Vista - Big Security Hole in All IE Versions

Microsoft: Big Security Hole in All IE Versions

On Wednesday, Security Fix warned readers about a newly-discovered security hole in Internet Explorer 7. I'm posting this again because Microsoft now says the flaw affects all supported versions of IE, and because security experts are warning that a large number of sites are being compromised in an effort to exploit this vulnerability and install malware on vulnerable systems.
The SANS Internet Storm Center reports that hackers are breaking into legitimate Web sites and uploading code that could install data-stealing software on the machine of a user who visits the site using Internet Explorer. SANS's chief technology officer Johannes Ullrich estimates that thousands of sites have been seeded with this exploit to date.
For example, Web security firm Websense reports that hackers have compromised the Chinese Web site for ABIT, the maker of motherboards that power many home computers. So far, the exploits appear to be only stealing online gaming credentials, but SANS and others warn that attackers will likely use this exploit more deftly in the coming days and weeks.
According to Microsoft's revised security advisory, this flaw is present in every version of IE in use today, from IE5 all the way through to IE8 Beta 2.
Microsoft's advisory includes a host of recommendations for mitigating the threat from this vulnerability. Some of the company's suggestions did not work when I tried them on my Windows Vista system, or did not work without some tweaking that was not mentioned in the advisory.
For instance, Microsoft recommends enabling a feature called "data execution prevention," by clicking "Tools," "Internet Options," then "Advanced," and then checking the box next to that option. However, when I tried to make the changes in IE7 on Vista, I found that option grayed out. To make that change, I had to close out of IE completely, then right click on the IE icon, select "Run as Administrator," and then alter the setting.
Microsoft also suggests shifting IE's Internet and local Intranet security settings to "high." No problems changing that per Microsoft's instructions, except that few sites will load properly in IE because changing that setting disables active scripting, a feature that many Web sites use.
In addition, Microsoft says users can mitigate the threat from this flaw by de-registering the vulnerable component, a system file called "oledb32.dll". To do this, users need to run the Windows command prompt as administrator, and type or cut-and-paste the following command:
Regsvr32.exe /u "Program Files\Common Files\System\Ole DB\oledb32.dll"
This generated an error message on my Windows Vista machine, complaining that the action could not be performed. The command worked fine on my Windows XP system.
I would advise Windows users to consider browsing the Web with anything other than Internet Explorer, at least until Microsoft issues a patch to fix this vulnerability. It is not my intention to over-hype the situation, but as we have seen time and again, attackers are usually very quick to take advantage of flaws in IE because the program is the default browser for close to 80 percent of the planet.
And don't count on your anti-virus program to save you from these types of attacks. A scan of the exploit being served up by several of the hacked sites produced atrocious results: VirusTotal.com reported that only four out of the 32 anti-virus programs it used to scan the malware detected it as malicious or suspicious.


Microsoft: Big Security Hole in All IE Versions - Security Fix


If you want to browse safely use the latest Firefox with the No-Script Add-On

Microsoft Security Advisory (961051)
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: December 10, 2008 | Updated: December 11, 2008

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

This update to the advisory contains information about which versions of Internet Explorer are vulnerable as well as new workarounds and a recommendation on the most effective workarounds.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7. Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory. Additionally, there are mitigations that increase the difficulty of exploiting this vulnerability.

This advisory discusses the following software.
Related Software

Windows 2000 Service Pack 4

Windows XP Service Pack 2

Windows XP Service Pack 3

Windows XP Professional x64 Edition

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista

Windows Vista Service Pack 1

Windows Vista x64 Edition

Windows Vista x64 Edition Service Pack 1

Windows Server 2008 for 32-bit Systems

Windows Server 2008 for x64-based Systems

Windows Server 2008 for Itanium-based Systems

Microsoft Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

Microsoft Internet Explorer 6 Service Pack 1 for Microsoft Windows 2000 Service Pack 4

Microsoft Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, Windows XP Professional x64 Edition, and Windows XP Professional x64 Edition Service Pack 2

Microsoft Internet Explorer 6 for Windows Server 2003 Service Pack 1 and Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Internet Explorer 7 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Internet Explorer 7 in Windows Vista and Windows Vista Service Pack 1, and Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Internet Explorer 7 in Windows Server 2008 for 32-bit Systems

Windows Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems

Windows Internet Explorer 7 in Windows Server 2008 for x64-based Systems

Windows Internet Explorer 8 Beta 2 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Internet Explorer 8 Beta 2 for Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Internet Explorer 8 Beta 2 in Windows Vista and Windows Vista Service Pack 1, and Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Internet Explorer 8 Beta 2 in Windows Server 2008 for 32-bit Systems

Windows Internet Explorer 8 Beta 2 in Windows Server 2008 for Itanium-based Systems

Windows Internet Explorer 8 Beta 2 in Windows Server 2008 for x64-based Systems

Here are the three Security Advisories published so far from the MRSC Team;

The Microsoft Security Response Center (MSRC) : Microsoft Security Advisory 961051

The Microsoft Security Response Center (MSRC) : Microsoft Security Advisory 961051 Updated

The Microsoft Security Response Center (MSRC) : Friday update for Microsoft Security Advisory 961051

Norm's first posting here is a good summary of the critical nature of this vulnerability and gives clearer workaround instructions.......if you want to stick with IE as a Browser.

Me? I've just gone to Firefox 3 for Windows [Language UK Version], plus the Add-on 'No-Script'