Zero-Day IE 7 Flaw Discovered

Microsoft once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day IE 7 flaw discovered soon after the Patch Tuesday release.

Though Microsoft on Tuesday closed the books on its 2008 patch rollout cycle, it once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm Center.

Found in the wild a day after Microsoft released an IE patch addressing four separately reported private vulnerabilities, the bug creates an Extensible Markup Language (XML) tag then deliberately delays its process for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if successful. This would force a restart that would allow malicious code to piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is "investigating new public claims of a possible vulnerability in Internet Explorer" without mentioning this exploit in particular. Microsoft continued that when it concludes its investigation, it will take action that "may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of zero-day exploits, including this one, continues to reinforce the importance of practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt Microsoft to reconfigure its patch release frequency to respond more rapidly to wild exploits in an increasingly real-time environment, security experts agree that such a pursuit would be in vain. Neither Microsoft nor any other company can realistically develop a patch for a single processing environment; rather, it needs to test various scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today and still provide the same level of quality," said Eric Schultze, chief technology officer of Shavlik Technologies. "In my former life working at Microsoft in the Security Response Unit, I saw Microsoft attempt to create and release patches quickly. Sometimes this leads to quality issues. In one instance, Microsoft released an Exchange Server patch four times within one day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a "no-support, use-at-your-own-risk" sign-up so people can download patches prior to or during the the quality assurance and testing phases. "This would allow users to test patches on their environment and make their own decision to use them," nCircle's Reguly said. "You would still have the standard monthly patch release, but it provides a nice middle ground for those that want something faster."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Ups Its Windows 10 App Compatibility Assurances

    Microsoft gave assurances this week that organizations adopting Windows 10 likely won't face application compatibility issues.

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

  • How To Use PowerShell Splatting

    Despite its weird name, splatting can be a really handy technique if you create a lot of PowerShell scripts.

  • New Microsoft Customer Agreement for Buying Azure Services To Start in March

    Microsoft will have a new approach for organizations buying Azure services called the "Microsoft Customer Agreement," which will be available for some customers starting as early as this March.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.