If you're still using Microsoft's Internet Explorer are your primary web browser, now might be a good time to change: crackers are exploiting a pretty serious unpatched vulnerability in the wild.
According to an article on Wired
, around 10,000 malicious websites – mostly hosted in China – are actively using a so-far unpatched vulnerability in the Internet Explorer web browser shipped as standard with all versions of Windows to steal usernames and passwords for online banking and MMO games.
The vulnerability – covered in Microsoft Security Advisory 961051
– affects all currently available versions of IE on all versions of Windows, including the latest IE8 Beta on Windows Vista. Interestingly, the flaw even stretches back as far as Internet Explorer 5.01 – meaning that while crackers may only be discovering the hole now, the issue has been around for a considerable time.
The security hole is described by Microsoft as “an invalid pointer reference in the data binding function of Internet Explorer [, which means when] data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable [remotely].
While the Protected Mode offered by IE7 and IE8 on Vista and the similar Enhanced Security Configuration setting on IE7 on Windows Server 2003 and 2008 can reduce the impact of the flaw, they do not
offer complete protection. Currently, the only known way to be absolutely safe from this attack is to use an alternative browser.
So far, Microsoft has not issued any statement about a patch for the issue – but with such a severe bug, it wouldn't be unexpected for the company to release an emergency patch out of its normal monthly 'Patch Tuesday' release cycle. So far, however, no fix is expected.
Microsoft has broken with its normal patch schedule and released an emergency fix, which has been pushed out via Windows Update today. If you don't have Windows (or Microsoft) Update enabled to check for downloads automatically, you can grab the fix via the MS08-078
Any IE stalwarts finally tempted over to the dark side of alternative web browsers, or is this latest security hole simply a storm in a teacup? Share your thoughts over in the forums