The company will issue an update to fix a security flaw in the browser’s cross-site scripting (XSS) filter which, if left unfixed, would put users at risk of malicious software.

Microsoft said that the update will be released in June to fix the hole that researchers warned about at the Black Hat Europe conference in Barcelona last week. The researchers showed how problems with the filter could be used to inject malicious code on to sites including Google, Microsoft’s Bing search site and Twitter.

“The XSS Filter related Black Hat EU presentation discussed a vulnerability that was previously disclosed and addressed in the January security update to Internet Explorer (MS10-002),” David Ross wrote on the Microsoft Security Response Center blog.

“Like many security issues – take malware as an example – attack vectors are always a moving target.  The role of the browser maker is to do everything we can to keep people safe without them having to do a lot of extra work.”IE to us

After Microsoft admitted that it was a flaw in its browser that was exploited by hackers looking to launch an attack on Google systems, Microsoft will today (Thursday) take the rare step of releasing a critical security update early, with the update not due until February 9.

The update will be released at approximately 10am PST and comes after a number of high profile groups, including the governments of Australia, France and Germany, called for users to use alternative browsers to Internet Explorer, which has around 62.3% of the worldwide browser market. Following the announcement, both Mozilla Firefox and Opera, browsers which both claim user security as a selling point, saw notable spikes in the number of downloads.

“This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of critical,” said Microsoft security programme manager Jerry Bryant.

“It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicised.”

Microsoft have continued to refute claims that Internet Explorer is unsafe.

Microsoft admitted that a security hole in the browser, which makes up around 62.3% of the worldwide web browser market, was exploited by those who initiated the attack on Google services last week but the software giant has rejected the warning from the German Federal Office for Information Security.

The company claimed that the risk to users was low and that the browsers’ increased security setting would prevent any serious risk, a claim that the German authorities have refuted however, claiming that even this would not make Internet Explorer fully safe. They have proposed that users find alternative browsers, such as Mozilla Firefox, Google Chrome or Safari.

Thomas Baumgaertner, a spokesman for Microsoft in Germany, said that while they were aware of the warning, they did not agree with it, saying that the attacks on Google were by “highly motivated people with a very specific agenda”.

“These were not attacks against general users or consumers,” said Mr Baumgaertner.

“There is no threat to the general user, consequently we do not support this warning,” he added.

Microsoft says the security hole can be shut by setting the browser’s security zone to “high”, although this limits functionality and blocks many websites.

The company is also working on a fix for the bug and has not ruled out an “out of schedule” security update. The company usually issues updates on a monthly basis, with the next update due on February 9.

The latest update, which like other Microsoft updates is being released on the second Tuesday of the month, will include thirteen security bulletins to fix 34 known flaws, predominantly closing a loophole exposed with the running of Internet Explorer 8 browser in Windows 7.

In particular, Microsoft have stated that the update will fix two critical loopholes, these being Vulnerabilities in SMB Could Allow Remote Code Execution (975497) and Vulnerabilities in the FTP Service in Internet Information Services (975191).

Flaws in Microsoft Office, Silverlight, Forefront, Developer Tools, and SQL Server will also be fixed by the new update.

The biggest update issued previously by Microsoft’s was released in June 2009, with 10 bulletins designed to tackle 31 vulnerabilities.

Most users will get the updates automatically but download links are also available on Microsoft’s security pages. Once applied to a PC, the machine will need to be re-started before the fixes take effect.

Users are recommended to perform a virus scan with their antivirus software prior to downloading the updates, which will be issued at 10:00am PDT (UTC -8).

Microsoft, who usually release security updates in one monthly release, opted to draw attention to a specific flaw in Internet Explorer which could allow a hacker to secretly take remote control of a user’s PC, urging customers to update their systems as early as possible.

The flaw, which is exploited when a victim unwittingly visits an infected website, potentially allows hackers to remotely take control of victims’ machines.

It’s thought that cyber-criminals have been attacking the vulnerability, which is found in the video playback system in Internet Explorer, for nearly a week, with thousands of sites reportedly hacked to serve the malicious code and users being tempted into visiting by a spam email campaign.

It isn’t the first time that Microsoft has issued security warnings outside of their usual security release, issued on the second Tuesday in the month. Last October, the company issued a number of warnings over the Conficker worm amid fears over the virus’s capabilities. Ultimately, the virus was not as powerful as first thought, being used predominantly to fake antivirus software scams and push spam email campaigns.

Microsoft urged vulnerable users to disable the problematic part of its software, which can be done from Microsoft’s Web site, while the company works on a “patch” – or software fix – for the problem.

Users are advised to update their antivirus software and close the loophole manually. Details on how to do this are available at http://support.microsoft.com/kb/972890#FixItForMe