Latest updates from Microsoft: the critical remote code execution bug we already talked about affects all IE versions (including the IE8 beta) on every supported Windows operating system.
The bulletin also corrects some earlier assumptions about this unpatched vulnerability, which is being actively exploited in the wild from apparently legitimate sites infected through automated SQL injection:
- The hole is in data binding, not in XML processing as many (me included) initially reported.
- Raising the security level of the Internet Zone to "High" and disabling active scripting is not enough to protect you, even if it makes an attacker's life slightly harder. Not harder than yours, though, since Microsoft's "Security Zones" come nowhere near NoScript's usability...
The only work-around suggested by Microsoft is disabling both active scripting and the OLEDB32 library, which is unfortunately required by most applications that work with databases.
So, do you really want to keep inflicting that blue "e" on yourself? Or are you ready for a red panda?