The fix was released last night into the Windows/Microsoft Update Sites, please make sure you either visit these sites or if on automatic updating, make sure it has installed.
Not one normally to make a panic about a security hole in Internet Explorer (as there are quite a few at any one time). There is currently a particularly nasty one kicking about. It came to light last week during a round of updates issues by Microsoft. I thought it best to let people know about it, to make sure they don’t fall foul of the exploit.
The technical info is:
Microsoft Internet Explorer contains an invalid pointer vulnerability in its data binding code. The vulnerability can be triggered when Internet Explorer or a program that uses Internet Explorer’s components renders a document that contains more than one reference to the same data source. This flaw can cause an invalid array size and result in the accessing of memory space of a deleted object. Specially-crafted content that performs data binding, such as an XML or HTML document, can cause IE to crash in a way that is exploitable. Limited testing has shown this vulnerability to affect Internet Explorer 6 and later, up to and including Internet Explorer 8 Beta 2. However, all versions of Internet Explorer from 4.0 and on may be at risk. We have confirmed that Outlook Express is also at risk. Exploit code for this vulnerability is publicly available.
What to Do until a fix is available:
1. Common sense, do not allow your users to visit Warez (Piracy/BitTorrent) or Smut Sites, these are potentially hijacked with the exploit code. Some Taiwanese sites have also been hijacked. Just be mindful of the sites your users are visiting and always check that any security certificates are valid. Also be wary of social networking sites such as Facebook and MySpace, these kind of exploits spread very quickly through these kind of sites. I am not saying that these sites are hijacked with the particular code, but they are potential targets for hackers.
2. Use an alternative browsers such as Google Chrome (http://www.google.co.uk/chrome ) or Mozilla Firefox (http://www.mozilla-europe.org/en/firefox/ ) for the time being. Both of these browsers are very good, but they do not have the ActiveX functionality or tight windows integration of Internet Explorer which may be important to you.
3. There are some technical changes which can mitigate the risk of falling foul of the exploit. If you are confident to do these, have a look here http://www.kb.cert.org/vuls/id/493881 . These are not fixes, they merely reduce the potential, but they do also limit some functionality which may be important to you.
4. Make sure your systems are automatically updating, most networks we deal with will have this already configured. If there are updates waiting to be installed on your systems, please do them. You can tell this by the Yellow Shield in the bottom right on Windows XP and the Windows Update Icon on Windows Vista which will show the status of updates available (if there are none available, it will probably not be there). To check automatic updating, go to control panel, then to windows update.
I hope this helps explain what’s going on and what you can do to prevent your users being exploited by this vulnerability. Hopefully we’ll see a fix issued soon. If you have any questions, please contact Leaf Technology.
Tags: chrome, exploit, firefox, fix, internet explorer, Microsoft, outlook express, patch, security, windows, windows vista, Windows XP
