Earlier this week, Microsoft issued a security advisory that affects IE 5, 6, 7, and its latest beta version IE 8. The vulnerability exploits the data binding function in IE. When an object is released without updating the array length, it is possible to access the object's memory space. This could cause IE to exit unexpectedly in a state that is exploitable. To date, Microsoft has only received reports about exploits to IE 7.0 but acknowledges that 5, 6 and 8 are vulnerable as well. At this point in the investigation, Microsoft is not sure if it will release a service pack, an out of band patch, or wait until its January 2009 patch release.
Microsoft has tested multiple workarounds to the vulnerability. Workarounds do not fix the underlying problem; they only provide a temporary fix. Microsoft has determined that the attack is not successful against customers that have applied the workarounds. In addition, mitigating factors make the attack more difficult to exploit. According to Microsoft, these mitigating factors include:
- Protected mode in IE 7 and IE beta 2 in Windows Vista limits the impact of the vulnerability.
- By default, IE on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to high. This is a mitigating factor for Web sites that you have not added to the IE trusted sites zone.
- An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Currently, known attacks cannot exploit this issue automatically through e-mail.
As with all security advisories, Microsoft recommends keeping the operating system up to date with patches, contacting the local FBI office if you have been attacked, taking caution in accepting FTP file transfers, and using antivirus software. You can check to see if your Windows version is up to date by using Windows update.