Chenxi Wang

As the day drew to a close on December 16, 2008, Microsoft issued an advance out-of-band security advisory, #961051, with an emergency patch to follow the next day.


The vulnerability behind this advisory is a critical remote-code-execution flaw in Internet Explorer (IE). All currently supported versions of IE are affected. The flaw stems from an invalid pointer used in the data binding element of IE's code base, and it allows remote execution of arbitrary code: if a vulnerable browser visits a malicious Web site, that site can instruct the browser to execute arbitrary code with the same privileges as the logged-on user.


Microsoft first became aware of this vulnerability when anonymous reports of it surfaced on a Chinese Web site. On Tuesday, December 9th, Microsoft's response center saw an increasing number of attacks exploiting this vulnerability. This prompted Microsoft to take the extraordinary step of issuing an out-of-band security advisory and an emergency patch for IE.


So far, the attacks Microsoft has seen target IE 7 only. Microsoft reported that approximately 0.2% of Windows users may have been affected by these attacks. It has issued emergency patches for all supported versions of IE in all languages.


What should you do about it? As a consumer, if you have automatic Windows Update turned on, you should receive the patch automatically. If not, we recommend that you enable automatic updates from the Control Panel. Many organizations already have automated procedures for installing vendor patches; this is, however, a critical patch that must be attended to immediately.


What is Microsoft doing to avoid similar vulnerabilities in the future? Microsoft says that the particular nature of this vulnerability made it difficult for automated tools to detect, and that this is why its SDL process failed to catch it. However, as we understand it, Microsoft's SDL process goes beyond the use of automated tools. Why threat modeling, code reviews, and extensive testing did not catch this critical vulnerability is not an easy question to answer, and we are eagerly awaiting more information from Microsoft.