The zero-day vulnerability reported last week has led to exploits that are still in the wild, as confirmed in a security bulletin issued yesterday. Although the attacks so far have targeted only versions of IE7, Microsoft conceded that IE versions 5, 6, and the 8.2 beta are also potentially vulnerable.
"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," Microsoft says. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
Attacks that exploit the vulnerability continue, and there are likely to be more, Microsoft says. "Current trending indicates that there may be attempts to utilize SQL injection attacks against Websites to load attack code on those Websites," the company says. Microsoft is recommending a series of "workarounds" that are designed to prevent the attacks:
- Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
- By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High.
- An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
- Currently known attacks cannot exploit this issue automatically through e-mail, Microsoft says.
Several reports indicate that the vulnerability was accidentally published by researchers in China, but most experts agree that the flaw was already known by many hackers before the error occurred.