Internet Explorer Hit By Zero Day Exploit

December 29, 2008 by AntivirusWare.

The large set of patches Microsoft issued recently, its December 2008 security bulletins, fixed a great many flaws, including six rated critical, affecting Windows GDI, Word, Excel, Internet Explorer and Windows Search. Many of the remaining flaws, which Microsoft categorizes as "important," were fixed as well.

However, one serious flaw was not addressed by that update: a memory-corruption bug, reported as a heap overflow, in the way Internet Explorer handles XML content. A malicious web page triggers it by embedding a crafted XML tag and then deliberately delaying the trigger for about six seconds, apparently to slip past antivirus products that only watch a page for a short time after it loads. Once the bug fires, the attacker's code runs inside the browser with the privileges of the logged-on user; when the exploit fails, the browser simply crashes. The exploit circulating publicly targets Internet Explorer 7 on Windows XP and Windows Server 2003.
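The post describes two things a defender can look for in a captured page: an XML tag and a deliberately delayed trigger. The following heuristic scanner is an added example written for this page, not code from the original post or from any vendor; the `<xml` tag pattern, the 5000 ms delay threshold and the three sample pages are all assumptions and constructed inputs, not signatures for the actual exploit. It also shows the heuristic's main weakness: a delay written as an expression rather than a literal is not caught.

```python
import re

# Heuristic 1: an inline XML data island (<xml ...>). The \b after "xml"
# keeps "<?xml" prologues from matching, since "<" must be followed
# directly by "xml".
XML_ISLAND = re.compile(r"<xml\b", re.IGNORECASE)

# Heuristic 2: a setTimeout/setInterval whose delay is a numeric literal.
# The inner group tolerates one level of parentheses in the first
# argument, e.g. setTimeout("trigger()", 6000) or setTimeout(function(){...}, 100).
DELAYED_CALL = re.compile(
    r"\bset(?:Timeout|Interval)\s*\((?:[^()]|\([^()]*\))*?,\s*(\d+)\s*\)",
    re.IGNORECASE,
)

DELAY_THRESHOLD_MS = 5000  # assumption: anything this long is "waiting out" a scanner

def analyze_page(html):
    """Return the indicators found in one HTML document and a verdict."""
    delays = [int(m.group(1)) for m in DELAYED_CALL.finditer(html)]
    long_delays = [d for d in delays if d >= DELAY_THRESHOLD_MS]
    has_xml = bool(XML_ISLAND.search(html))
    return {
        "xml_island": has_xml,
        "delays_ms": delays,
        "long_delays_ms": long_delays,
        # both indicators together are needed; either alone is common on benign pages
        "suspicious": has_xml and bool(long_delays),
    }

# Constructed sample inputs (not real exploit code).
BENIGN_PAGE = """<?xml version="1.0"?>
<html><body><h1>Quarterly report</h1>
<script>setTimeout(function(){ document.title = 'loaded'; }, 100);</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<xml id="island"><item>1</item></xml>
<script>setTimeout("trigger()", 6000);</script>
</body></html>"""

# Same structure, but the delay is an expression: the literal-only regex misses it.
EVASIVE_PAGE = """<html><body>
<xml id="island"><item>1</item></xml>
<script>setTimeout(trigger, 6 * 1000);</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_PAGE),
                       ("suspicious", SUSPICIOUS_PAGE),
                       ("evasive", EVASIVE_PAGE)]:
        print(name, analyze_page(page))
```

The evasive sample is the caveat: a delay of `6 * 1000`, a string such as `"6000"`, or a value computed at run time all defeat a literal match, so a check like this is only a triage aid for captured pages, not a substitute for patching the browser.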

Observers within the security community have noted that the exploit does not yet appear to have been used widely, but because the exploit code is publicly available, broader exploitation in the very near future is likely.

A Microsoft representative has stated that the company is investigating these claims and will take the appropriate action to protect customers once the investigation is complete. That could mean a patch in the regular monthly update, an out-of-cycle update, or additional guidance so customers can protect themselves in the meantime.

As a short-term workaround, security experts suggest using a browser other than Internet Explorer until a fix is available. Note that this only reduces exposure from ordinary web browsing; any other application that renders HTML with Internet Explorer's engine still processes the same content.