Microsoft will release a patch tomorrow, Dec. 17, for a zero-day vulnerability affecting Internet Explorer that has been under attack by hackers.
The vulnerability, which affects all supported versions of IE, lies in the browser’s data binding function. According to Microsoft, when data binding is enabled-which it is by default-it is possible under certain conditions for an object to be released without updating the array length. This makes it possible to access the deleted object’s memory space and cause the browser to exit unexpectedly in a state that is exploitable.
“At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7,” Christopher Budd, Microsoft’s Security Response Communications lead, said in a statement. “Microsoft encourages customers to test and deploy this update as soon as possible.”
In the meantime, Microsoft has made information available about a number of workarounds and mitigations for IE users.
Reports of attacks targeting the vulnerability began to surface the week of Dec. 8. In the latest twist, hackers have begun using legitimate Web sites to target the IE flaw. Over the weekend, Microsoft reported a significant increase in the number of users affected by the attack, and researchers at Trend Micro reported that as many as 6,000 Web sites had been infected.
“Looking at the fact that Microsoft shipped an out-of-bound patch for MS 08-067, and the fact that malware targeting MS 08-067 did not nearly infect the amount of machines that the new IE 0-day has, Microsoft’s decision to ship an emergency update patch is to be applauded,” Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, said in a statement. “It also shows that the wormability of a vulnerability is no longer a good indicator of the seriousness of a threat and that these Web-based threats are now much more dangerous than network worms, as I stated during the initial outbreak of the MS 08-067 malware.”