Microsoft released a patch Dec. 17 for a zero-day vulnerability affecting Internet Explorer that has been making headlines recently.
The vulnerability, which affects every version from IE 5 to IE 8 Beta 2, lies in the browser’s data binding function. According to Microsoft, when data binding is enabled (which it is by default), it is possible under certain conditions for an object to be released without updating the array length. This makes it possible to access the deleted object’s memory space and cause the browser to exit unexpectedly in a state that is exploitable.
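The condition Microsoft describes, an object released while the array length stays unchanged, is shown below as an added example: a simplified C model, not Internet Explorer code and not taken from the advisory. The names `Binding`, `BindingArray` and the fixed pool standing in for the heap are assumptions made for illustration; the flawed release routine sits beside a corrected one.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of the bug class; every name is hypothetical, not IE code. */
#define SLOTS 8
typedef struct { int in_use; int id; } Binding;
typedef struct { Binding *items[SLOTS]; int length; } BindingArray;
static Binding pool[SLOTS];  /* stand-in for the heap so stale reads stay defined */

static int array_add(BindingArray *a, int id) {
    for (int i = 0; i < SLOTS && a->length < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i] = (Binding){1, id};
        a->items[a->length++] = &pool[i];
        return 0;
    }
    return -1;
}

/* Flawed: the object is released, but the array still counts and points at it. */
static void release_flawed(BindingArray *a, int idx) {
    if (idx >= 0 && idx < a->length) a->items[idx]->in_use = 0;
}

/* Corrected: release, close the gap, shrink length, clear the vacated tail slot. */
static void release_fixed(BindingArray *a, int idx) {
    if (idx < 0 || idx >= a->length) return;
    a->items[idx]->in_use = 0;
    for (int i = idx; i < a->length - 1; i++) a->items[i] = a->items[i + 1];
    a->items[--a->length] = NULL;
}

/* Count entries inside length that still refer to a released object. */
static int count_stale(const BindingArray *a) {
    int stale = 0;
    for (int i = 0; i < a->length; i++) stale += !a->items[i]->in_use;
    return stale;
}

/* Add ids 1..3, release the middle one, report resulting length and stale count. */
static int demo(int use_fixed, int *length_out) {
    BindingArray a = {{0}, 0};
    memset(pool, 0, sizeof pool);
    for (int id = 1; id <= 3; id++) array_add(&a, id);
    if (use_fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    *length_out = a.length;
    return count_stale(&a);
}
int main(void) {
    int n = 0, flawed = demo(0, &n), fixed = demo(1, &n);
    printf("stale entries: flawed=%d fixed=%d\n", flawed, fixed);
}
```

With the flawed routine, any code that walks the array up to `length` still reaches the released entry; the corrected routine leaves no such entry to reach.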
An attacker can exploit the vulnerability via a specially crafted Web page. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user, according to the Microsoft advisory.
“This out-of-band security update is not cumulative,” Microsoft officials stated in the advisory. “To be fully protected, customers should apply this update after applying the most recent cumulative security update for Internet Explorer. This update, MS08-078, will be included in a future cumulative security update for Internet Explorer.”
Reports of attacks targeting the vulnerability began to surface the week of Dec. 8, and over the weekend, hackers were found to be compromising legitimate Web sites as part of their efforts to infect vulnerable users. McAfee reported Dec. 17 that a number of variants of the exploit are circulating, including one that uses malicious Word document files.
For those who cannot quickly deploy the patch, Microsoft has made information available about a number of workarounds and mitigations, including restricting Internet Explorer from using OLEDB32.dll with an Integrity Level ACL and disabling XML Island functionality.