Internet Explorer 6 and 8 also affected by zero-day vulnerability
Microsoft says Internet Explorer 5.01, 6 and 8 (beta) are also potentially susceptible to the zero-day exploit, published recently. Until now it had been assumed that only Internet Explorer 7 contained the vulnerability. However, no attacks on versions 6 and 8 have yet been observed. As a result of revising its security instructions for different versions, Microsoft has highlighted further measures users can take to defend their systems against attacks until a patch is provided.
Microsoft recommends that Data Execution Prevention (DEP) and memory protection be enabled in Internet Explorer 7 (Tools/Internet Options/Advanced/Enable memory protection...), but this can only be done in the browser itself in the 32-bit version of Vista. In the 64-bit version of Vista, DEP is automatically globally enabled. Configuring this option via browser settings is not a possibility under Windows XP. Instead, users have to activate DEP for the complete system via System/Advanced/Performance/Settings/Data Execution Prevention.
However, H. D. Moore has recently published a Metasploit module for the exploit. When tested by heise Security, this evaded Data Execution Prevention under both Windows XP SP2 and Vista, and ran injected code. In his module, Moore used the techniques published by Alexander Sotirov and Mark Dowd in mid-year.
Microsoft further recommends that the Internet zone security setting be set to "High", and that access to the oledb32.dll library be prevented. This, it says, is the most reliable protection at present. The Microsoft Security Advisory gives full instructions for each operating system.
The Internet Storm Center meanwhile reports that the exploit appears to be foisted on harmless web sites by SQL injection. Since the exploit code has been known for some days, it is likely that such attacks will shortly multiply. Administrators should keep an eye on their servers in the next few weeks and check their logs for this kind of suspicious activity.
Danish security company Secunia say in their blog, that this is not a problem with XML as at first thought, but with data binding.
- Two new zero-day exploits dent Microsoft's Patch Tuesday, heise Security report.
- Internet Explorer Data Binding 0-Day Clarifications Secunia blog entry.