defend themselves in lieu of a patch. They include

1. modifying access to the "iepeers.dll,"
2. disabling scripting in the browsers and
3. enabling DEP (data execution prevention)

Microsoft fixed eight flaws in Windows and Office Tuesday, but passed on patching one Windows component because it cannot be automatically updated.

The eight bugs patched today were far from the near-record 26 that Microsoft fixed last month when it delivered 13 security updates. Both of Tuesday's bulletins were ranked "important," the second-highest rating in Microsoft's four-step severity scoring system, even though the company acknowledged that the eight vulnerabilities could be used to completely compromise a Windows PC.

[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]

Although security experts recommended that users deploy the Office fix first, several argued today that the Windows update was more interesting because Microsoft declined to patch one of the two pieces of involved software.

MS10-016 fixes a single flaw in Windows Movie Maker, a consumer-grade video editor bundled with Windows Vista, and available as a separate download for users of Windows XP and Windows 7 . Hackers could exploit the bug and hijack the PC by duping users into opening a malicious Movie Maker project file, which uses the ".mswmm" file extension.

While Microsoft patched Movie Maker, it passed over Producer 2003, a downloadable add-on for PowerPoint 2002 and PowerPoint 2003 that allows those presentation makers to play .mswmm files.

Critic says Windows 7 users should block the optional KB971033 update, which would periodically 'phone home' to re-validate the copy of the OS

The update to Windows Activation Technologies (WAT), the anti-counterfeit program formerly known as Windows Genuine Advantage (WGA), has been slammed by critics, including the Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of WGA running on Windows XP.

Users whose PCs have already downloaded and installed the WAT update can uninstall it from the Control Panel. The uninstall option is also new for Microsoft's anti-piracy software; in the past, once installed, WGA updates could not be removed.