MS08-078 applies to all supported versions of IE

Dec 18, 2008 13:41 GMT  ·  By

On December 17, 2008, Microsoft released security bulletin MS08-078, designed to patch a critical vulnerability affecting all supported versions of Internet Explorer, including IE8 Beta 2 and the Beta version of IE on Windows 7 pre-Beta. The security update resolves the Pointer Reference Memory Corruption vulnerability, which Microsoft said was being actively exploited in the wild, with attacks targeting Internet Explorer 7.

“The vulnerability exists as an invalid pointer reference in the data binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable,” Microsoft stated.
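The flaw class described in Microsoft's statement, modeled in C as an added illustration that is not Internet Explorer's code and not part of the original article. All names (`BindingArray`, `ba_*`) are hypothetical, and an `alive` flag stands in for freeing memory so the stale slot can be observed without touching freed memory.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model, not Internet Explorer code: a pool entry stands in for
   a heap object, and alive = 0 stands in for that object being freed. */
#define MAX_OBJS 8
typedef struct { int alive; int value; } Obj;
typedef struct {
    Obj    pool[MAX_OBJS];   /* backing storage (constructed sample data) */
    Obj   *items[MAX_OBJS];  /* the array whose length must track releases */
    size_t len;
} BindingArray;

static void ba_init(BindingArray *a, size_t n) {
    memset(a, 0, sizeof *a);
    for (a->len = 0; a->len < n && a->len < MAX_OBJS; a->len++) {
        a->pool[a->len] = (Obj){ 1, (int)a->len };
        a->items[a->len] = &a->pool[a->len];
    }
}
/* Flawed pattern: the object is released but the slot and len are left
   untouched, so items[idx] is a dangling reference still inside [0, len). */
static void ba_release_stale(BindingArray *a, size_t idx) {
    if (idx >= a->len) return;
    a->items[idx]->alive = 0;
}
/* Corrected pattern: release, close the gap, shrink len, clear the tail. */
static void ba_release_safe(BindingArray *a, size_t idx) {
    if (idx >= a->len) return;
    a->items[idx]->alive = 0;
    memmove(&a->items[idx], &a->items[idx + 1],
            (a->len - idx - 1) * sizeof a->items[0]);
    a->items[--a->len] = NULL;
}
/* Invariant check: every slot in [0, len) must refer to a live object. */
static size_t ba_count_dangling(const BindingArray *a) {
    size_t bad = 0;
    for (size_t i = 0; i < a->len; i++)
        bad += (a->items[i] == NULL || !a->items[i]->alive);
    return bad;
}
int main(void) {
    BindingArray a;
    ba_init(&a, 4); ba_release_stale(&a, 1);
    printf("stale: len=%zu dangling=%zu\n", a.len, ba_count_dangling(&a));
    ba_init(&a, 4); ba_release_safe(&a, 1);
    printf("safe:  len=%zu dangling=%zu\n", a.len, ba_count_dangling(&a));
    return 0;
}
```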

Terry McCoy, program manager, Internet Explorer Security, emphasized that the Critical IE pointer reference memory corruption vulnerability was remotely exploitable, and advised all IE users to patch their systems. According to Mike Reavey, director, Microsoft Security Response Center, the software giant learned of attacks on December 9. The next day, Microsoft published documentation describing a series of mitigations that IE users could apply to protect their browsers against attacks. On December 17, Microsoft Security Bulletin MS08-078 was released through Windows Update.

“After rigorous development and testing, we released the update to customers. Some customers that follow us closely might know that saying 'the update' is a bit misleading, as it is actually over 300 distinct updates for over six versions of Internet Explorer that apply to over 50 different languages. And despite this huge number of distinct updates, they’re all being offered to customers automatically, regardless of their specific Internet Explorer configuration,” Reavey stated.

Follow this link for the security updates designed to patch Internet Explorer 8 (IE8) in Windows 7 pre-Beta, and Internet Explorer 7 on Windows Vista SP2 Beta and Windows Server 2008 SP2. The patches for IE5, IE6, and IE7 running on supported versions of the Windows client and server operating systems are available through Windows Update (just make sure that Automatic Updates are enabled in the settings). The updates for IE8 Beta 2 are available for download from the following links:

 

Security Update for Internet Explorer 8 Beta 2 for Windows XP (KB960714)

Security Update for Internet Explorer 8 Beta 2 for Windows XP x64 Edition (KB960714)

Security Update for Internet Explorer 8 Beta 2 for Windows Server 2003 (KB960714)

Security Update for Internet Explorer 8 Beta 2 for Windows Server 2003 x64 Edition (KB960714)

Security Update for Internet Explorer 8 Beta 2 in Windows Vista (KB960714)

Security Update for Internet Explorer 8 Beta 2 in Windows Vista x64 Edition (KB960714)

Security Update for Internet Explorer 8 Beta 2 in Windows Server 2008 (KB960714)

Security Update for Internet Explorer 8 Beta 2 for Windows Server 2008 x64 Edition (KB960714)