Microsoft Internet Explorer Data Binding Vulnerability

Original release date: December 17, 2008
Last revised: --
Source: US-CERT

Systems Affected

• Microsoft Internet Explorer
• Microsoft Outlook Express
• Other software that uses Internet Explorer components to render documents

Overview

Microsoft Internet Explorer contains an invalid pointer vulnerability in its data binding code, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Exploit code for this vulnerability is publicly available and is being actively exploited.

I. Description

Microsoft Internet Explorer contains an invalid pointer vulnerability in its data binding code. When Internet Explorer renders a document that performs data binding, it may crash in a way that is exploitable to run arbitrary code. Any program that uses Internet Explorer's MSHTML layout engine, such as Outlook Express, may be at risk. Further details are available in US-CERT Vulnerability Note VU#493881.

II. Impact

By convincing a user to view a specially crafted document that performs data binding (e.g., a web page or email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS08-078. This update provides new versions of mshtml.dll and wmshtml.dll, depending on the target operating system. More details are available in Microsoft Knowledge Base Article 960714.

Disable Active Scripting

This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the Securing Your Web Browser document. Note that this will not block the vulnerability. IE still may crash when parsing specially crafted content. Disabling Active Scripting will mitigate a common method used to achieve code execution with this vulnerability.

Enable DEP in Internet Explorer 7

Enabling DEP in Internet Explorer 7 on Windows Vista can help mitigate this vulnerability by making it more difficult to achieve code execution using this vulnerability.

Additional workarounds

Microsoft Security Bulletin MS08-078 provides additional details for the above workarounds, as well as other workarounds not listed here. These workarounds are further explained in the Microsoft SWI Blog.

IV. References

• Microsoft Security Bulletin MS08-078 - <https://www.microsoft.com/technet/security/bulletin/ms08-078.mspx>
• MS08-078: Security update for Internet Explorer - <http://support.microsoft.com/kb/960714>
• Microsoft Security Advisory (961051) - <http://www.microsoft.com/technet/security/advisory/961051.mspx>
• Update on Internet Explorer 7, DEP and Adobe Software - <http://blogs.msdn.com/michael_howard/archive/2006/12/12/update-on-internet-explorer-7-dep-and-adobe-software.aspx>
• Data Binding - <http://msdn.microsoft.com/en-us/library/ms531388(vs.85).aspx>
• MSHTML Reference - <http://msdn.microsoft.com/en-us/library/aa741317.aspx>
• US-CERT Vulnerability Note VU#493881 - <http://www.kb.cert.org/vuls/id/493881>
• Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer>

---

Feedback can be directed to US-CERT.

---

Produced 2008 by US-CERT, a government organization. Terms of use

Revision History

December 17, 2008: Initial release