IE zero-day attack surface expands

The attack surface for password-stealing Trojans currently targeting an unpatched flaw in Microsoft's Internet Explorer has expanded to include all versions of the browser, including the newest IE 8 Beta 2.

Microsoft released an updated advisory to warn that the underlying flaw affects much more than IE 7 and to spread the word about additional workarounds that can help limit the damage from actual attacks.

Here's how you can protect yourself in the interim:

[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

Set Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High. If no slider is visible, click Default Level, and then move the slider to High.

Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone:

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Internet, and then click Custom Level.
  4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  5. Click Local intranet, and then click Custom Level.
  6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
  7. Click OK two times to return to Internet Explorer.

Enable DEP for Internet Explorer 7

  1. In Internet Explorer, click Tools, click Internet Options, and then click Advanced.
  2. Click Enable memory protection to help mitigate online attacks.

(NOTE: Some browser extensions may not be compatible with DEP and may exit unexpectedly. If this occurs, you can disable the add-on, or revert the DEP setting using the Internet Control Panel. This is also accessible using the System Control panel).
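The zone and scripting steps above map to per-user registry values, so the same workarounds can be applied and audited from PowerShell. This is an added example, not from the original post or Microsoft's advisory; it assumes the standard `Internet Settings\Zones` layout (zone 3 = Internet, zone 1 = Local intranet), and the `DEPOff` value used to check the "Enable memory protection" checkbox is an assumption that should be confirmed on the target IE build.

```powershell
# Added example: apply and audit the Internet / Local intranet zone workarounds.
# Assumes the standard per-user zone key layout; DEPOff is an assumed value name.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ Internet = '3'; LocalIntranet = '1' }   # zone IDs under the Zones key

# Per-zone action values: 1200 = "Run ActiveX controls and plug-ins",
# 1400 = "Active scripting". Data: 0 = Enable, 1 = Prompt, 3 = Disable.
# CurrentLevel 0x12000 is the "High" slider position; the slider alone does not
# enforce anything, the per-action values below are what the browser checks.
$settings = @{ CurrentLevel = 0x12000; '1200' = 3; '1400' = 3 }   # use 1 for Prompt

function Set-IEZoneWorkarounds {
    foreach ($zone in $zones.Values) {
        $key = Join-Path $zoneRoot $zone
        foreach ($name in $settings.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
        }
    }
}

function Test-IEZoneWorkarounds {
    # Emits one row per zone/setting so the state can be reviewed or logged centrally.
    foreach ($zoneName in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $zoneRoot $zones[$zoneName])
        foreach ($name in $settings.Keys) {
            $actual = $props.$name
            [pscustomobject]@{
                Zone = $zoneName; Setting = $name
                Expected = $settings[$name]; Actual = $actual
                Ok = ($actual -eq $settings[$name])
            }
        }
    }
    # DEP check (assumption): the "Enable memory protection" box is expected to
    # leave DEPOff absent or 0; a value of 1 means DEP was switched off for IE.
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                             -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone = 'n/a'; Setting = 'DEPOff'; Expected = 0
        Actual = $main.DEPOff; Ok = (-not $main.DEPOff)
    }
}

Set-IEZoneWorkarounds
Test-IEZoneWorkarounds | Format-Table -AutoSize
```

If the machine is managed by Group Policy, HKLM policy keys can override these HKCU values, so the audit rows are only meaningful where no machine-wide zone policy is in force.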

Microsoft's latest advisory also includes technical instructions on how to use an ACL to disable OLEDB32.DLL, how to unregister OLEDB32.DLL, and how to disable Data Binding support in Internet Explorer 8.

IE users should bear in mind that there is a growing list of sites hosting exploits for this vulnerability, and now that the exploit code is publicly available, the threat will certainly grow in the coming days and weeks.

Until Microsoft can issue a patch -- out-of-cycle or otherwise -- you should consider using an alternative browser like Mozilla Firefox or Opera. If you must use Internet Explorer, be sure to securely configure the browser with the mitigations described above.

* Image source: hashmil's Flickr photostream (Creative Commons 2.0).