A dangerous Internet Explorer exploit has pushed Microsoft to do an out-of-cycle patch. If the complete-system-ownage aspect of the bug isn't scary enough, there are already several exploits floating around on the Internet, even being served out as malicious ads on reputable sites.Historically, December has been a stale fruitcake of a month for the Microsoft security mavens. In December 2006 there was the Windows Metafile exploit which, like this new threat, was serious enough for Microsoft to release an emergency patch.

This new threat has something else in common with that older WMF exploit in that it supports a Microsoft-specific feature that is largely obsolete: DHTML data binding. When this feature was introduced with Internet Explorer 4.0 in 1997, it was an innovative way for a Web page designer to selectively load just part of a page.

DHTML data binding never spread to other browsers. Instead, the Internet world warmed to Ajax and DOM operations to build dynamic Web pages. That left Internet Explorer with yet another unhealthy feature. Few people use it, but since it's there it offers an attack surface for the bad guys. Even the IE8 beta is susceptible to this exploit -- proving, I guess, that it's fully compatible with IE6 and IE7.

The IE8 team has been doing some great work to bring Internet Explorer up to par as far as features and performance go. This latest security problem is a reminder that there are still plenty of dark code corners in Internet Explorer that, although rarely visited, can be extremely dangerous. Before IE8 ships, Microsoft should go through and remove or disable as many of these as possible.