Microsoft to Patch IE Zero-Day Vulnerability
Microsoft is prepping a security patch for a zero-day vulnerability in the Microsoft Internet Explorer Web browser. The out-of-band patch is slated to be ready Dec. 17 and will fix a data binding problem being attacked by hackers.Microsoft will release a patch tomorrow, Dec. 17, for a zero-day vulnerability affecting Internet Explorer that has been under attack by hackers. The vulnerability, which affects all supported versions of IE, lies in the browser's data binding function. According to Microsoft, when data binding is enabled-which it is by default-it is possible under certain conditions for an object to be released without updating the array length. This makes it possible to access the deleted object's memory space and cause the browser to exit unexpectedly in a state that is exploitable.
"At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," Christopher Budd, Microsoft's Security Response Communications lead, said in a statement. "Microsoft encourages customers to test and deploy this update as soon as possible."