Microsoft Internet Explorer Data Binding Vulnerability

Original release date: December 17, 2008
Last revised: --
Source: US-CERT

Systems Affected

• Microsoft Internet Explorer
• Microsoft Outlook Express
• Other software that uses Internet Explorer components to render documents

Overview

A vulnerability in Internet Explorer could allow an attacker to take control of your computer.

Solution

Apply an update

The updates to address these vulnerabilities are available on the Microsoft Update site. We recommend enabling Automatic Updates.

Disable Active Scripting

This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the Securing Your Web Browser document. Note that this will not block the vulnerability, but it will help to protect your computer against a common method used to execute this vulnerability.

Enable DEP in Internet Explorer 7

Enabling DEP in Internet Explorer 7 on Windows Vista can help mitigate this vulnerability by making it more difficult to achieve code execution using this vulnerability.

Description

When rendering certain documents, Internet Explorer may crash or allow an attacker to run code on your computer. The attacker could install malicious software or access sensitive personal information. Attackers are actively exploiting this vulnerability.

For more technical information, see US-CERT Technical Alert TA08-352A and US-CERT Vulnerability Note VU#493881.

References

• US-CERT Technical Cyber Security Alert TA08-352A - <http://www.us-cert.gov/cas/techalerts/TA08-352A.html>
• Microsoft Security Bulletin MS08-078 - <https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>
• US-CERT Vulnerability Note VU#493881 - <http://www.kb.cert.org/vuls/id/493881>
• Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

---

Feedback can be directed to US-CERT.

---

Produced 2008 by US-CERT, a government organization. Terms of use

Revision History

December 17, 2008: Initial release