IE Zero-Day Vulnerability. Workarounds Available.


Microsoft issued a security advisory with workarounds for dealing with hacker attacks targeting a zero-day flaw in Internet Explorer 7. Users await word as to when to expect a patch or an update to fix the IE 7 browser security issue.

Microsoft has issued an advisory to help users deal with a zero-day flaw affecting Internet Explorer.

In an update, Microsoft stated the flaw affects not only Internet Explorer (IE) 7 as originally thought, but also versions 5 and 6. However, as of Dec. 11, Microsoft had only seen attacks against IE 7. "The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," according to Microsoft. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

The vulnerability itself is a memory corruption error in the handling of DHTML data bindings. The attacker performs a "heap spray" and then triggers an invalid pointer dereference in an array of data binding objects. Microsoft doesn't exactly give proof-of-concept code, but this is more than it usually says.
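The bookkeeping error in Microsoft's description, an object released while the array length stays unchanged, shown as an added C example that is not from the advisory or from Internet Explorer. `Binding`, `BindingArray` and all function names are hypothetical, and a `live` flag stands in for freed memory so the stale slot can be counted without touching released memory.

```c
#include <stdio.h>
#include <string.h>
#define MAX_BINDINGS 8

/* Constructed model, not Internet Explorer code.
   live == 0 stands for an object whose memory has been released. */
typedef struct { int id; int live; } Binding;
typedef struct {
    Binding  store[MAX_BINDINGS];   /* stand-in for heap allocations */
    Binding *items[MAX_BINDINGS];   /* array that later code walks */
    size_t   len;                   /* slots the walker treats as valid */
} BindingArray;

static void add_binding(BindingArray *a, int id) {
    for (size_t i = 0; a->len < MAX_BINDINGS && i < MAX_BINDINGS; i++)
        if (!a->store[i].live) {
            a->store[i] = (Binding){ .id = id, .live = 1 };
            a->items[a->len++] = &a->store[i];
            return;
        }
}
/* Bug pattern: the object is released, the slot and len stay as they were. */
static void release_buggy(BindingArray *a, size_t i) {
    if (i < a->len) a->items[i]->live = 0;
}
/* Fix: release, close the gap, shrink len, clear the vacated slot. */
static void release_fixed(BindingArray *a, size_t i) {
    if (i >= a->len) return;
    a->items[i]->live = 0;
    memmove(&a->items[i], &a->items[i + 1], (a->len - i - 1) * sizeof a->items[0]);
    a->items[--a->len] = NULL;
}
/* Count slots in [0, len) that point at a released object. */
static size_t count_stale(const BindingArray *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->items[i] == NULL || !a->items[i]->live) stale++;
    return stale;
}
/* Three bindings, release the middle one, report what a walk would hit. */
static size_t stale_after_release(int use_fix) {
    BindingArray a = {0};
    for (int id = 1; id <= 3; id++) add_binding(&a, id);
    if (use_fix) release_fixed(&a, 1); else release_buggy(&a, 1);
    return count_stale(&a);
}
int main(void) {
    return printf("buggy: %zu stale, fixed: %zu stale\n", stale_after_release(0), stale_after_release(1)) < 0;
}
```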

The workarounds fall into three classes, those that:

(A) block access to the vulnerable code in MSHTML.dll via OLEDB, protecting against current attacks.
(B) apply the most secure configuration against this specific vulnerability.
(C) make it much harder to heap spray.

| Workaround | A | B | C |
|---|---|---|---|
| 1. Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones | | X | X |
| 2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone | | X | X |
| 3. Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL | X | | |
| 4. Disable Row Position functionality of OLEDB32.dll | X | | |
| 5. Unregister OLEDB32.DLL | X | | |
| 6. Use ACL to disable OLEDB32.DLL | X | | |
| 7. Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008 | | | X |
| 8. Disable Data Binding support in Internet Explorer 8 | X | X | |

The (A) workarounds are more desirable because they disable the least functionality, and some of them are very targeted. The (B) workarounds, if you ask me, may be necessary but are undesirable. Breaking scripting breaks a lot of software, and prompting for it is of dubious value because users won't know which prompts to say yes to. The only (C) entry that's really interesting is to enable DEP, and you should do that irrespective of this issue. Microsoft recommends one from column (A) and, to be really comprehensive, one from column (B). I guess they have to say this.

More here.


