Microsoft to issue out-of-cycle patch for the 'unknown exploit'

By Scott M. Fulton, III | Published December 16, 2008, 5:06 PM

We're not even really sure if the reports of new exploits affecting Internet Explorer browsers are actually valid, but in case they are, Microsoft will issue a patch that addresses the problem those exploits may be targeting.

It's the kind of development that could give "zero-day" a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero. Still, the subject matter is of some concern: the apparent ability of an ActiveX control -- for the dozens upon dozens of sites that still use them -- to leave code in memory after cleanup that's still capable of being executed without privilege.

Rather than take a chance on all these reports being false, Microsoft is taking the step of patching the Web browser anyway, categorizing the issue as Critical. Tomorrow morning at 10:00 am Pacific Time, 1:00 pm Eastern Time, Microsoft will issue an out-of-cycle patch that addresses the likelihood of the problem. The patch will apply to all versions of Internet Explorer ranging back to IE5.01 Service Pack 4, all the way to IE8 Beta 2; for all versions of the operating system dating back to Windows 2000 SP4.

The good news out of all of this is that the possibility of an exploit has apparently made Microsoft aware of a legitimate problem, or at least something that could become problematic.

A blog post from Microsoft's security vulnerability team today describes the problem in the greatest level of detail we've seen thus far: "Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data ('heap spray') before the invalid pointer dereference."

The blog post goes on to suggest much more granular methods of working around the problem (at least until tomorrow). Several of them involve disabling the OLEDB (pronounced "olay-dee-bee") data provider, which at the turn of the decade was the company's method of choice for exposing database functionality through the Component Object Model -- essentially, OLEDB was the successor to ODBC but the predecessor to ADO.NET. Disabling this data provider apparently prevents the malicious code from being able to prepare heap memory in the manner alluded to.

Last week, Secunia was among the security companies backtracking on their own third-party commentaries, after certain alleged details of the alleged exploits turned out to be inaccurate.

A German press report this morning took multiple vendors' security products -- including Kaspersky, Trend Micro, and CA -- to task for not being able to identify the massive IE security hole that European television, including the BBC, is now harping on as the latest threat to society. This despite the fact that its very existence is not confirmed.

Comments

patch issued. =]

Score: 0


Opera also appears to be having problems, and has been required to fix seven security bugs in its browser this day, phew. Oh no! Now Foxy tells me I need to fix a problem with their browser too, and all those plonkers asking why folk still use IE, well it would appear its one security fix was small beer compared to the other browsers out there.

Score: 0


Microsoft requests that until the patch is released and installed, please refrain from booting up Windows:

if computer access is an absolute necessity in the meantime, please utilize Linux.

Score: 0


I was wondering what the hell was going on this morning. Finding the top story on the BBC website was, shock horror, a security flaw in IE.

I presume there was **** all else in the way of news.

Score: 0


1 billion or more people potentially impacted. I wonder if it's worthwhile reporting on?

Score: 0


And on what Patch Tuesday is that not the case?

Score: 0


What does that have to do with news that impacts at least 1 billion people, interrupting their computer for at least 1-5 minutes (a reboot has been required for every IE patch since IE was born)?

It is news because you and I are talking about it. It is news because if you work on a computer, in almost all cases it impacts you.

Score: 0


I know that. I'm just saying it's really not worth top story on the BBC website.

Score: 0


Patch Wednesday for a stupid browser means reboot Thursday! There goes my famed "TCO" being lower!

Score: 0
