CATEGORIES
home News

Microsoft Confirms Bug in All Versions of IE

by Jennifer JohnsonSaturday, December 13, 2008, 10:00 PM EDT

If you’re one of the millions of people who use Internet Explorer, then you’ll probably want to know Microsoft has confirmed an unpatched bug in Internet Explorer that hackers are exploiting. The bug affects Internet Explorer 7 along with older versions of the browser, including the still-widely-used IE6. In a related security advisory, Microsoft confirmed that the bug exists within all of its browsers, including IE5.01, IE6, and IE7, as well as IE8 Beta 2. If you are running any of these browsers under Windows 2000, XP, Vista, Server 2003, or Server 2008, you are at risk.

Even after confirming the bug, Microsoft seems to be trying to downplay the severity of the threat, saying, “At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7.” While we can’t blame them for trying to downplay the attack, we’d much rather that they fix the problem; just because an attack hasn’t hit the other versions doesn’t mean such an attack is that far off.

Apparently, the bug is in IE’s data binding functionality, and not in the HTML rendering code as some early reports from independent security researchers seemed to indicate. According to Microsoft, "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Although we don’t have any official word on when a patch will be available to fix this issue, Andrew Storms, director of security operations at nCircle Network Security Inc., is betting that the company will unveil an emergency out-of-cycle patch. If Storms is right, this will be the first out-of-cycle patch since late October when Microsoft fixed a flaw in Windows that hackers were already exploiting.

We know a few more details about the problem, thanks to a hint from Microsoft, which recommended users disable or cripple the oledb32.dll's function as a stopgap measure. Oledb32.dll is a component of Microsoft Data Access.

For now, users should disable the oledb32.dll file by editing the Windows registry as per the revised Microsoft advisory. Another alternative—setting IE's Internet security zone to High and disabling scripting—won’t necessarily keep one safe from attack, but it will make the exploitation process trickier since these settings protect against attacks that use scripting. 

 

Tags:  Microsoft, Internet Explorer
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment