Microsoft Confirms Bug in All Versions of IE - HotHardware

If you’re one of the millions of people who use Internet Explorer, then you’ll probably want to know Microsoft has confirmed an unpatched bug in Internet Explorer that hackers are exploiting. The bug affects Internet Explorer 7 along with older versions of the browser, including the still-widely-used IE6. In a related security advisory, Microsoft confirmed that the bug exists within all of its browsers, including IE5.01, IE6, and IE7, as well as IE8 Beta 2. If you are running any of these browsers under Windows 2000, XP, Vista, Server 2003, or Server 2008, you are at risk.

Even after confirming the bug, Microsoft seems to be trying to downplay the severity of the threat, saying, “At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7.” While we can’t blame them for trying to downplay the attack, we’d much rather that they fix the problem; just because an attack hasn’t hit the other versions doesn’t mean such an attack is that far off.

Apparently, the bug is in IE’s data binding functionality, and not in the HTML rendering code as some early reports from independent security researchers seemed to indicate. According to Microsoft, "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
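The release-without-length-update condition in Microsoft's description, as a simplified model added here for illustration; it is not Internet Explorer's code, and `bound_array`, `release_flawed`, `release_fixed` and `stale_entries` are hypothetical names. Slots in a fixed pool stand in for heap objects, so the stale entry can be counted without touching freed memory.

```c
#include <stdio.h>
#define POOL 8

/* Constructed model: a numbered slot stands in for a heap object. */
struct bound_array {
    int alive[POOL];   /* 1 while the object in this slot is allocated */
    int items[POOL];   /* entries: slot numbers of the bound objects */
    size_t length;     /* how many entries a consumer will walk */
};

/* Flawed: the object is released, the entry stays, length is unchanged. */
static void release_flawed(struct bound_array *a, size_t pos) {
    if (pos < a->length) a->alive[a->items[pos]] = 0;
}

/* Corrected: release the object, drop its entry and update length together. */
static void release_fixed(struct bound_array *a, size_t pos) {
    if (pos >= a->length) return;
    a->alive[a->items[pos]] = 0;
    for (size_t i = pos; i + 1 < a->length; i++) a->items[i] = a->items[i + 1];
    a->length--;
}

/* Entries still inside length that refer to a released object. */
static size_t stale_entries(const struct bound_array *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++) n += !a->alive[a->items[i]];
    return n;
}

/* Release entry 1 of 3 and report what a consumer would still reach. */
static size_t demo(int fixed, size_t *len_out) {
    struct bound_array a = { .alive = {1, 1, 1}, .items = {0, 1, 2}, .length = 3 };
    if (fixed) release_fixed(&a, 1); else release_flawed(&a, 1);
    *len_out = a.length;
    return stale_entries(&a);
}

int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t len, stale = demo(fixed, &len);
        printf("fixed=%d length=%zu stale=%zu\n", fixed, len, stale);
    }
    return 0;
}
```

In the flawed path the array still reports three entries, one of which refers to a released object; that entry is where a later access lands in deleted memory.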

Although we don’t have any official word on when a patch will be available to fix this issue, Andrew Storms, director of security operations at nCircle Network Security Inc., is betting that the company will unveil an emergency out-of-cycle patch. If Storms is right, this will be the first out-of-cycle patch since late October when Microsoft fixed a flaw in Windows that hackers were already exploiting.

We know a few more details about the problem, thanks to a hint from Microsoft, which recommended users disable or cripple the oledb32.dll's function as a stopgap measure. Oledb32.dll is a component of Microsoft Data Access.

For now, users should disable the oledb32.dll file by editing the Windows registry as per the revised Microsoft advisory. Another alternative—setting IE's Internet security zone to High and disabling scripting—won’t necessarily keep one safe from attack, but it will make the exploitation process trickier since these settings protect against attacks that use scripting. 

 


Damn...wonder if the people at my job who said "No Firefox Allowed" on the computers there will flip from this one. Hope it's resolved soon. I personally only use IE like 2% of the time.


Great, I'm not affected as I never use IE, only Firefox. Open source rules!


Silent157:
Damn...wonder if the people at my job who said "No Firefox Allowed" on the computers there will flip from this one.

Why not spice things up at work and print this thread for them as an early Christmas present?


Another way to protect IE is to run it in an application sandbox like Sandboxie. Or set up IE to ask you before it allows a website to do something; that way you will only allow sites you trust to do stuff.


This is ugly. Hate to see that on any browser.


Firefox tops list of 12 most vulnerable apps.

The list:

  1. Mozilla Firefox.
  2. Adobe Flash and Adobe Acrobat.
  3. EMC VMware Player, Workstation and other products.
  4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE).
  5. Apple QuickTime, Safari and iTunes.
  6. Symantec Norton products (all flavors 2006 to 2008).
  7. Trend Micro OfficeScan.
  8. Citrix Products.
  9. Aurigma Image Uploader, Lycos FileUploader.
  10. Skype.
  11. Yahoo Assistant.
  12. Microsoft Windows Live (MSN) Messenger.
