Zero-Day Exploits On IE7 Could Spread To Other Microsoft Browsers

IE5, IE6, and the IE8 beta are also potentially vulnerable, software giant says

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 16, 2008

2 Min Read
Dark Reading logo in a gray background | Dark Reading

The zero-day vulnerability in Internet Explorer 7 can also be found in other versions of the Microsoft browser, but exploits can be avoided through a series of workarounds, Microsoft said yesterday.

The zero-day vulnerability reported last week has led to exploits that are still in the wild, confirmed in a security bulletin issued yesterday. Although the attacks so far have been only against versions of IE7, Microsoft also conceded that IE versions 5, 6, and the 8.2 beta are also potentially vulnerable.

"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," Microsoft says. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Attacks that exploit the vulnerability continue, and there are likely to be more, Microsoft says. "Current trending indicates that there may be attempts to utilize SQL injection attacks against Websites to load attack code on those Website," the company says. Microsoft is recommending a series of "workarounds" that are designed to prevent the attacks:

  • Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.

  • By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High.

  • An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

  • Currently known attacks cannot exploit this issue automatically through e-mail, Microsoft says.

Several reports indicate that the vulnerability was accidentally published by researchers in China, but most experts agree that the flaw was already known by many hackers before the error occurred.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights