IE7 zero-day hole exposed; experts urge alternatives
updated 03:45 pm EST, Tue December 16, 2008
IE7 Zero-Day Exploit
A new and previously unknown vulnerability in Internet Explorer 7 has prompted warnings to avoid the browser, at least temporarily, until it can be fixed. The exploit, which abuses the browser's data binding feature to corrupt memory, is unique to Microsoft's code and is potentially dangerous because it can be triggered simply by visiting a web page. A maliciously crafted website can use the exploit to steal private data or otherwise compromise the system; some benign websites have been turned hostile using this exploit together with other vulnerabilities, the company says.
Over 10,000 sites have already been launched or corrupted with the security gap in mind, according to Trend Micro senior security advisor Rick Ferguson, who is among the early group of experts suggesting that users run an alternative browser until a patch is ready.
"If users can find an alternative browser, then that's good mitigation against the threat," he says.
Notably, Apple Safari, Google Chrome, Mozilla Firefox, and Opera's self-titled browser are all unaffected by the exploit, which also affects earlier versions of Internet Explorer but is limited to systems running Windows XP, Server 2003/2008 and Vista.
Microsoft itself tries to downplay the impact and suggests the damage is relatively limited. The company's UK Windows chief John Currant argues that the exploit only affects 0.2 percent of websites at present and that switching to a competitor's browser would be a hasty reaction given the rarity of the attack.
"I cannot recommend people switch due to this one flaw," he contends.
Regardless, the company has no estimate for when it will provide the fix and instead suggests that Windows XP and Vista owners run Internet Explorer 7 in Protected Mode, which sandboxes it against these types of exploits. Both Windows Server variants also run by default in an enhanced security mode that should prevent the exploit code from running arbitrarily.
Another one?
12/16, 05:10pm
Gee, yet another Explorer hole that MS is downplaying. Why don't they just throw this POS, that is Internet Exploder, away and admit they're just plain asses when it comes to writing anything that doesn't have thousands of bugs in it?
Guest
Fresh-Faced Recruit
Joined: Nov 1999
well
12/16, 05:45pm (1 reply)
If you're dumb enough to head off to nefarious and p*** web sites, you deserve to be infected/affected.
testudo
Fresh-Faced Recruit
Joined: Aug 2001
Really?
12/16, 06:10pm
Way to be a d***. This exploit can affect ANY website that has been hijacked. No one deserves to be infected with a virus just because they visited a website, regardless of their level of internet savvy.
cyn1c
Fresh-Faced Recruit
Joined: Oct 2008
Total Piece of c***
12/16, 09:10pm
IE is a dog, pure and simple. It's always been vulnerable to exploits, and it always will be, no matter how many patches. This exploit is really dangerous, but the underlying code of the whole darn program is hopeless, because the legacy code of Windows/NT is hopeless, security wise. Until MS writes a whole new kernel (and browser) from the ground up, it's going to be playing whack-a-virus-mole for the rest of eternity.
Alfiejr
Fresh-Faced Recruit
Joined: Aug 2008
Confused
12/17, 04:55am
You know, I don't understand how browsers that expose their users to significant risk retain such large market shares. I've been using Opera for a long time and I have yet to question my security while browsing.
ehoppe
Fresh-Faced Recruit
Joined: Jul 2008