MS confirms that all versions of IE have critical new bug

It adds IE6 and IE8 Beta 2 to the list, recommends disabling .dll to stay safe

The unpatched bug in Internet Explorer 7 (IE7) that hackers are now exploiting also exists in older versions of the browser, including the still-widely-used IE6, Microsoft said late Thursday.

Friday, a Danish security researcher added that Microsoft's original countermeasure advice was insufficient, and recommended users take one of the new steps the company spelled out.

In a revised security advisory, Microsoft said research confirmed that the bug is within all its browsers, including those it currently supports -- IE5.01, IE6 and IE7 -- as well as IE8 Beta 2, a preview version the company doesn't support through normal channels.

Users running any of those browsers on Windows 2000, XP, Vista, Server 2003 or Server 2008 are at risk, Microsoft said.

Even so, the company continued to downplay the severity of the threat. "At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said the advisory.

Microsoft also spelled out the root of the problem, saying that the bug is in IE's data binding functionality, and not, contrary to earlier reports by independent security researchers, in the HTML rendering code.

"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," said Microsoft. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."

Microsoft also hinted that the "oledb32.dll" file contains the bug when it added recommendations that users disable or cripple the .dll's function as stop-gap measures. Oledb32.dll is a component of Microsoft Data Access, a collection of technologies for accessing different types of data in a uniform fashion. "OLEDB" stands for "Object Linking and Embedding, Database."

Danish security company Secunia claimed that its research, which it said has been passed along to Microsoft, identified the vulnerability's true nature. "After having published our initial advisory concerning this [zero]-day, one of my guys was therefore tasked with figuring out the exact nature of the problem," said Carsten Eiram, chief security specialist at Secunia, in a post to the company's blog early Friday. "It turned out that a lot of available information and assumptions were wrong."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags internet explorer 7

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?