Microsoft Release Out of Band Fix
Written by Editor on December 17, 2008
Microsoft have released a fix today for the Internet Explorer Binding Issue that has been exploited in the wild for the past month or so.
The patch is MS08-078. It is rated Critical, as we all know, or else Microsoft would not have bothered releasing an out-of-band patch. The fix addresses the Internet Explorer data binding issue that has previously been exploited in the wild using specially crafted XML and JavaScript.
The issue affects all supported versions of Internet Explorer on all Windows versions from Windows 2000 through Windows Vista and Windows 2008. It is listed as CVE-2008-4844, the Pointer Reference Memory Corruption Vulnerability.
The long and the short of it is when data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This will cause Internet Explorer to exit unexpectedly and will allow code execution.
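A simplified C model of the condition described above, added here as an illustration; it is not Internet Explorer's code and not from the original post. The names `Binding`, `BindingArray` and the two release routines are hypothetical, and a `live` flag stands in for real allocation so the stale reference can be counted without touching freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define MAX_BINDINGS 8

/* Hypothetical data-bound object; 'live' models "memory still allocated". */
typedef struct { int id; bool live; } Binding;
typedef struct { Binding *items[MAX_BINDINGS]; size_t length; } BindingArray;

static void array_add(BindingArray *a, Binding *b) {
    if (a->length < MAX_BINDINGS) { b->live = true; a->items[a->length++] = b; }
}

/* Flawed pattern: the object is released but the slot and the length are
   left unchanged, so the array still advertises the dead object. */
static void release_without_update(BindingArray *a, size_t i) {
    if (i < a->length) a->items[i]->live = false;
}

/* Corrected pattern: release, close the gap and shrink the length so no
   index below 'length' can reach the released object. */
static void release_and_update(BindingArray *a, size_t i) {
    if (i >= a->length) return;
    a->items[i]->live = false;
    for (size_t j = i + 1; j < a->length; j++) a->items[j - 1] = a->items[j];
    a->items[--a->length] = NULL;
}

/* Invariant check: slots below 'length' that refer to released objects. */
static size_t count_stale(const BindingArray *a) {
    size_t stale = 0;
    for (size_t i = 0; i < a->length; i++)
        if (a->items[i] == NULL || !a->items[i]->live) stale++;
    return stale;
}

/* Runs one constructed two-object scenario through either release routine. */
static size_t run_scenario(bool fixed) {
    Binding objs[2] = { {1, false}, {2, false} };
    BindingArray a = { {0}, 0 };
    array_add(&a, &objs[0]);
    array_add(&a, &objs[1]);
    if (fixed) release_and_update(&a, 0); else release_without_update(&a, 0);
    return count_stale(&a);
}

int main(void) {
    printf("stale refs: flawed=%zu fixed=%zu\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

A non-zero count from `count_stale` is the state the advisory describes: a consumer walking the array up to `length` would follow a reference to memory that has already been released.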
