Microsoft delivering fix to counter zero-day IE exploits
- By Kevin McCaney
- Sep 20, 2012
Microsoft says it will release a patch on Friday for the zero-day vulnerability in Internet Explorer that has prompted some security researchers to urge IE users to switch browsers.
The out-of-band patch will be issued about 1 p.m. Eastern time, according to an advisory from the Microsoft Security Response Center, which recommended that the patch be installed “as soon as it is available.”
Meanwhile, the company issued a Fix-it for the flaw, which Microsoft said was one-click solution that would provide protection without rebooting. But it’s only a temporary fix.
Zero-day exploit targets IE; some researchers advise switching browsers
An exploit for the flaw in multiple versions of IE was discovered last weekend by security researcher and blogger Eric Romang. Shortly afterward, Jamie Blasco, a researcher at AlienVault, found three other exploits targeting defense contractors in the United states and India.
The vulnerability, which was found being exploited in relatively small numbers, would let malware use a Flash animation to bypass security measures and allow a hacker to remotely execute code. It would attack when a user visited a vulnerable website.
The exploits were attributed to a hacker group in China dubbed Nitro, which in 2011 had attacked systems in the chemical industry and some defense contractors, and recently was found to be exploiting a zero-day flaw in Java 7 that Oracle has since patched. Romang said some of the IE exploits were found to be coming from the same server as the Java attacks.
The IE flaw affects versions 6, 7, 8 and 9 running on just about any version of Windows. And considering that that covers about 40 percent of users in North America, security experts advised people to switch to another browser, such as chrome or Firefox, until a patch is issued. In Germany, the government even made the appeal official, with the country’s Federal Office for Information Security urging people to switch browsers.
Prior to issuing the fix-it on Sept. 19, Microsoft had recommended that IE users install the company’s Enhanced Mitigation Experience Toolkit as a temporary measure, while setting Internet security settings to high to block ActiveX controls and Active Scripting.
Yunsun Wee, director of Microsoft’s Trustworthy Computing initiative, said Friday’s patch would be cumulative, and also said the company will hold a webcast on the issue Friday at 3 p.m. Eastern. Interested people can register here.
Kevin McCaney is a former editor of Defense Systems and GCN.