Microsoft has updated the security bulletin the released for a new and serious Internet Explorer vulnerability. Initially it appeared that the vulnerability was only in Internet Explorer 7, but after further analysis it seems as if all currently-supported versions of IE are affected, including the betas of IE8.

The confusion may have come from the fact that the current attacks which brought the episode to light are IE7 specific. But further research shows that the underlying vulnerability is not.

Microsoft also added a number of new workarounds to the advisory. This list includes the old ones and the new ones:

• Set Internet and Local intranet security zone settings to “High”
• Disable Active Scripting or set IE to prompt for it
• Enable DEP (only hardware DEP will help)
• Use ACL to disable OLEDB32.DLL
• Unregister OLEDB32.DLL
• Disable Data Binding support in Internet Explorer 8

See the advisory for details on these workarounds. Does anyone else think that the bug is in OLEDB32.DLL?

On a separate note, a report from the Internet Storm Center shows that the attack is being spread to web sites through SQL injection attacks that have been popular among the malware set for some time.

-NKJ

NitiN Kumar Jain

Nitin works in an IT MNC professionally but blogs and owns NKJ Live. He is also the co-owner of a professional start-up ARGHAM BYTES

Website - Twitter - Facebook - More Posts