Internet Explorer XML Handling Zero Day
Written by Editor on December 12, 2008
Well, a little update on the new Internet Explorer XML Handling zero-day. First, the issue has now been confirmed by the Microsoft Security Response Center, which is investigating and monitoring active exploitation of it.
Additionally, it seems the issue affects more than just Internet Explorer 7.0: according to Microsoft Security Advisory (961051) it potentially affects all supported versions of Internet Explorer. This includes Internet Explorer 5.01 Service Pack 4, Internet Explorer 6 Service Pack 1, Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows.
Although various sources claim there is only limited active use of the exploit in the wild, this is likely to change, as samples of exploit code have been circulating on the Internet for a few days now. Additionally, a new exploit module for this issue has been added to the Metasploit Framework. The Metasploit module uses the memory protection bypass techniques introduced earlier this year by Mark Dowd and Alexander Sotirov and is capable of bypassing NX, ASLR, and DEP on modern platforms, which basically makes the exploit just as effective on Windows Vista and Windows 2008 as it is on Windows XP and Windows 2003.
With exploit code readily available, it is likely we will see the exploit ported to different languages and see its inclusion in more and more exploit kits and other malicious sites. We have also seen a number of reports indicating that variants of the exploit are being spread using SQL-injection and XSS attacks against sites. As a result, the exploit code could end up included within various more legitimate and trusted sites.
At this stage Microsoft has included in the advisory a number of potential workarounds to help mitigate the problem. However, at this time the best fix is to use a different browser that is not vulnerable, or to wait until Microsoft releases a fix. There is currently no indication that Microsoft will release an out-of-band patch for the issue, but they may if, for instance, this vulnerability becomes as actively exploited as the .ANI file vulnerability of a couple of years ago.
