UPDATED: Patch looms for IE7 zero-day security flaw

Look out, Internet Explorer users. eWeek reports that Microsoft will release a patch for a zero-day IE vulnerability later today. Apparently, the vulnerability has to do with IE’s data binding function, and malicious hackers have already managed to exploit it. Here’s the skinny in Microsoft’s words:

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

eWeek quotes Microsoft’s Christopher Budd as saying, “At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7.” That sounds like one of the few occurrences when running IE6 might actually be a good thing, although you’re probably still better off running a non-Microsoft browser like Firefox, Safari, Chrome, or Opera.

Until the fix comes out, Microsoft cautions to watch out for instant-message file transfers and e-mail attachments. Since exploiting the hole can give a hacker the same rights as the user, not running with administrative privileges (as in Vista with UAC enabled) might help, too.

Update: The patch is now out. You can download it from this page on Microsoft’s website.

Comments closed
    • brucect
    • 11 years ago

    Time to stick Ubuntu and firefox.
    Biggest MIstake MS. Bring IE main component of Windows OS.
    What a Pitty several years ago they havent patched some of the main exploits months and nobody care . Business as usual they made tons of money. Why is rush now ?

    • indeego
    • 11 years ago

    TR just crashed for meg{<.<}g

      • tfp
      • 11 years ago

      Must be running on XP

    • MarioJP
    • 11 years ago

    Funny how most say that Macs or Linux is the most secure platform when in fact it has not been exercised???. At least Redmond are working on a patch to fix it.

    With that said open source is a good alternative but don’t expect to work out of the box like windows or macs.

    To be fair on the comparison of how things works around here. Reason why hackers or spammers whatever you call them are not interested in these platform is because the fact that why go after a small portion if you can get a much bigger target.

    Also the reason why apples are soo dam expensive is 1. their proprietary hardware that for some reason you CAN’T run osx nothing but a apple.

    2.at that price it better be secure thats whats keeping apple going.

    Now the reason why windows gets bombarded like there is no tomorrow because windows is universal platform. You can always upgrade at any given time especially for GAMING, and also a bigger target.

    I find it funny how people have to use bootcamp to run WINDOWS on a mac just to play games LOL!!. In fact i won’t even comment on that.

    So much of “hi i am a Mac/ I am a PC comercials” right guys.

    And lastly PC’s are way cheaper and get more out of your buck than those ridiculously hold my hand steve job and i pay anything for a mac will ever provide lol.

    Only catch there is you gotta know what you doing and only someone that does not know about computers that much will fall into these obvious traps.

    JP

      • sativa
      • 11 years ago

      l[http://www.osx86project.org/<]§

      • stmok
      • 11 years ago

      l[

    • bcronce
    • 11 years ago

    Chrome runs all tab in as their own process which are ran with limited permissions. Even if there was an exploit, it would only mess up the process and gain privileges lower than required to do harm… in theory

    • adisor19
    • 11 years ago

    Hi guis, wat’s going on here ?

    Is that a windows exploit that has gotten Microsoft running scared ? Is that exploit already being used in the wild by hackers to pw0n your fully patched and up to date windows machine ?

    What, you can actually get your pc pw0ned by just visiting a website even though your windows is fully patched and up to date ?

    Tell me it isn’t so !!? Cause i remember a loooong thread not too long ago where a lot of users on this board were denying that such things happen in the windows world and bashed me as being a troll, a liar etc etc…

    Care to comment on this guys ? Any of you trolls out there(you know who you are) wanna say something ?

    Adi

    • Ricardo Dawkins
    • 11 years ago

    I dont use Safari crapola. Lets see how Chrome does.

    • Pachyuromys
    • 11 years ago

    q[

      • Flying Fox
      • 11 years ago

      q[

        • Pachyuromys
        • 11 years ago

        No. I’m about as security-conscious as a layperson can get.

          • Meadows
          • 11 years ago

          I doubt you got any kind of an infection, move on.

      • Sargent Duck
      • 11 years ago

      paranoia run deep?

        • Pachyuromys
        • 11 years ago

        Microsoft considers this so critical that they’re issuing an out-of-band update just 1 week after announcing it. For a behemoth like MS, that’s like a Woolly Mammoth sprinting a 100-yard dash. They move heaven and earth to get this out the door as soon as possible, but /[

          • Meadows
          • 11 years ago

          Yes you are. They’ve been known to address important things quick, just like everyone else. In fact, through the past year, their Windows Defender signature updates have become 2 to 3 times as frequent as well, something that used to draw the ire of online journalists.

            • Pachyuromys
            • 11 years ago

            It is exactly this type of militant complacency with which you try to pressure others by way of personal insults that not only has given you, personally, a bad name, but on a larger scale allows the untold numbers of botnetted zombie computers to comfortably exist. Go ahead, tell me that’s a myth and that such things don’t exist. Tell me IRC chatrooms with thousands of hackers trading millions of stolen identities at commodity prices don’t exist. Tell me they don’t harvest these identities primarily through computers compromised by the very type of exploit discussed here. It’s all a myth. All a conspiracy theory. Nothing to worry about.

            The blissfully ignorant world of the anti-vigilant.

            The real truth of the matter is that you’re just a troll, and you post incessantly just to see who responds. I’ve asked you before: Please leave me alone.

            • Meadows
            • 11 years ago

            Thank you for placing an exceptionally off-topic and needlessly long trolling response here.

      • SomeOtherGeek
      • 11 years ago

      All right, calm down everyone… Let’s be friends here.

      Someone is asking for help, so let’s help.

      Pachyuromys, if you wanna play things safe, maybe set your firewall to block out every coming traffic? If nothing can come in or go out then you are safe, right? Or if you have another computer around, just turn that infected computer off and use the other with some other browser and wait until MS comes out with a patch and then you should be good to go.

      Anyone else have any suggestions?

      • yogibbear
      • 11 years ago

      Yeah I’ve had IE crash with a “Internet Explorer must close” error, with the red cross stop symbol. Not the green flashy bar one that is just a program crash. Not doing anything dodge at the time either. I was browsing the Alan Wake website…

      For no reason.

      UAC on, 2 x firewalls (software + hardware), virus scanner, SS&D, etc.

      Scanning stuff now after update. Will report back.

        • yogibbear
        • 11 years ago

        Scanned everything. Zero hits in SS&D, AVG, or Avast.

        Damn Vista’s security is amazing. Haven’t done a Spyware scan in at least a month. Used to do them every week in XP.

      • barich
      • 11 years ago

      If you have UAC and therefore Protected Mode on, you’re not infected.

    • Pax-UX
    • 11 years ago

    I’m just happy I’ve been on the Firefox bandwagon now for years. If you run FF make sure you have No Script installed! That way you can enable which sites get to run Scripts and which don’t.

      • Shinare
      • 11 years ago

      NoScript only works on new websites. If a trusted website that you’ve already allowed to run scripts is compromised, well then… you still got a problem.

      Fortunatly for us, FF does not seem to be affected by THIS vulnerability. But that does not mean that FF is “invulnerable”.

      • StashTheVampede
      • 11 years ago

      It’s a great extension and it works very well if you don’t visit a lot of different sites, often.

Pin It on Pinterest

Share This