Microsoft issues an out-of-band patch for the zero-day flaw affecting Internet Explorer. The IE security fix comes in response to reports hackers have been targeting the Web browser data binding vulnerability for at least a week.
released a patch Dec. 17
for a zero-day vulnerability affecting Internet
Explorer that has been making headlines recently.
The vulnerability, which affects every version from IE 5 to IE 8 Beta 2,
lies in the browser's data binding function. According to Microsoft,
binding is enabled-which it is by default-it is possible under certain
conditions for an object to be released without updating the array length. This
makes it possible to access the deleted object's memory space and cause the
browser to exit unexpectedly in a state that is exploitable.
An attacker can exploit the vulnerability via a specially crafted Web page.
An attacker who successfully exploited this vulnerability could gain the same
user rights as the logged-on user, according to the Microsoft advisory.
Click here to read more about how
hackers are using legitimate sites to exploit the Internet Explorer flaw.
"This out-of-band security update is not cumulative," Microsoft
officials stated in the advisory. "To be fully protected, customers should
apply this update after applying the most recent cumulative security update for
Internet Explorer. This update, MS08-078, will be included in a future
cumulative security update for Internet Explorer."
Reports of attacks targeting the vulnerability began to surface the week of
Dec. 8, and over the weekend, hackers were found to be compromising legitimate
Web sites as part of their efforts to infect vulnerable users. McAfee
reported Dec. 17 that a number of variants of the exploit
including one that uses malicious Word document files.
For those who cannot quickly deploy the patch,
Microsoft has made information available about a number of workarounds and
mitigations, including restricting Internet Explorer from using
OLEDB32.dll with an Integrity Level ACL
and disabling X M L Island functionality.