Zap Zero-Day IE Attack Before It Zaps You

By ABC News
January 7, 2009, 4:39 PM

I feel some nostalgia as I write this column because, after penning Bugs & Fixes for eight and a half years--102 columns total--it's time for me to sign off. I've immensely enjoyed writing for you through all those years, and I'm grateful that PC World gave me the opportunity to do so.

I've always had two goals in mind: helping you ward off current threats, and providing useful information about how security holes and attacks on them work, so you'll be better prepared to deal with future problems. I hope that I have fulfilled at least the spirit of those goals. Now, as my dad back in Montana used to say: "nuff said."

The bugs keep marching along, though, and this month is no exception. Let's start off with Microsoft.

Despite recently patching more bugs--including 23 critical vulnerabilities--than it has at any other single time in the past five years, the company got blindsided by a previously unknown bug present in all supported versions of Internet Explorer (including IE 8 Beta 2).

That bug quickly spawned a wave of zero-day attacks online, as bad guys struck via the Web before Microsoft had devised any patch or workaround for it.

The bug affects a key function known as "data binding" that IE relies on in dealing with a Web language called XML; the hole involves a failure to free memory properly when it's no longer needed.

A malicious program could exploit the bug by loading its own code into the surplus memory in order to take over your PC. If you visited a booby-trapped site or clicked on a poisoned link in an e-mail, not even setting your IE security levels to maximum would have stopped it.

Microsoft's developers rushed out a fix to plug the hole, but the effort took a week; meanwhile the attacks spread. Don't get me wrong: Hammering out a major correction in just eight days is no small feat. And Microsoft recognized that the threat was scary enough to justify releasing the patch "out-of-cycle", rather than waiting for the next "Patch Tuesday."

Since it needed to get the patch out pronto, Microsoft didn't offer the IE fix as a "cumulative update." That's an indication of how dangerous Microsoft's security team considered this bug.

Because attacks have occurred "in the wild," Microsoft urges you to get the patch ASAP (if you don't have automatic updates enabled) from its Microsoft Security Bulletin MS08-078 page.

What about the other 23 critical bugs? I can't cover them all here, but these are the ones that seem most important:

Before the zero-day attacks hit, Microsoft released a cumulative patch for IE that fixes four critical holes in IE versions 5.01 (on Windows 2000 SP4) up through IE7 (on Vista SP1). Several of the weaknesses are technically similar to the zero-day attack hole.

Unlike Microsoft's out-of-cycle patch, none of the 23 vulnerabilities have been attacked yet. As usual, be diligent about keeping your updates up-to-date. Click over to Microsoft Security Bulletin MS08-073 for more info and for a link to the patches.

Microsoft also patched two holes in Windows' graphics device interface, which allows programs to show text and graphics in the Windows Metafile format, a file format typically used for line art, illustrations, and presentations. You might think you're loading an image when, in reality, you've already been compromised. As usual, to be attacked, all you'd need to do is visit a malicious Web site or click on a link to it in an e-mail.

If you don't already get updates automatically, see Microsoft Security Bulletin MS08-071 for more info and a link to the patch.

Two more holes--this time in Windows Search for Windows Vista--could result in complete loss of control over your PC. Like the IE bug, one of the holes in Search leaves itself open when it attempts to free up previously used memory. Vista has a capability called Windows Search that indexes your system to provide faster search results and to let you store searches for reuse later. The ploy that one of the bugs uses is to induce you to open and save a rigged search file by following an errant link in an e-mail or on a booby-trapped site. All stick-in-the-muds who still use Windows XP are safe. Only Vista systems (including SP1 and the SP2 Beta) are at risk. Get more information from Microsoft Security Bulletin MS08-075.

As they say on TV: But wait, there's more! Microsoft also patched a slew of bugs in Office, including a critical bug affecting Word 2007. Read more about all of these bugs and their patches at the Microsoft Security Bulletin summary page for December 2008.

The latest zero-day attacks have prompted some pundits to renew their recommendation that IE users change to Firefox. While I don't disagree with that advice, hackers are likely to pay more attention to Firefox--and thus to find more holes in it--as it gains market share against IE.

To keep Firefox secure, the folks at Mozilla have assembled a new update for the browser that patches a batch of security holes, several of them critical. One bug dwells in the browser's session-restore feature. Others could let an attacker take advantage of holes in Firefox's JavaScript (a popular Web programming language) engine to let an attacker take over your PC.

This release--Firefox 2.0.0.20--will be the final security update for the Firefox 2 line, Mozilla officials announced in a blog post. Why? It makes sense to support a single code base, so Mozilla is urging users to move to Firefox 3 (currently at version 3.0.5). Eight of the new patches apply to both version 2 and version 3.

If you don't already have the update installed via Firefox's auto update feature, you can get it at Mozilla's Firefox downloads page. From the browser, select Help, Check for Updates.

That's it for me. I hope to see you all again sometime, farther down the information superhighway.