Posted on 18.12.2008 at 11:20 in Tech News by Martin
Microsoft issued an out-of-band emergency patch Wednesday for a zero-day Internet Explorer vulnerability that has opened the door for hackers to install malware on susceptible computers without any user intervention.
The flaw, which is rated critical, the highest severity rating, affects all versions of Microsoft’s IE Web browser. Specifically, Microsoft’s IE update applies to IE 5.01 on Windows 2000; IE 6 on XP, XP Professional and Server 2003; and IE 7 on XP, Server 2003, Vista and Server 2008. The vulnerability was reported after the release of Windows IE 8 Beta 2, but Microsoft still recommends in its MS08-078 advisory that users apply the patch.
The IE security problem is the result of a fundamental flaw in the browser’s data binding function, which ultimately leaves a hole in the memory space that can be accessed by remote hackers. Internet Explorer can then quit unexpectedly while in an exploitable state. Unlike other exploits, users have only to visit a malicious site infused with Trojans or other malware in order to become infected. Hackers can also entice victims to visit a specially crafted site, usually via some kind of phishing or social engineering scheme, or place infected banner ads on legitimate Web sites. Once users open an infected Web page, malicious downloaders designed to record keystrokes and steal passwords, credit card numbers, or other financial information are installed on their computers. A user’s computer could also become part of a botnet, a network of compromised computers operated by a central command and control center.
Source: CRN