Microsoft Recommends Customers Install Immediately

MS08-078 Critical Security Alert:  Released 17th December 2008: Extract of Executive Summary

This security update resolves a publicly disclosed vulnerability. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection. 

Microsoft Security Advisory 961051, extract from the original security bulletin:

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

This update to the advisory contains information about a new workaround and a recommendation on the most effective workarounds.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability." 
 

The following announcement has been made on the Microsoft Security Response Center Blog (MSRC) to notify customers of an out-of-band security release.

"We’ve just published our Advance Notification for an out-of-band security bulletin release. We plan to release the security update tomorrow, Dec. 17, 2008 to address the vulnerability we’ve discussed in Microsoft Security Advisory 961051. Our target time, as always, is 10:00 a.m. Pacific Time. We’ll be holding two special webcasts to give you details and take your questions.

·        December 17, 2008 1:00 PM Pacific Time

·        December 18,2008 11:00 AM Pacific Time

A reminder that this information is subject to change and that when we do release this security bulletin, we’ll let you know through the MSRC weblog."