Internet Explorer Plagued By Zero-Day Exploit

Although this past week was the final Patch Tuesday for 2008, and Microsoft released 8 Security Bulletins, including a Critical cumulative update for Internet Explorer, Users of Internet Explorer are vulnerable to a zero-day exploit that is being used in the wild. Originally thought to be limited to Internet Explorer 7, Microsoft later updated their Security Advisory to state that Internet Explorer 5 with Service Pack 4, Internet Explorer 6 (with or without Service Pack 1), and even Internet Explorer 8 Beta 2 are potentially vulnerable as well.

According to a Network World article, "the problem is particularly severe since in some cases users merely [have] to view a Web site in order to have a Trojan horse program automatically downloaded to their machine. Once on a PC, the hacker can direct the program to download other bad software and perform actions such as sending spam and stealing data."

The Microsoft Security Advisory offers some advice for Internet Explorer users to minimize the risk, such as:

• Set Internet and Local Intranet Security Zones settings to High
• Enable DEP (Data Execution Prevention) for Internet Explorer 7 in Windows Vista or Windows Server 2008
• Disable Data Binding support in Internet Explorer 8
• Disable Active Scripting in Internet Explorer

You can find more guidance and workarounds in the Microsoft Security Advisory. For those who can though, the simplest solution is probably to simply use another browser- at least until Microsoft releases an update to fix the vulnerability and protect it from these attacks. Firefox, Chrome, Safari, and Opera are all browsers worth looking at as an alternative - either temporary or permanent - for Internet Explorer.