Microsoft is planning to ship an emergency Internet Explorer update tomorrow (December 17) to counter an escalating wave of malware attacks targeting a zero-day browser vulnerability.
The out-of-band update, which will be rated critical, follows the public discovery of password-stealing Trojans exploiting the bug on Chinese-language Web sites. Over the past week, the attacks have expanded with hackers using SQL injection techniques to seed exploits on legitimate Web sites.
This will be the second out-of-band update from the MSRC (Microsoft Security Response Center) in the last two months. Back in October, the company shipped MS08-067 to plug an extremely critical worm hole that affected Windows 2000, Windows XP and Windows Server 2003.
The IE patch will be available for all supported versions of the browser. According to this pre-patch advisory from Microsoft, the in-the-wild attacks have targeted IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008.
The actual flaw exists in the way IE handles DHTML Data Bindings:
Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.
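The sequence the advisory describes (allocate an array of binding objects, release one, keep using the stale reference) is a generic use-after-free pattern, and the reason a heap spray matters is that later allocations reuse the freed memory with attacker-chosen contents. The following C program is an added illustration, not code from the article or from Microsoft: it models the pattern over a fixed, deterministic pool instead of the real heap, so the stale read is reproducible rather than undefined behaviour. The binding_t structure, the pool allocator, and the 0x4141 filler value are all constructed for the example; none of them reflect IE's actual data structures. The hardened variant shows the two checks a practitioner would expect on the release and use paths.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example: a deterministic model of the use-after-free class described
 * in the advisory. binding_t is a hypothetical stand-in for a data-binding
 * object, and the "heap" is a fixed pool so the stale read is reproducible
 * instead of undefined behaviour. None of this is IE's real code. */

#define POOL_SIZE 8
#define NBINDINGS 4

typedef struct {
    bool in_use;
    int  id;        /* binding identifier */
    int  vtable;    /* stands in for a function-pointer field an attacker would want to control */
} binding_t;

static binding_t pool[POOL_SIZE];

/* Allocate the first free slot, mimicking a first-fit heap allocator. */
static binding_t *pool_alloc(int id, int vtable) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].id = id;
            pool[i].vtable = vtable;
            return &pool[i];
        }
    }
    return NULL;
}

/* Free a slot; like a real allocator, it does not scrub the old contents. */
static void pool_free(binding_t *b) { b->in_use = false; }

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

#define LEGIT_VTABLE   0x1000  /* constructed: value a genuine object carries */
#define FILLER_VTABLE  0x4141  /* constructed: what attacker-controlled filler would leave behind */

/* Vulnerable sequence: build an array of bindings, release one, keep the stale
 * pointer, let a later allocation (the "spray") reuse the freed memory, then
 * dereference the stale pointer. Returns the vtable value the stale read sees. */
int vulnerable_sequence(void) {
    pool_reset();
    binding_t *bindings[NBINDINGS];
    for (int i = 0; i < NBINDINGS; i++)
        bindings[i] = pool_alloc(i, LEGIT_VTABLE);

    pool_free(bindings[1]);          /* release one object ...                  */
                                     /* ... but bindings[1] still points at it  */

    /* A later allocation reuses the freed slot; a heap spray is how an
       attacker makes sure its contents are theirs. */
    pool_alloc(99, FILLER_VTABLE);

    return bindings[1]->vtable;      /* stale dereference: sees 0x4141, not 0x1000 */
}

/* Hardened sequence: the release path nulls the owning reference, and every
 * use checks both the pointer and the allocator's liveness bit. Returns the
 * vtable if the object is live, or -1 if the reference is stale. */
static int binding_use(const binding_t *b) {
    if (b == NULL || !b->in_use) return -1;
    return b->vtable;
}

static void binding_release(binding_t **slot) {
    if (*slot) { pool_free(*slot); *slot = NULL; }
}

int hardened_sequence(void) {
    pool_reset();
    binding_t *bindings[NBINDINGS];
    for (int i = 0; i < NBINDINGS; i++)
        bindings[i] = pool_alloc(i, LEGIT_VTABLE);

    binding_release(&bindings[1]);   /* frees and clears the reference */
    pool_alloc(99, FILLER_VTABLE);   /* same reuse of the freed slot   */

    return binding_use(bindings[1]); /* -1: the stale reference is refused */
}

int main(void) {
    printf("vulnerable read sees vtable 0x%x\n", vulnerable_sequence());
    printf("hardened read returns %d\n", hardened_sequence());
    return 0;
}
```

The vulnerable path returns the filler value because the freed slot was handed out again before the stale pointer was used; that reuse is exactly what a heap spray is arranged to exploit. Clearing the reference at release time and checking liveness at use time turns the same sequence into a refused access, which is the behaviour a patched code path should have.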