http://www.crn.com/security/212501021
[
Microsoft (NSDQ:MSFT) issued an out-of-band emergency patch Wednesday for a
zero-day Internet Explorer vulnerability that has opened the door for hackers to
install malware on susceptible computers without any user intervention.
The flaw, which is given the highest severity rating of critical, affects all
versions of Microsoft's IE Web browser. Specifically, Microsoft's IE update
affects versions of Windows 2000 for IE 5.01: XP, XP Professional, Server 2003
for IE 6; and XP, Server 2003, Vista, Server 2008 for IE 7. The vulnerability
was reported after the release of Windows IE 8 Beta 2, but Microsoft still
recommends in its advisory that users apply the patch.

The IE security problem is the result of a fundamental flaw in the browser's
data binding function, which ultimately leaves a hole in the memory space that
can be accessed by remote hackers. Internet Explorer can then quit unexpectedly
while in an exploitable state.

Unlike other exploits, users have only to visit a malicious site infused with
Trojans or other malware in order to become infected. Hackers can also entice
victims to visit a specially crafted site, usually via some kind of phishing or
social engineering scheme, or place infected banner ads on legitimate Web sites.
.....
]