Zero-Day IE 7 Flaw Discovered

Bug exploits XML tag

Though Microsoft on Tuesday closed the books on its 2008 patch rollout cycle, it once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm Center.

Found in the wild a day after Microsoft released an IE patch addressing four separately reported private vulnerabilities, the bug creates an Extensible Markup Language (XML) tag, then deliberately delays its process for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if successful. This would force a restart that would allow malicious code to piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is "investigating new public claims of a possible vulnerability in Internet Explorer" without mentioning this exploit in particular. Microsoft continued that when it concludes its investigation, it will take action that "may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of zero-day exploits, including this one, continues to reinforce the importance of practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt Microsoft to reconfigure its patch release frequency to respond more rapidly to wild exploits in an increasingly real-time environment, security experts agree that such a pursuit would be in vain. Neither Microsoft nor any other company can realistically develop a patch for a single processing environment; rather, it needs to test various scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today and still provide the same level of quality," said Eric Schultze, chief technology officer of Shavlik Technologies. "In my former life working at Microsoft in the Security Response Unit, I saw Microsoft attempt to create and release patches quickly. Sometimes this leads to quality issues. In one instance, Microsoft released an Exchange Server patch four times within one day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a "no-support, use-at-your-own-risk" sign-up so people can download patches prior to or during the quality assurance and testing phases. "This would allow users to test patches on their environment and make their own decision to use them," nCircle's Reguly said. "You would still have the standard monthly patch release, but it provides a nice middle ground for those that want something faster."

-- Jabulani Leffall