Microsoft is reporting that a serious zero day flaw has been discovered in almost every version of Internet Explorer.

The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object’s memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.

Even more serious is the flaw can still get you if you have User Access Control enabled in Vista. Microsoft is suggesting at this time to set your security level to high for the Internet security zone, or disable active scripting. These are nice measures, but they still do not guarantee that you are safe from this flaw.

Microsoft has not yet said if they will do another out of band release, but it seems like it is serious enough that they will – once they engineer a fix that won’t break everything.

So my suggestion is (If you can) use FireFox, or another third party browser. Once the bad guys know this flaw exists they will do everything they can to exploit it.

Here are a few more informative links on the issue:

Technet clarification to workaround

McAfee’s report on the issue

Original Security Advisory from Microsoft

Like this article? Then sign up for my newsletter to get free tips and software sent right to your inbox once a week. Like you, I hate spam – I will never spam, or sell your email address.