Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
IE5, IE6, and the IE8 beta are also potentially vulnerable, software giant says
2 Min Read
The zero-day vulnerability in Internet Explorer 7 can also be found in other versions of the Microsoft browser, but exploits can be avoided through a series of workarounds, Microsoft said yesterday.
The zero-day vulnerability reported last week has led to exploits that are still in the wild, confirmed in a security bulletin issued yesterday. Although the attacks so far have been only against versions of IE7, Microsoft also conceded that IE versions 5, 6, and the 8.2 beta are also potentially vulnerable.
"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," Microsoft says. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
Attacks that exploit the vulnerability continue, and there are likely to be more, Microsoft says. "Current trending indicates that there may be attempts to utilize SQL injection attacks against Websites to load attack code on those Website," the company says. Microsoft is recommending a series of "workarounds" that are designed to prevent the attacks:
Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High.
An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Currently known attacks cannot exploit this issue automatically through e-mail, Microsoft says.
Several reports indicate that the vulnerability was accidentally published by researchers in China, but most experts agree that the flaw was already known by many hackers before the error occurred.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message
About the Author(s)
You May Also Like
More Insights
Webinars
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Events
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024
