December 10, 2008 11:58 AM PST

Zero-day exploit hits Internet Explorer

by Robert Vamosi

One flaw not addressed in yesterday's Patch Tuesday is a heap overflow within the XML parser reported on Wednesday by Bojan Zdrnja of the SANS Internet Storm Center.

The exploit in the wild on Wednesday creates an XML tag, then waits 6 seconds in an attempt to thwart antivirus engines. The exploit could then crash the browser and run malicious code when the browser is restarted. The user must be running Windows XP or Windows Server 2003, and using Internet Explorer 7.

Zdrnja writes that "at this point in time, it does not appear to be wildly used, but as the code is publicly available, we can expect that this will happen very soon."

A Microsoft representative said the company is "investigating new public claims of a possible vulnerability in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."

As for a workaround, Zdrnja suggests using a browser other than Internet Explorer. Microsoft says anyone who has been affected by this exploit can get help online or by calling the PC Safety hotline at 1-866-PCSAFETY.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by Penguinisto December 10, 2008 12:38 PM PST
1) anyone who uses IE on Windows for more than Windows Update is simply begging for it. Not because MSFT built IE, but because IE is so deeply embedded in Windows. No frickin' web browser should be allowed to go that deep in any OS.

2) your best solution to this problem for now is right here: http://mozilla.com

3) in regards to #2, then again, Windows itself allows any flaw that affects an application a lot of avenues to travel deeper into the OS. Man... this is hopefully what MSFT should be fixing, not just patching the browser.
by DeclinedDoomed December 10, 2008 12:50 PM PST
A better solution to the problem can be found here: http://www.opera.com/

or here: http://www.google.com/chrome
by EcuadorHomesOnline December 10, 2008 1:00 PM PST
Mozilla crashes (A LOT) and has even worse security issues and huge memory leaks. IE works just fine. Never had a problem, never had a virus, good UI and compatible with all the web pages out there.
by Vegaman_Dan December 10, 2008 1:03 PM PST
Penguinisto: Your comments also directly apply to the Apple iPhone in which every application runs natively at root with zero protection or security precautions.

Please be sure to include Apple in your tirade if you want to be open minded and honest about the issues.
by ittesi259 December 10, 2008 2:03 PM PST
@EcuadorHomesOnline,

Grats on never having issues....I know it's possible not to.

But as for your Mozilla claims....are you referring to Firefox or something else? Do you have anything to back up your bigger security holes statement? As for crashing....yeah I don't know many people who complain about that one but I'll take your word for it even though mine never does.
by techman21 December 10, 2008 2:12 PM PST
Right on! The browser should not be part of the OS - Microsoft has had major security issues with IE since they integrated it with Windows (98) to avoid the Netscape lawsuit: "See, it's really part of the OS! You can't remove it or Windows breaks!"
by Penguinisto December 10, 2008 3:20 PM PST
Dan: If/when the iPhone (a mobile app, which makes it vastly different) ever has any such flaw and exploit in activity, I will happily mention it. In the meanwhile, IE has yet another exploit happily rounding the Internet, and it in turn digs nice and deep into the OS... which IMPO is inexcusable.

@EcuadorHomesOnline: Good for you! I hope you continue to remain virus-free... I just hope you don't mind if I'm not so certain about your chances of achieving that goal continuously. As for your claims about Firefox, I'd love to see your evidence of this. Please, show it to me.
by Vegaman_Dan December 10, 2008 6:08 PM PST
Penguinisto wrote:

"Dan: If/when the iPhone (a mobile app, which makes it vastly different) ever has any such flaw and exploit in activity, I will happily mention it. In the meanwhile, IE has yet another exploit happily rounding the Internet, and it in turn digs nice and deep into the OS... which IMPO is inexcusable."

Well, that is your opinion, and you have a right to have one. But then again your opinion is only worth as much as your credibility and respect by your peers. It doesn't really put you in a good position, but that's one you created for yourself.

So, there is a new vulnerability. Big freaking deal. It's easily dealt with. If you prefer to run around like Chicken Little, that is certainly up to you. Unfortunately it just makes you look like- well, Chicken Little.
by Vegaman_Dan December 10, 2008 6:10 PM PST
Penguinisto wrote:

"Dan: If/when the iPhone (a mobile app, which makes it vastly different) ever has any such flaw and exploit in activity, I will happily mention it. In the meanwhile, IE has yet another exploit happily rounding the Internet, and it in turn digs nice and deep into the OS... which IMPO is inexcusable."

