updated 03:45 pm EST, Tue December 16, 2008
IE7 Zero-Day Exploit
A new and previously undiscovered vulnerability in Internet Explorer 7 has triggered warnings to at least temporarily avoid the browser until it can be fixed. The exploit, which takes advantage of the browser's data binding feature to create a memory hole, is unique to Microsoft's code and potentially dangerous due to its usability over the web. A maliciously formed website can use the exploit to steal private data or otherwise compromise the system; some benign websites have been turned hostile using the exploit and other vulnerabilities, the company says.
Over 10,000 sites have already been launched or corrupted with the security gap in mind, according to Trend Micro senior security advisor Rick Ferguson, who is among the early group of experts suggesting that users run an alternative browser until a patch is ready.
"If users can find an alternative browser, then that's good mitigation against the threat," he says.
Notably, Apple Safari, Google Chrome, Mozilla Firefox, and Opera's self-titled browser all avoid the exploit, which also affects earlier versions of Internet Explorer but is limited to systems running Windows XP, Server 2003/2008 and Vista.
Microsoft itself tries to downplay the impact and suggests the damage is relatively limited. The company's UK Windows chief John Currant argues that the exploit only affects 0.2 percent of websites at present and that switching to a competitor's browser would be a hasty reaction given the rarity of the attack.
"I cannot recommend people switch due to this one flaw," he contends.
Regardless, the company has no estimates for when it will provide the necessary fix and instead suggests that Windows XP and Vista owners run Internet Explorer 7 in Protected Mode, which sandboxes it against these types of exploits. Both Windows Server variants also run by default in an enhanced security mode that should prevent the code from running arbitrarily.