Stephen Withers
Thursday, 18 December 2008 03:03
Microsoft has just issued an "out-of-band security bulletin" (i.e. one not released on a Patch Tuesday, which shows how serious it is) for Internet Explorer versions 5, 6, 7 and 8 beta on Windows 2000, XP, Server 2003, Vista and Server 2008.
According to the bulletin, "A remote code execution vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
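The bulletin's description is a textbook dangling-reference pattern: an object is handed back while the array that references it keeps its old length, so a later walk over the array reaches a dead object. The C program below is an added illustration of that pattern and is not Internet Explorer's code or Microsoft's; the `Store`/`Object` types and the `store_*` functions are constructed for this example. Objects are recycled from a fixed pool instead of being `free()`d, so the stale slot can be detected with an invariant check rather than by reading freed memory.

```c
/*
 * Constructed illustration of "object released without updating the array
 * length". Not Internet Explorer's code; all names are hypothetical.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_OBJECTS 8

typedef struct {
    int value;
    int released;   /* 1 once the object has been handed back */
} Object;

typedef struct {
    Object pool[MAX_OBJECTS];    /* backing storage; slots are never reused here */
    size_t allocated;            /* pool slots handed out so far */
    Object *items[MAX_OBJECTS];  /* the bound array of object pointers */
    size_t length;               /* number of entries consumers may read */
} Store;

static void store_init(Store *s) {
    memset(s, 0, sizeof *s);
}

/* Add a new object with the given value; returns its index, or -1 if full. */
static int store_add(Store *s, int value) {
    if (s->length >= MAX_OBJECTS || s->allocated >= MAX_OBJECTS) return -1;
    Object *o = &s->pool[s->allocated++];
    o->value = value;
    o->released = 0;
    s->items[s->length] = o;
    return (int)s->length++;
}

/* Buggy release: the object is given back, but items[] and length are left
 * untouched, so items[idx] still points at a released object. */
static void store_release_buggy(Store *s, size_t idx) {
    if (idx >= s->length) return;
    s->items[idx]->released = 1;
}

/* Fixed release: give the object back, compact the array and shrink length,
 * so no readable slot can still reference the released object. */
static void store_release_fixed(Store *s, size_t idx) {
    if (idx >= s->length) return;
    s->items[idx]->released = 1;
    for (size_t i = idx + 1; i < s->length; i++)
        s->items[i - 1] = s->items[i];
    s->length--;
    s->items[s->length] = NULL;
}

/* Invariant check: count readable slots that point at a released object.
 * Any non-zero result is a dangling reference a consumer could dereference. */
static size_t store_count_stale(const Store *s) {
    size_t stale = 0;
    for (size_t i = 0; i < s->length; i++)
        if (s->items[i] != NULL && s->items[i]->released)
            stale++;
    return stale;
}

/* Build a three-object store, release the middle one with either the buggy
 * or the fixed routine, and report how many stale slots remain readable. */
static size_t demo_stale_after_release(int use_fix) {
    Store s;
    store_init(&s);
    store_add(&s, 10);
    store_add(&s, 20);
    store_add(&s, 30);
    if (use_fix) store_release_fixed(&s, 1);
    else store_release_buggy(&s, 1);
    return store_count_stale(&s);
}

int main(void) {
    printf("stale slots, buggy release: %zu\n", demo_stale_after_release(0));
    printf("stale slots, fixed release: %zu\n", demo_stale_after_release(1));
    return 0;
}
```

The invariant check is the defensive takeaway: a release routine that frees an object must also remove every reference to it from the containers that hold it, and a consumer that trusts a cached length is exactly the code path that walks into the released object. Tools such as AddressSanitizer catch the real `free()` variant of this pattern at test time.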
The vulnerability can be exploited via a maliciously crafted web page. Microsoft warns that exploit code is publicly available and being actively used in attacks.
One saving grace is that IE 7 and 8's protected mode under Vista and Server 2008 makes exploitation more difficult, but that's no consolation for those on older operating systems.
"Fortunately, the impact on Microsoft’s Australian customers has so far been minimal and Microsoft is not advising Internet Explorer users to switch browsers," said a Microsoft spokesperson.
Well they wouldn't, would they?
But the basic message is that if you're using any of the popular browsers, there may be an update waiting for you - so get to it!