Microsoft closes zero day hole in Internet Explorer
As previously announced, Microsoft has released the unscheduled security update to close the zero day vulnerability. The patch is to close the hole in all versions of Internet Explorer between 5.01 and 7 and is available for all current Windows versions. IE version 8 Beta 2 is also affected, and an update has been released for this version.
Users are advised to install the update for all versions immediately. IE users who have disabled Automatic Updates should re-enable this feature or manually download the patches. The necessary links are listed in the MS08-078 security bulletin.
The patch is said to at least protect users from the exploits that are currently in circulation on various web pages. In a short test by heise Security, several common exploits no longer worked after the patches were installed. Although the majority of compromised websites are porn pages, the exploits have also affected respectable pages. The web page of mainboard vendor Abit, for example, was reportedly infected via SQL injection.
The hole in Internet Explorer is caused by a data binding flaw which potentially causes an object to be discarded without updating the respective array length. This allows attackers to access the memory area occupied by the deleted object, which can be exploited to inject and execute malicious code. Unlike previously assumed, the problem can be exploited with techniques other than a flawed SPAN tag in XML document.
In October, Microsoft had to release an unscheduled patch for a critical hole in the server service. No patches have been made available for the known holes in Wordpad and Microsoft's SQL server 2000 and 2005, and it is believed that at least the Wordpad hole is already being exploited.
- Microsoft Security Bulletin MS08-078 - Critical Security Update for Internet Explorer (960714), Advisory from Microsoft
- Extra Patch for Internet Explorer, report from heise Security
- Zero day exploit for Internet Explorer is spreading, report from heise Security
- Two new zero-day exploits dent Microsoft's Patch Tuesday, report from heise Security