Workarounds for the as-yet-unpatched zero-day IE hole

News continues to circulate on how an unpatched hole has set off a huge uptick in Internet Explorer 7 attacks.

Microsoft has created a list of workarounds while it works on a patch. News reports filed yesterday and today discuss a "new" flaw that has generated a huge number of attacks. These reports stem from an earlier report by Microsoft that referenced the DHTML Data Bindings flaw, announced the day after Microsoft's enormous December Patch Tuesday. Microsoft said that it was seeing a growing number of victims of these attacks and pointed to its list of suggested workarounds. Below is a table published by Microsoft that lists its latest advice on avoiding the DHTML Data Bindings hole.

Workaround A B C
1. Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones X X
2. Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone X X
3. Disable XML Island Functionality X
4. Restrict Internet Explorer from using OLEDB32.dll with an Integrity Level ACL X
5. Disable Row Position functionality of OLEDB32.dll X
6. Unregister OLEDB32.DLL X
7. Use ACL to disable OLEDB32.DLL X
8. Enable DEP for Internet Explorer 7 on Windows Vista and on Windows Server 2008 X
9. Disable Data Binding support in Internet Explorer 8 X X

Applying a workaround from the (A) column will protect against current attacks, but to comprehensively protect against the vulnerability, we recommend that you also apply a workaround from the (B) column.


Copyright © 2008 IDG Communications, Inc.