Well, that is your opinion, and you have a right to have one. But then again your opinion is only worth as much as your credibility and respect by your peers. It doesn't really put you in a good position, but that's one you created for yourself.

So, there is a new vulnerability. Big freaking deal. It's easily dealt with. If you prefer to run around like Chicken Little, that is certainly up to you. Unfortunately it just makes you look like- well, Chicken Little.
by Dalkorian December 11, 2008 2:48 PM PST
Dan, get off the war path already. Do you have any idea how petty and immature this makes you look?
by Mr. Dee December 10, 2008 1:04 PM PST
I use Internet Explorer 8 on Windows 7, so I am very safe.
by ddesy December 10, 2008 1:14 PM PST
People using betas should not consider themselves safe. They are more likely to have holes.
by Dalkorian December 11, 2008 2:49 PM PST
LOL - good one Mr. Dee. Thanks for the laugh.
by tm_anon December 10, 2008 1:08 PM PST
Currently using Flock, no memory leaks I've seen, no crashes. On the other hand, I've read about serious privacy issues regarding Chrome. That leaves Opera. If I already have a browser that works well, doesn't crash, is very stable and does more than I've ever needed from a browser without giving me any concern for the safety of my browsing, why would I switch just because you say so?
by Vegaman_Dan December 10, 2008 1:15 PM PST
There are plenty of Chicken Littles out there who claim the sky is falling. They mostly like to just hear the sound of their own voice.
by tm_anon December 10, 2008 1:09 PM PST
Mr. Dee, you're only safe because that's a new browser on a new version of an old OS. Give it a month and you'll be getting updates like all the other Windows users.
by Ilgaz December 10, 2008 1:45 PM PST
Sorry to say that if this attack is real, it can hit ANY mshtml.dll rendering application. Media players, instant messengers, anything.

Just not using IE (or not updating it because of that reason) is not a fix. You should always keep systems default browser updated (including Safari on OS X).
by ittesi259 December 10, 2008 2:07 PM PST
Thank you for laying down sound advice, that updates happen, problems arise, but by keeping patches updates and following sound guidelines things will be fine for the most part.
by Penguinisto December 10, 2008 3:22 PM PST
So do tell us - why is mshtml.dll such a vital part of Windows that it has to reside in the core of the OS?
by ajhoughton December 10, 2008 2:59 PM PST
IE is rubbish; it still doesn't render pages properly (though IE7 is a significant improvement, it still isn't right), and it still has lots of Microsoft specific cruft in it. IE should just be allowed to die. If MS let that happen, they'd be doing a service to the Internet community.
by Vegaman_Dan December 10, 2008 6:15 PM PST
Much in the way as you would be doing the internet community a service by logging off?
by Dalkorian December 11, 2008 3:06 PM PST
Actually Dan, he's 100% correct. IE (internet exploder for those in the know) is the plague of the internet and needs to be taken behind the woodshed and shot repeatedly until it stops moving, then buried in 8 feet of peat moss, then completely encased in 42 feet of concrete and lead shielding to prevent its evil from ever terrorizing mankind again. Its creator should suffer the same fate for the same reason.

People who don't know enough to hate internet exploder with a passion are pitiable, but sometimes they're able to learn from their mistakes.

Think of it this way, you are a burglar trying to get into my house. You found two worm holes, one takes you to my front porch (most applications, including 3rd party browsers in general) and the other one takes you into my living room (internet exploder). Get it yet?

The first thing I do to any winblows box I get my hands on is hide IE from its user and install a browser of their choice, or Firefox if they don't have a choice (or STUPIDLY choose IE). To me that is a security measure, though only a small step. It's like locking the front door to your house, it won't stop every single determined burglar but it will stop the curious neighborhood children from wandering through the house at will.
by bruceslog December 10, 2008 8:50 PM PST
Third paragraph.. "Zdrnja writes that "at this point in time, it does not appear to be wildly used, but as the code is publicly available, we can expect that this will happen very soon." "
Did you mean "widely" used ?
by willbw December 11, 2008 2:57 PM PST
You're all forgetting Windows is made to break; that's why it uses a crummy registry with limited access. They create their own problems; you're ignorant if you use IE anyway.