Earlier this week, Microsoft issued a security advisory for a vulnerability that affects IE 5, 6, and 7, as well as the latest beta version, IE 8. The vulnerability lies in IE's data binding function. When an object is released without updating the array length, it is possible to access the object's memory space. This could cause IE to exit unexpectedly in a state that is exploitable. To date, Microsoft has only received reports of exploits against IE 7.0 but acknowledges that 5, 6 and 8 are vulnerable as well. At this point in the investigation, Microsoft is not sure whether it will release a service pack, issue an out-of-band patch, or wait until its January 2009 patch release.
Microsoft has tested multiple workarounds for the vulnerability. Workarounds do not fix the underlying problem; they only provide a temporary fix. Microsoft has determined that the attack is not successful against customers who have applied the workarounds. In addition, mitigating factors make the vulnerability more difficult to exploit. According to Microsoft, these mitigating factors include:
Currently, known attacks cannot exploit this issue automatically through e-mail.
As with all security advisories, Microsoft recommends keeping the operating system up to date with patches, contacting the local FBI office if you have been attacked, exercising caution when accepting FTP file transfers, and using antivirus software. You can check whether your Windows version is up to date by using Windows Update.