Microsoft to issue out-of-band patch for Internet Explorer

This article is in regard to Microsoft Security Advisory 961051: Vulnerability in Internet Explorer Could Allow Remote Code Execution, which was published on December 10, 2008 and last updated on December 15, 2008.

In the above Security Advisory Microsoft revealed that a critical vulnerability was reported in all versions of Internet Explorer, from versions 5 through 8 beta. There are already exploits in the wild compromising computers around the World, but it seems to have begun in China. In fact, these exploits began occurring the same day the last Windows Updates were pushed out, making this a zero-day exploit. The exploit code is being hosted mostly on exploited Windows IIS web servers and is installed by exploiting SQL Injection vulnerabilities that have not been patched by system administrators. From what I've been reading there are a lot of Windows-based servers that are not keeping up with critical patches!

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

Users who operate from less privileged accounts will be less impacted than those operating as computer administrators. Also, using "Protected Mode" in Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista limits the impact of the vulnerability.

Microsoft and other security sources have recommended several temporary workarounds to mitigate this vulnerability, including disabling automatic processing of ActiveX Controls in the Internet and Intranet zones. If you have ever changed the settings for ActiveX to "Prompt" you know that the browser will literally drive you nuts with pop-ups asking for permission to run an ActiveX Control. In these cases it is best to just disable ActiveX completely and wait for a patch to be released, then re-enable it. In any case, if you have applied any of the temporary workarounds listed in kb961051, you should undo them after applying the upcoming patch.

In response to the urgency of this vulnerability, Microsoft is releasing an "out-of-band" patch on December 17, 2008. This is the second unscheduled patch released this calendar year and both are in regards to zero-day exploits in the wild. If your computer is set to download and install Windows Updates automatically this will happen sometime on December 17. If you perform your Windows Updates manually, begin checking for "Express"updates during the afternoon (USA) of December 17, 2008. The official release time for the USA and Canada is 1 PM Eastern Standard Time, which is 6:00 PM or 18:00 Hours GMT.

This patch may require you to restart your computer, but definitely Internet Explorer.

Computers that are protected with Trend Micro Internet Security or Security Pro 2009 are already protected against this "web threat." This is because those products include constantly updated protection from hostile codes in compromised (or purposely hostile) web pages.