Another day, another Microsoft security alert..
This morning, another raft of advisories arrived in my mail from Secunia, this is one;
Internet Explorer Data Binding Memory Corruption Vulnerability
This rivetting title is like deja-vu. Time and again we’ve seen this. This is the fault of a company, Microsoft, that puts form before function, functionality before security.
Yet again, the core problem stems from years back when Microsoft had the bright idea to get everything linked together, like the internet is now, but different. The key is the method of linking.
When you connect to a web page, like this one, you connect, when you decide you want to.
Microsoft, unfortunately, have everything set up as they originally envisaged it, that is, everything is permanently connected to everything else! And that’s the problem!
If you have Visual Studio, say 2008, as I have, when web applications are constructed, one of the key things you’ll notice is the data-binding going on. The wizards and the help system are all permanently geared to doing this!
This is totally at-odds with a dynamically connected internet
This latest problem hangs around OLEDB32.dll In M$ shorthand, this stands for “Object Linking and Embedding Data Base 32-bit Dynamic Linked Library”
There we have it, Linking & Embedding. This is wonderful technology for putting spreadsheets in Word documents within the corporate offfice environment. However, when passing secure information over unsecured internet lines, it’s not! Of couse, you can delete oledb32.dll, but then you cannot access any data….doh!
Despite the continuous obvious failings of this methodology, just listen to the sanctimonious obfuscatory speech in their “Security Advisory” here: Microsoft Security Advisory (961051): Vulnerability in Internet Explorer Could Allow Remote Code Execution
Our investigation so far has shown that these attacks are only (my emphasis!) against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable
Basically, this means all their current operating systems and browsers! Not “only”….
The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.
Well that’s what’s wrong. So what are Microsoft going to do, I can hear you asking? It’s their software design, after all?
We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may (my emphasis) include providing a solution… Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of….having a firewall and anti-virus…
So Microsoft is looking, and if it gets worse they’ll let us know!!!
Let’s have the final word on this from the Secunia Advisory;
NOTE: Reportedly, the vulnerability is currently being actively exploited.
The vulnerability is confirmed in Internet Explorer 7 on a fully patched Windows XP SP3 and in Internet Explorer 6 on a fully patched Windows XP SP2, and reported in Internet Explorer 5.01 SP4. Other versions may also be affected.
We all bought into the “Welcome to Microsoft” world. We are all fully patched. Caveat Emptor.