Microsoft has just released a out-of-band critical patch for Internet Explorer
it is highly recommended from Microsoft that all Microsoft Product Users apply this update to avoid 0 day exploits to their local workstations and Terminal Servers.
Apparently MS08-78 does not replace MS08-73 that was released early this month so if you want to make sure the browser is completely up to date you will need to load this as well. - MS08-073 although if you downloaded the last Windows Security it was probably included. But it never hurts to make sure.
McAffee Advert Labs
- Warns of Microsoft Word docs being sent to users as attachments that have embedded Active X controls. The control once loaded calls a web site that is hosting the IE7 exploit and executed without the user even knowing this has happened
For the time being even after the update (one never knows) it might be easier to change your Internet Security Settings to "High" for at least the Internet Zone and then add your trusted sites. For other work arounds including disabling XML Island functionality and the use of OLEDB32.dll see:
Also See:
CVE: 2008-4844 - "Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements."
Ref: ZDNET 0 Day Blog
Leave a comment