03 January 2013 | 1,057 views

Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit

Check For Vulnerabilities with Acunetix

Pretty unusual for Microsoft but they’ve rushed out a fast fix for a 0-day Internet Explorer vulnerability which allows remote code execution and malware dropping. It doesn’t effect the latest version of Internet Explorer (9) but it effects all the common previous versions (6, 7 & 8) – which still accounts for the majority of users.

It is definitely important though, so I can appreciate their urgency. The sad part is most people that will fall for the scam sites that push out such malware won’t know about this patch, so they will remain at risk.

It will help a lot for corporates though managing the entire organization security as many are mandated to use Internet Explorer, and try and keep it secure..

Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.

The security flaw (CVE-2012-4792) – which affects IE 6, 7 and 8 but not the latest versions of Microsoft’s web browser software – allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.

Redmond has released a temporary Fix It (easy-to-apply workaround) pending the development of a more comprehensive patch.

The flaw was initially discovered by security tools firm FireEye on the Council on Foreign Relations website on 27 December.

The flaw was discovered right before the new year on December 27th, so Microsoft have managed to get this temporary fix out pretty fast. I’d imagine the full patch will be rolled into the next Windows Update Patch Tuesday.

I don’t expect anyone reading this is using Internet Explorer, so it wouldn’t effect us anyway – but seen as though you are probably at home over the holidays. Do us all a favour and install Chrome or Firefox on your relatives computers.

The attack had been running for at least a week, and perhaps longer, before it was detected. Retrospective analysis by Sophos suggests the same exploit was used on at least five additional websites, suggesting assaults using the bug are far from limited.

“While the assaults appeared to be targeting a small number of sites, there is no obvious link between the victims,” noted Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. “Some are referring to this as a ‘watering hole’ attack, but the evidence we have doesn’t necessarily support that conclusion.”

Security watchers advise either applying Redmond’s workarounds, upgrading to IE 9 or using an alternative browser – at least until a proper patch becomes available. The next patch Tuesday is coming up on 8 January. This doesn’t give Microsoft much time but given the high-profile nature of the vulnerability it’s likely that Redmond will release a patch sooner rather than later.

It was exploited for a week at least before discovery, so that’d give a date of around December 20th when it was first seen in the wild. The next Patch Tuesday is coming in 5 days, so we might even see an emergency out of bounds patch for this so it gets pushed out via Windows Update to the masses.

You can check out the Fix It here:

Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution

Source: The Register



Recent in Exploits/Vulnerabilities:
- Hacking Your Fridge – Internet of Things Security
- Important OpenSSL Patch – 6 More Vulnerabilities
- Spotify Hacked – Rolls Out New Android App

Related Posts:
- Microsoft Confirms Internet Explorer 0-Day
- 2 Different Hacker Groups Exploit The Same IE 0-Day
- Microsoft Breaks Patch Cycle to Issue IE Patch

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 226,931 views
- AJAX: Is your application secure enough? - 119,052 views
- eEye Launches 0-Day Exploit Tracker - 85,036 views

Advertise on Darknet

3 Responses to “Microsoft Rushes Out ‘Fix It’ For Internet Explorer 0-day Exploit”

  1. altonius 3 January 2013 at 7:58 pm Permalink

    MS’s advance security advisory notification for January has now been released and there’s nothing in there for IE6,7 and 8… They still could add it in at a later date.

  2. anon 14 January 2013 at 6:40 pm Permalink

    As always, great reporting. Quick comment –> it’s affect, not effect.

    • Darknet 21 January 2013 at 8:45 am Permalink

      Haha thanks, and yah…..that one always gets me.