Zero-Day IE 7 Flaw Discovered

Microsoft once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day IE 7 flaw discovered soon after the Patch Tuesday release.

Though Microsoft on Tuesday closed the books on its 2008 patch rollout cycle, it once again has to contend with "Exploit Wednesday." This time, the problem is a zero-day Internet Explorer 7 flaw discovered Wednesday by Bojan Zdrnja, a security analyst and researcher at the SANS Internet Storm Center.

Found in the wild a day after Microsoft released an IE patch addressing four separately reported private vulnerabilities, the bug creates an Extensible Markup Language (XML) tag then deliberately delays its process for 6 seconds -- presumably, Zdrnja said, "to thwart automatic crawlers by anti-virus vendors."

According to Zdrnja, the exploit could crash the browser if successful. This would force a restart that would allow malicious code to piggyback on the Web page code when the browser is reopened after reboot.

However, the researcher said only those using IE 7 and running Windows XP or Windows Server 2003 are affected by the bug.

For its part, Microsoft said in an e-mailed statement that it is "investigating new public claims of a possible vulnerability in Internet Explorer" without mentioning this exploit in particular. Microsoft continued that when it concludes its investigation, it will take action that "may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves." It is also encouraging anyone who might be affected to get assistance online or call Redmond's PC Safety hotline at (866) PC-SAFETY.

According to Tyler Reguly, a security engineer for nCircle, "The release of zero-day exploits, including this one, continues to reinforce the importance of practicing safe browsing and, to a larger extent, safe computing."

As for the notion that the growth of "Exploit Wednesdays" may prompt Microsoft to reconfigure its patch release frequency to respond more rapidly to wild exploits in an increasingly real-time environment, security experts agree that such a pursuit would be in vain. Neither Microsoft nor any other company can realistically develop a patch for a single processing environment; rather, it needs to test various scenarios and software configurations.

"I don't believe the patch process can become more frequent than it is today and still provide the same level of quality," said Eric Schultze, chief technology officer of Shavlik Technologies. "In my former life working at Microsoft in the Security Response Unit, I saw Microsoft attempt to create and release patches quickly. Sometimes this leads to quality issues. In one instance, Microsoft released an Exchange Server patch four times within one day. They tried to rush out the patch and got burned by it."

Some have suggested a more public beta program for Microsoft patches -- a "no-support, use-at-your-own-risk" sign-up so people can download patches prior to or during the the quality assurance and testing phases. "This would allow users to test patches on their environment and make their own decision to use them," nCircle's Reguly said. "You would still have the standard monthly patch release, but it provides a nice middle ground for those that want something faster."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


  • Microsoft Adds Privileged Identity Management Delegation to Azure Lighthouse

    The commercial release of Privileged Identity Management (PIM)-enabled Azure Lighthouse delegations is now available, Microsoft on Monday announced.

  • Microsoft Commercially Releases Entra Workload Identities

    Microsoft announced on Monday that its Entra Workload Identities service is now available as a commercial product offering, having reached the "general availability" stage.

  • The 2022 Microsoft Product Roadmap

    Microsoft has a lot in the docket for 2022, including new products like SQL Server 2022, Exchange Subscription Edition and Visual Studio 2022 for Mac.

  • OpenSSF Adopts Microsoft Open Source Software Security Guidelines

    The Open Source Security Foundation (OpenSSF) announced on Wednesday that it has adopted the Secure Supply Chain Consumption Framework (S2C2F) for ensuring the secure use of open source software (OSS) by developers.