Zero-Day IE 7 Flaw Discovered

Microsoft once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day IE 7 flaw discovered soon after the Patch Tuesday release.

Though Microsoft on Tuesday closed the books on its 2008 patch rollout cycle, it once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm Center.

Found in the wild a day after Microsoft released an IE patch addressing four separately reported private vulnerabilities, the bug creates an Extensible Markup Language (XML) tag then deliberately delays its process for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if successful. This would force a restart that would allow malicious code to piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is "investigating new public claims of a possible vulnerability in Internet Explorer" without mentioning this exploit in particular. Microsoft continued that when it concludes its investigation, it will take action that "may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of zero-day exploits, including this one, continues to reinforce the importance of practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt Microsoft to reconfigure its patch release frequency to respond more rapidly to wild exploits in an increasingly real-time environment, security experts agree that such a pursuit would be in vain. Neither Microsoft nor any other company can realistically develop a patch for a single processing environment; rather, it needs to test various scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today and still provide the same level of quality," said Eric Schultze, chief technology officer of Shavlik Technologies. "In my former life working at Microsoft in the Security Response Unit, I saw Microsoft attempt to create and release patches quickly. Sometimes this leads to quality issues. In one instance, Microsoft released an Exchange Server patch four times within one day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a "no-support, use-at-your-own-risk" sign-up so people can download patches prior to or during the the quality assurance and testing phases. "This would allow users to test patches on their environment and make their own decision to use them," nCircle's Reguly said. "You would still have the standard monthly patch release, but it provides a nice middle ground for those that want something faster."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.