If you are using a computer running Internet Explorer 8, you should download an emergency patch to stop an exploit that hackers have been using to attack computers in the US government. The vulnerability was reported last Friday, and Microsoft released this fix and another work-around yesterday. Microsoft says it it ‘are hard at work developing a comprehensive security update.’
Internet Explorer 8 still accounts for 5.3% of Internet Explorer users (more than IE 9), although Microsoft reports that attacks have so far been ‘limited’. They are also sure that the vulnerability does not exist in other versions of Internet Explorer.
A Zero Day Exploit is one that targets a vulnerability that no one was aware of before. Any attack on this kind of vulnerability therefore happens on ‘day zero’ of our awareness of the problem. These exploits require fast responses by developers of the attacked applications.
Microsoft explained how the exploit works:
The vulnerability is exposed due to a page layout issue, triggered when Internet Explorer 8 is trying to calculate layout information for nodes no longer in the DOM tree. The issue is caused by layout structures that are not properly cleaned up and contain dangling pointers to page elements.
When the layout is updated, the browser crashes due to accessing the freed memory. The code that cleans up the dead links already exists, but it runs after the layout structures are accessed. The solution is to move the cleanup logic before the layout structure access.
It’s a very technical explanation, but the solution is simple. Download the fix from Microsoft here. You will then be safe, and a further security update will be delivered at a later date.
It’s always recommended to keep your browser up to date to make your browsing as safe as possible. Internet Explorer 8 is the last version of the browser that runs on Windows XP, which will no longer be supported by Microsoft from April 2014.
