Microsoft Releases Patch for Internet Explorer Zero-Day Vulnerability
Microsoft issues an out-of-band patch for the zero-day flaw affecting Internet Explorer. The IE security fix comes in response to reports hackers have been targeting the Web browser data binding vulnerability for at least a week.
Microsoft released a patch Dec. 17 for a zero-day vulnerability affecting Internet Explorer that has been making headlines recently. The vulnerability, which affects every version from IE 5 to IE 8 Beta 2, lies in the browser's data binding function. According to Microsoft, when data binding is enabled, which it is by default, it is possible under certain conditions for an object to be released without updating the array length. This makes it possible to access the deleted object's memory space and cause the browser to exit unexpectedly in a state that is exploitable.
An attacker can exploit the vulnerability via a specially crafted Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user, according to the Microsoft advisory.