What we suddenly don't know about the new IE exploit
One of the few sources of hard information yesterday about an IE remote code exploit, which Microsoft itself knew about only circumstantially, now says that not only is the Web full of misinformation about it, but that it shares the blame for that misinformation.
Just how many online news sources have to repeat a piece of information before it becomes, by default, true? That's the question faced by literally everyone, including BetaNews, who reported on Microsoft's revelation earlier in the week of what was believed to be the existence of new attacks affecting its Web browsers.
Based on what we thought we knew yesterday, there was evidence of a very old-style remote code execution attack through ActiveX controls, where multiple instances of a control on a Web page, once cleared, failed to clean up after themselves in memory, leaving code that could potentially be executed without privilege. That attack was said to impact Internet Explorer 7 specifically.
"After having published our initial advisory concerning this 0-day, one of my guys was therefore tasked with figuring out the exact nature of the problem," wrote Secunia Chief Security Specialist Carsten Eiram this morning, in a blog post that speaks volumes about the logistics involved when an independent security firm tracks down a problem.
"It turned out that a lot of available information and assumptions were wrong," Eiram continued. "Assumptions usually are, which is also why my department treasures the saying: 'Assumption is the mother of all f**k-ups' (and people claim nothing good ever came out of a Steven Seagal movie)."
Eiram then credited himself with notifying Microsoft, which he says prompted the company to extend the scope of its warning to include all versions of IE. XML is not involved in the data binding process for controls, contrary to Secunia's earlier reports (we actually knew that ourselves, which is why we omitted that reference from our story yesterday); and while setting the security level to High, as Microsoft suggested, reduces the likelihood of an attack through scripting, Secunia is now saying it does not eliminate the possibility.
That last revelation suggests that no one actually knows whether a script is involved in this reported attack at all, which now raises suspicion about whether even the initial reports of the exploit's very existence are accurate. Specifically, is what Microsoft is seeing actually new?
But if an exploit had not existed before, it actually may soon, now that Microsoft has taken the out-of-cycle step -- actually against its revised policy for explicitness -- of explaining exactly what the vulnerable spot in IE might be, in its revised advisory published last night.
"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," reads the new advisory. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
But Microsoft has only seen evidence, the advisory goes on, of attacks on IE7, not on any other version. Still, as a precautionary measure, it has now expanded the scope of the advisory to include IE5, IE6 and IE6 SP1, and also IE8 Beta 2.