Microsoft Confirms Bug in All Versions of IE

If you’re one of the millions of people who use Internet Explorer, then you’ll probably want to know Microsoft has confirmed an unpatched bug in Internet Explorer that hackers are exploiting. The bug affects Internet Explorer 7 along with older versions of the browser, including the still-widely-used IE6. In a related security advisory, Microsoft confirmed that the bug exists within all of its browsers, including IE5.01, IE6, and IE7, as well as IE8 Beta 2. If you are running any of these browsers under Windows 2000, XP, Vista, Server 2003, or Server 2008, you are at risk.

Even after confirming the bug, Microsoft seems to be trying to downplay the severity of the threat, saying, “At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7.” While we can’t blame them for trying to downplay the attack, we’d much rather that they fix the problem; just because an attack hasn’t hit the other versions doesn’t mean such an attack is that far off.

Apparently, the bug is in IE’s data binding functionality, and not in the HTML rendering code as some early reports from independent security researchers seemed to indicate. According to Microsoft, "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
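The class of flaw Microsoft describes, an object released while the array that tracks it keeps its old length, can be shown with a small model. This is an added example, not code from Microsoft or Internet Explorer; the `Binding` structure, the fixed object pool, and every function name here are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

#define POOL 8

/* Constructed model: objects live in a fixed pool, so a "released" object
   can be inspected safely instead of touching freed heap memory. */
typedef struct { bool alive; int value; } Obj;
typedef struct { Obj pool[POOL]; Obj *items[POOL]; size_t length; } Binding;

static void binding_init(Binding *b, size_t n) {
    *b = (Binding){0};
    if (n > POOL) n = POOL;
    b->length = n;
    for (size_t i = 0; i < n; i++) {
        b->pool[i].alive = true;
        b->pool[i].value = (int)i * 10;
        b->items[i] = &b->pool[i];
    }
}

/* Flawed release: the object is gone, but the array still counts it. */
static void release_flawed(Binding *b, size_t i) {
    if (i >= b->length) return;
    b->items[i]->alive = false;   /* length and slot left untouched */
}

/* Corrected release: remove the slot and update the length together. */
static void release_fixed(Binding *b, size_t i) {
    if (i >= b->length) return;
    b->items[i]->alive = false;
    for (size_t j = i + 1; j < b->length; j++) b->items[j - 1] = b->items[j];
    b->items[--b->length] = NULL;
}

/* Invariant check: every index below length must refer to a live object. */
static size_t stale_slots(const Binding *b) {
    size_t stale = 0;
    for (size_t i = 0; i < b->length; i++)
        if (b->items[i] == NULL || !b->items[i]->alive) stale++;
    return stale;
}

int main(void) {
    Binding a, c;
    binding_init(&a, 4); release_flawed(&a, 1);
    binding_init(&c, 4); release_fixed(&c, 1);
    printf("flawed: length=%zu stale=%zu\n", a.length, stale_slots(&a));
    printf("fixed:  length=%zu stale=%zu\n", c.length, stale_slots(&c));
    return 0;
}
```

In the flawed case the length still says four entries while one of them refers to a released object; that stale slot is the "deleted object's memory space" the advisory refers to.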

Although we don’t have any official word on when a patch will be available to fix this issue, Andrew Storms, director of security operations at nCircle Network Security Inc., is betting that the company will unveil an emergency out-of-cycle patch. If Storms is right, this will be the first out-of-cycle patch since late October when Microsoft fixed a flaw in Windows that hackers were already exploiting.

We know a few more details about the problem, thanks to a hint from Microsoft, which recommended that users disable or cripple the functionality of oledb32.dll as a stopgap measure. Oledb32.dll is a component of Microsoft Data Access.

For now, users should disable the oledb32.dll file by editing the Windows registry as per the revised Microsoft advisory. An alternative—setting IE's Internet security zone to High and disabling scripting—won’t necessarily keep one safe from attack, but it will make the exploitation process trickier since these settings protect against attacks that use scripting.