E7, IE8 affected by zero-day attack, no patch available

An unpatched vulnerability found in Internet Explorer 7 also affects both older and newer versions of the browser, Microsoft warned Thursday, and Microsoft doesn't have a patch ready yet. In an advisory updated on Thursday, Microsoft confirmed that IE 5.01 with Service Pack 4, IE6 with and without Service Pack 1 and IE8 Beta 2 on all versions of the Windows operating system are potentially vulnerable to a flaw involving data binding, which is enabled in IE by default. Microsoft said it has of yet only seen attacks executed on IE7. In addition, users running Windows XP Service Pack 2 and 3, Windows Server 2003 Service Pack 1 and 2, Windows Vista with and without Service Pack 1 and Windows Server 2008 are also at risk.

Microsoft explained the flaw as a vulnerability that "exists as an invalid pointer reference in the data binding function of Internet Explorer," according to the advisory. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Users need only visit an evil Web site in order for attackers to take advantage of the flaw. Although the Microsoft advisory suggested several methods to limit the chances of becoming victim, until it comes up with a patch, IE users are not safe.

Could this be motive to drive corporations into a mass exodus from IE altogether in favor of some of the many browser options out there ... like Firefox or Chrome?

Visit the Microsoft Subnet web site for more news, blogs, podcasts. Also see:

Glenn Weadock: Windows Search optionsWindows 7 CrackedSeek and you will find … Windows 7 Federated Search with SharePoint8 little-known technologies that instantly make Microsoft shops run smoother17 job-hunting resources for Windows pros Subscribe to all Microsoft Subnet bloggers.bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.)

Sign up for the

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)