Posted on Wednesday, December 17 2008 @ 16:01 CET by Thomas De Maesschalck
Usually Microsoft rolls out its security updates on Patch Tuesday, the second Tuesday of the month, but today the software giant will release an update for a highly critical IE security flaw. The bug is found in all versions of Internet Explorer and is already being exploited by hackers. More info
at Microsoft TechNet.
The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.
At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability. Current trending indicates that there may be attempts to utilize SQL Injection attacks against Web sites to load attack code on those Web sites. If you’re a Web site operation, please review Microsoft Security Advisory (954462), which provides information on tools you can use to analyze your Web site’s code to help protect against SQL Injection attacks.
