Microsoft to issue out-of-cycle patch for the 'unknown exploit'
We're not even really sure if the reports of new exploits affecting Internet Explorer browsers are actually valid, but in case they are, Microsoft will issue a patch that addresses the problem those exploits may be targeting.
It's the kind of development that could give "zero-day" a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero. Still, the subject matter is of some concern: the apparent ability of an ActiveX control -- for the dozens upon dozens of sites that still use them -- to leave code in memory after cleanup that's still capable of being executed without privilege.
Rather than take a chance on all these reports being false, Microsoft is taking the step of patching the Web browser anyway, categorizing the issue as Critical. Tomorrow morning at 10:00 am Pacific Time, 1:00 pm Eastern Time, Microsoft will issue an out-of-cycle patch that addresses the likelihood of the problem. The patch will apply to all versions of Internet Explorer ranging back to IE5.01 Service Pack 4, all the way to IE8 Beta 2; for all versions of the operating system dating back to Windows 2000 SP4.
The good news out of all of this is that the possibility of an exploit has apparently made Microsoft aware of a legitimate problem, or at least something that could become problematic.
A blog post from Microsoft's security vulnerability team today describes the problem in the greatest level of detail we've seen thus far: "Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data ('heap spray') before the invalid pointer dereference."
The blog post goes on to suggest much more granular methods of working around the problem (at least until tomorrow). Several of them involve disabling the OLEDB (pronounced "olay-dee-bee") data provider, which at the turn of the decade was the company's method of choice for exposing database functionality through the Component Object Model -- essentially, OLEDB was the successor to ODBC but the predecessor to ADO.NET. Disabling this data provider apparently prevents the malicious code from being able to prepare heap memory in the manner alluded to.
Last week, Secunia was among the security companies backtracking on their own third-party commentaries, after certain alleged details of the alleged exploits turned out to be inaccurate.
A German press report this morning took multiple vendors' security products -- including Kaspersky, Trend Micro, and CA -- to task for not being able to identify the massive IE security hole that European television, including the BBC, is how harping on as the latest threat to society. This despite the fact that its very existence is not confirmed.