Microsoft has confirmed that the unpatched bug being exploited in Internet Explorer 7 (IE7) also exists in older versions of the browser.
Meanwhile, a security researcher from a Danish company added that Microsoft's original countermeasure advice was insufficient, and recommended that users take one of the new steps Microsoft spelled out.
In a revised security advisory, Microsoft said research confirmed that the bug is within all its browsers, including those it currently supports - IE5.01, IE6 and IE7 - as well as IE8 Beta 2, a preview version the company doesn't support through normal channels. Users running any of those browsers on Windows 2000, XP, Vista, Server 2003 or Server 2008 are at risk, Microsoft said.
Even so, the company continued to downplay the severity of the threat. "At this time, we are aware only of limited attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said the advisory.
Microsoft also spelled out the root of the problem, saying that the bug is in IE's data binding functionality, and not, contrary to earlier reports by independent security researchers, in the HTML rendering code.
"The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer," said Microsoft. "When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable."
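The flaw class the advisory describes, an object released while the array length stays unchanged, can be modeled in a few lines of C. This is an added illustration, not Internet Explorer or Microsoft code; `Obj`, `BindArray`, the toy pool and every function name are hypothetical, and the pool stands in for the heap so the stale reference can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>
#define POOL 4
/* Toy object pool (constructed for this example): "release" only clears
   in_use, so a stale reference is detectable without touching freed memory. */
typedef struct { int in_use; int value; } Obj;
static Obj pool[POOL];
typedef struct { Obj *items[POOL]; size_t len; } BindArray;

static int bind_add(BindArray *a, int value) {
    for (size_t i = 0; i < POOL && a->len < POOL; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1; pool[i].value = value;
            a->items[a->len++] = &pool[i];
            return 0;
        }
    return -1;
}

/* Flawed pattern: the object is released, the array length is not updated. */
static void release_stale(BindArray *a, size_t i) { a->items[i]->in_use = 0; }

/* Corrected pattern: release, close the gap, shrink the length. */
static void release_fixed(BindArray *a, size_t i) {
    if (i >= a->len) return;
    a->items[i]->in_use = 0;
    for (size_t j = i + 1; j < a->len; j++) a->items[j - 1] = a->items[j];
    a->items[--a->len] = NULL;
}

/* Count slots inside [0, len) that still refer to a released object. */
static size_t stale_slots(const BindArray *a) {
    size_t n = 0;
    for (size_t i = 0; i < a->len; i++)
        if (a->items[i] == NULL || !a->items[i]->in_use) n++;
    return n;
}

/* Build a two-element array, release element 0, report stale slots. */
static size_t demo(int fixed) {
    BindArray a = { {0}, 0 };
    for (size_t i = 0; i < POOL; i++) pool[i].in_use = 0;
    bind_add(&a, 10); bind_add(&a, 20);
    if (fixed) release_fixed(&a, 0); else release_stale(&a, 0);
    return stale_slots(&a);
}

int main(void) {
    printf("stale slots, flawed: %zu, fixed: %zu\n", demo(0), demo(1));
}
```

In the flawed path the array still claims two live elements while one refers to a released object; the corrected path keeps the length and the contents in agreement.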
Microsoft also hinted that the "oledb32.dll" file contains the bug when it added recommendations that users disable or cripple the .dll's function as stop-gap measures. Oledb32.dll is a component of Microsoft Data Access, a collection of technologies for accessing different types of data in a uniform fashion. "OLEDB" stands for "Object Linking and Embedding, Database."
Danish security company Secunia ASP claimed that its research, which it said has been passed along to Microsoft, identified the vulnerability's true nature. "After having published our initial advisory concerning this [zero]-day, one of my guys was therefore tasked with figuring out the exact nature of the problem," said Carsten Eiram, chief security specialist at Secunia, in a blog. "It turned out that a lot of available information and assumptions were wrong."
Among those, said Eiram, was the belief that the vulnerability existed only in IE7 and was related to XML processing - as some, including Secunia, first thought.
Also incorrect, or at least partly so, is the idea that setting IE's Internet security zone to "High" and disabling scripting will keep one safe from attack, added Eiram. "Technically no ... it is still possible to trigger the vulnerability," he said. "However, it does make exploitation trickier as it protects against attacks using scripting."
Instead, Eiram said, users should disable the "oledb32.dll" file by editing the Windows registry as per the revised Microsoft advisory.
Microsoft has not disclosed a timetable for patching the problem, and did not reply to questions Friday about its plans.
One researcher is betting that Microsoft will again unveil an emergency "out-of-cycle" patch. "It's always difficult to guess with Microsoft," said Andrew Storms, director of security operations at nCircle Network Security. "[But] since they do know so much about the exploit, I would place a wager that they already have the fix and are doing QA."
The last time Microsoft issued an "out-of-cycle" patch was late October, when it fixed a flaw in Windows that hackers were already exploiting.
"Whether or not they will decide it warrants [out-of-cycle] and if it makes sense to issue instead of waiting, well, we will just have to wait and see," added Storms. "One thing is certain, this is getting a lot of attention at a time when Microsoft just released a bumper crop of client-side patches. They aren't scoring any points with Santa this December."
Last week, Microsoft released eight security updates that patched 28 vulnerabilities, 23 of them pegged "critical." Both numbers broke previous records that stretched back more than five years.