In an advisory updated on Thursday, Microsoft confirmed that IE 5.01 with Service Pack 4, IE6 with and without Service Pack 1 and IE8 Beta 2 on all versions of the Windows operating system are potentially vulnerable.
Also vulnerable are users running IE7 on Windows XP Service Pack 2 and 3, Windows Server 2003 Service Pack 1 and 2, Windows Vista with and without Service Pack 1 and Windows Server 2008.
The company clarified what the problem is with the browser after conflicting reports from computer security companies.
“The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer,” according to the advisory. “When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.”
Microsoft said it has only seen limited attacks targeted the flaw in IE7. However, security analysts have said it appears an increasing number of Web sites are being built that can exploit the vulnerability.
The problem is particularly severe since in some cases users merely has to view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once on a PC, the hacker can direct the program to download other bad software and perform actions such as sending spam and stealing data.
Microsoft outlined in the advisory several ways that people can reduce the chance of falling victim, depending on what version of the browser and operating system they are using. However, the sure-fire solution now is to use another browser until Microsoft fixes it.
Microsoft regularly issues patches on the second Tuesday of the month, but has been known to release what’s called an out-of-band patch if the threat is deemed severe enough. Microsoft does not say whether it will do that and tends to simply release the fix.
The next planned patch day is Jan. 13, which means attackers will have at least a month to infect as many computers as possible if Microsoft plans to issue a patch for the flaw that day.
Information about the vulnerability first appeared in the China region. A Chinese security outfit, called knownsec, has said it heard rumors about code circulating in underground criminal markets earlier this year. It’s believed exploit code was sold at one point for as much as US$15,000.
Software vulnerabilities are highly valuable to cybercriminals, since the flaws can be used to steal credit card details and other financial data.
Over the past few years, Microsoft has touted its improving record on computer security but has still been burdened by new discoveries of bugs in older software.