IE Users Beware
Monday, December 22nd, 2008

On December 9, 2008, a “weaponized” zero-day exploit for a previously undisclosed vulnerability in Microsoft Internet Explorer 7 was discovered in the wild being used by Chinese hackers to install malware on victims’ computers. The exploit was based on a proof-of-concept that was posted on a Chinese forum early in November of 2008, and coincidentally, launched on the same day as Microsoft’s last batch of security patches for the year. The vulnerability is caused by memory corruption that results from an invalid pointer reference when Internet Explorer handles Dynamic HTML (DHTML) data bindings. The exploit itself is written in JavaScript and is intended to execute only in Internet Explorer 7 browsers on Windows XP, Windows Server 2003, Windows Vista, and Windows 2008; however, the underlying vulnerability resides in all versions of Internet Explorer. As of this date, no exploit targeting those other versions has been discovered.
To exploit this vulnerability, a malicious website would cause IE to create an array of data binding objects, release one of the objects, and re-reference it later on. Internet Explorer neglects to check the new array length after the object is released, so a loop continues past the new end of the array and references the released object, resulting in a use-after-free condition. If the deleted object’s memory is reallocated and filled with user-supplied data, Internet Explorer could crash in a way that is exploitable and effectively allows remote code execution with the privileges of the logged-in user. While most attacks that exploit this vulnerability are being used to propagate malware, one must realize that this vulnerability can be leveraged to execute arbitrary code.
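The following is an added illustration of the bug class described above; it is not code from the original post and is not Internet Explorer’s code. It models a small array of binding objects with a loop that reads the array length once, releases an entry mid-loop (as a script callback would), and then runs past the new end onto the dangling pointer. The `freed` flag, the swap-to-end release routine, and the `binding_t` / `binding_array_t` names are assumptions made so that the stale reference is detected rather than dereferenced; the hardened loop beside it re-reads the live length on every pass, which is the kind of check the post says was missing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BINDINGS 8

/* One data-binding object. The `freed` flag stands in for the allocator:
 * it lets the demo detect a stale reference instead of touching genuinely
 * freed memory, which would be undefined behaviour. (Constructed model.) */
typedef struct {
    int id;
    int freed;
} binding_t;

/* An array of binding pointers plus its current length. */
typedef struct {
    binding_t *items[MAX_BINDINGS];
    int count;
} binding_array_t;

/* Create n live bindings. */
static void init_bindings(binding_array_t *arr, int n) {
    memset(arr, 0, sizeof *arr);
    for (int i = 0; i < n && i < MAX_BINDINGS; i++) {
        binding_t *b = malloc(sizeof *b);
        b->id = i;
        b->freed = 0;
        arr->items[arr->count++] = b;
    }
}

/* Release the binding at `index`: mark it freed, swap it past the end and
 * shrink the array. As in real code, the slot beyond `count` is NOT cleared,
 * so a dangling pointer remains there. */
static void release_binding(binding_array_t *arr, int index) {
    if (index < 0 || index >= arr->count) return;
    binding_t *victim = arr->items[index];
    victim->freed = 1;                          /* simulated free() */
    arr->items[index] = arr->items[arr->count - 1];
    arr->items[arr->count - 1] = victim;        /* dangling pointer left behind */
    arr->count--;
}

/* Touch a binding. Returns 1 if the reference is stale (use-after-free). */
static int use_binding(const binding_t *b) {
    return (b == NULL || b->freed) ? 1 : 0;
}

/* Vulnerable pattern: the length is read once, before the loop. When an
 * entry is released mid-loop the loop runs past the new end and reaches the
 * dangling pointer. Returns the number of stale references made. */
static int iterate_vulnerable(binding_array_t *arr, int release_at) {
    int stale = 0;
    int n = arr->count;                         /* snapshot, never refreshed */
    for (int i = 0; i < n; i++) {
        stale += use_binding(arr->items[i]);
        if (i == release_at)
            release_binding(arr, release_at);   /* script-triggered release */
    }
    return stale;
}

/* Hardened pattern: re-read the live length on every iteration so the loop
 * stops at the new end and never reaches the released object. */
static int iterate_hardened(binding_array_t *arr, int release_at) {
    int stale = 0;
    for (int i = 0; i < arr->count; i++) {      /* bound re-evaluated each pass */
        stale += use_binding(arr->items[i]);
        if (i == release_at)
            release_binding(arr, release_at);
    }
    return stale;
}

/* Free every object created by init_bindings, live or "released". */
static void destroy_bindings(binding_array_t *arr) {
    for (int i = 0; i < MAX_BINDINGS; i++) {
        free(arr->items[i]);
        arr->items[i] = NULL;
    }
    arr->count = 0;
}

int main(void) {
    binding_array_t arr;

    init_bindings(&arr, 4);
    printf("vulnerable loop: %d stale reference(s)\n", iterate_vulnerable(&arr, 1));
    destroy_bindings(&arr);

    init_bindings(&arr, 4);
    printf("hardened loop:   %d stale reference(s)\n", iterate_hardened(&arr, 1));
    destroy_bindings(&arr);
    return 0;
}
```

With four bindings and the second one released mid-loop, the vulnerable loop makes one stale reference (the slot just past the shrunken array) while the hardened loop makes none. In production code the fix is usually paired with clearing the vacated slot, so that even a loop with a stale bound finds a null pointer rather than a freed object.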
There are inherent vulnerabilities that exist in all browsers, but Internet Explorer is the most widely used web browser around the world, making it a prime target for hackers. The time between the release of proof of concept code and the release of full-fledged exploits is getting smaller and smaller. Although Microsoft has been quick to release workarounds to mitigate vectors for exploitation, the seriousness of this flaw has prompted Microsoft to release an out-of-cycle security update, MS08-078.
In order to maintain a good security posture, minimize your risk by being aware of the vulnerabilities that may pose a threat, and be prepared to show due care when a threat comes knocking at your door. Considering that security and functionality can often be a tradeoff, there isn’t a single product or configuration that caters to everyone; the solution is to figure out which tradeoffs are appropriate for you or your company. As such, until issues like this can be addressed with a security patch, users should apply the workarounds, and/or consider using an alternate browser in the meantime.