Microsoft strongly recommends our customers prepare their systems and networks to apply a security update immediately to help ensure that their computers are protected from attempted criminal attacks. For more information and the updates please visit http://www.microsoft.com/protect.
For additional Support assistance, please contact Microsoft Product Support Services at 1-866-PCSAFETY.
Microsoft encourages customers to test and deploy this update as soon as possible. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the security update. At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7.
Public Bulletin Webcast
Microsoft will host two Webcasts to address customer questions on this Out-of-Band bulletin:
Title: Information About Microsoft December Out-of-Band Security Bulletin Date: Wednesday, December 17, 2008 9:00 P.M. Pacific Time (U.S. & Canada)URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399448&Culture=en-US Title: Information About Microsoft December Out-of-Band Security Bulletin #2Date: Thursday, December 18, 2008 11:00 A.M. Pacific Time (U.S. & Canada)URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032399449&Culture=en-US
Frequently Asked Questions:
What is the scope of the vulnerability? This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
What causes the vulnerability? The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable. As a result, memory may be corrupted in such a way that an attacker could execute arbitrary code in the context of the logged-on user.
What might an attacker use the vulnerability to do? An attacker who successfully exploited the remote code execution vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability? An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site. The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.
What systems are primarily at risk from the vulnerability? This vulnerability requires that a user is logged on and reading e-mail messages or is visiting Web sites for any malicious action to occur. Therefore, any systems where e-mail messages are read or where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Servers could be at more risk if administrators allow users to browse and read e-mail on servers. However, best practices strongly discourage allowing this.
I’m running an older version of IE/ Windows that is not listed in the bulletin. Am I vulnerable?
After support for a product has lapsed, we do not have specific information on the vulnerability of those products. Customers should view being on an unsupported product itself as an operational vulnerability and can take steps to protect themselves by taking out a Custom Support Agreement or upgrade to a supported version.
For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software releases, visit the Microsoft Product Support Services Web site.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Which of the workarounds should I apply to my system in order to be protected?Based on our investigation, setting the Internet zone security setting to High will protect users from known attacks. However, for the most effective protection, customers should evaluate a combination of using the High security setting in conjunction with one of the following workarounds.
· Disable XML Island functionality
· Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL
· Disable Row Position functionality of OLEDB32.dll
· Unregister OLEDB32.dll
· Use ACL to disable OLEDB32.dll
For additional workaround details, please see the following post: http://blogs.technet.com/swi/archive/2008/12/12/Clarification-on-the-various-workarounds-from-the-recent-IE-advisory.aspx#workarounds.
Each of these workarounds is equally effective in protecting customers; however, each workaround has different impacts based on the environment in which they are applied. We encourage customers to evaluate which of the workarounds would be least impactful to their environment, based on the impact statements included with each workaround.
How does configuring the Internet zone security setting to High protect me from this vulnerability?Setting the Internet zone security setting to High protects against all currently known exploits of this vulnerability by disabling scripting, disabling less secure features in Internet Explorer, and blocks known techniques used to bypass Data Execution Prevention (DEP). It is important to note that the vulnerable code may be reached even with these protections in place, however current attacks would not be successful with these workarounds in place. We will continue to monitor the threat environment and update this advisory if this situation changes.
How does Protected Mode in Internet Explorer 7 and Internet Explorer 8 Beta 2 on Windows Vista and later protect me from this vulnerability?Internet Explorer 7 and Internet Explorer 8 Beta 2 in Windows Vista run in Protected Mode by default in the Internet security zone. (Protected Mode is off by default in the Intranet zone.) Protected Mode significantly reduces the ability of an attacker to write, alter, or destroy data on the user’s machine or to install malicious code. This is accomplished by using the integrity mechanisms of Windows Vista which restrict access to processes, files, and registry keys with higher integrity levels.
What is Data Execution Prevention (DEP)?Data Execution Prevention (DEP) is included in Internet Explorer; disabled by default in Internet Explorer 7, and enabled by default in Internet Explorer 8 Beta 2. DEP is designed to help foil attacks by preventing code from running in memory that is marked non-executable. For more information about DEP in Internet Explorer, please see the following post: http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx. Recently, proof of concept code was published that demonstrates methods to bypass DEP. However, the workarounds included in this advisory, of setting the security slider to High as well as applying one of the OLEDB32.dll workarounds, are still effective in blocking current attacks.
What does the update do? The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.
When this security bulletin was issued, had this vulnerability been publicly disclosed? Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2008-4844.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? Yes. When the security bulletin was released, Microsoft had received information that this vulnerability was being exploited.
Does applying this security update help protect customers from the code, published publicly, that attempts to exploit this vulnerability?
Yes. This security update fixes the vulnerability in Internet Explorer, which is currently being attacked. This security protects customers from current and future attacks. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number <CVE 2008 >.
How did Microsoft become aware of these attacks?
Microsoft has a number of threat intelligence channels worldwide that we constantly monitor. We became aware of these attacks through these channels.
How would you characterize the severity of this vulnerability? How serious is this?
This security update is rated Critical for all supported editions of Internet Explorer.
Microsoft recommends that customers apply the update immediately.
Is the Windows Internet Explorer 8Beta 2 release affected by this vulnerability? Yes. This vulnerability was reported after the release of Windows Internet Explorer 8 Beta 2. Customers running Windows Internet Explorer 8 Beta 2 are encouraged to download and apply the update to their systems.
Security updates are available from Microsoft Update and Windows Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."
Is this a Cumulative Security update for Internet Explorer?
This is an Out of Band release to address a critical security vulnerability. Due to the nature of the release and the speed with which we have responded, this is a single fix addressing the vulnerability. Internet Explorer will return to their normal shipping schedule in February.
How did Microsoft's Software Development Lifecycle process not catch this vulnerability?
Microsoft’s SDL process was created to facilitate a defense-in-depth approach to security intended to reduce the number of vulnerabilities in software. It is impossible to completely prevent all vulnerabilities during software development and software vulnerabilities will continue to exist. As such, our defense-in-depth approach assures protections are in place when vulnerabilities do surface.
Software development is an evolving process - each time a vulnerability is identified, steps are taken to understand what happened in the software development process and those learnings are then incorporated into the next version of the SDL.
Will a webcast be available for customers?
Microsoft is hosting two webcasts to address customer questions on this bulletin on Dec. 17, 2008 at 1:00 PM PT (U.S. & Canada) and Dec. 18, 2008 at 1:00 PM PT (U.S. & Canada). Register now for the out-of-band security bulletin webcast by clicking on the respective links above. After this date, this webcasts are also available on-demand.