After the recent out-of-band release of patch MS08-67 by Microsoft, the software giant has again released an out-of-band patch, MS08-78.
The patch is tagged as critical and affects Internet Explorer versions 5.1 to 7. There are a few mitigating factors, but I strongly feel that at least desktop users, or systems which are used to surf the internet, should apply the released patch. The workarounds either wouldn’t work in a few cases, or attackers would come up with a way to bypass them.
A remote code execution vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-4844.
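The flaw class described above (an object is released while the array still counts its slot) can be shown with a small model. This is an added C example, not Microsoft's or Internet Explorer's code; `BindArray`, `release_flawed`, `release_fixed` and `stale_slots` are hypothetical names, and a fixed pool stands in for the heap so the stale slot can be inspected safely.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model: a fixed pool stands in for the heap, so a released
   object can be inspected safely instead of triggering undefined behaviour. */
#define POOL 8
typedef struct { int alive; int value; } Obj;
typedef struct { Obj *items[POOL]; size_t length; } BindArray;
static Obj pool[POOL];
static void reset(BindArray *a) { memset(pool, 0, sizeof pool); memset(a, 0, sizeof *a); }

static int push(BindArray *a, int value) {
    for (size_t i = 0; i < POOL && a->length < POOL; i++) {
        if (pool[i].alive) continue;
        pool[i] = (Obj){ 1, value };
        a->items[a->length++] = &pool[i];
        return 0;
    }
    return -1;
}

/* Flawed pattern: the object is released, the slot and length are not updated. */
static void release_flawed(BindArray *a, size_t i) {
    if (i < a->length) a->items[i]->alive = 0;
}

/* Corrected pattern: release, close the gap, shrink length, clear the tail. */
static void release_fixed(BindArray *a, size_t i) {
    if (i >= a->length) return;
    a->items[i]->alive = 0;
    memmove(&a->items[i], &a->items[i + 1], (a->length - i - 1) * sizeof a->items[0]);
    a->items[--a->length] = NULL;
}

/* Invariant check: every slot below length must reference a live object. */
static size_t stale_slots(const BindArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->alive) n++;
    return n;
}

int main(void) {
    BindArray a;
    reset(&a); push(&a, 10); push(&a, 20); push(&a, 30);
    release_flawed(&a, 1);
    printf("flawed: length=%zu stale=%zu\n", a.length, stale_slots(&a));
    reset(&a); push(&a, 10); push(&a, 20); push(&a, 30);
    release_fixed(&a, 1);
    printf("fixed:  length=%zu stale=%zu\n", a.length, stale_slots(&a));
    return 0;
}
```

With the flawed release the array still reports three elements and one of them refers to a released object; the corrected release keeps length and contents consistent.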
So the Information Security team has a new task to add to this week’s to-do list.