
Microsoft patches zero-day Internet Explorer flaw

security

By Stewart Mitchell

Posted on 14 Jan 2013 at 10:25

Microsoft will release an out-of-band update to fix a critical zero-day flaw in Internet Explorer later today.

Discovered at the end of December, the vulnerability affected IE versions 6, 7 and 8 and allowed hackers to run remote code on user machines after infected websites distributed the malware.

Microsoft issued a temporary fix shortly after the critical flaw was discovered, but the company said a full fix should be released this afternoon, with a webcast to explain the implications and procedures.

According to security experts and Microsoft, admins should waste no time in applying the update, with exploits already in the wild.

"When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble," said security firm Sophos in a blog post.

"Several websites have already been disseminating malware using this exploit, triggering it with a mixture of HTML, JavaScript and Flash."

Microsoft had previously told admins to use the company's Enhanced Mitigation Experience Toolkit to help counter the threat, as well as to deploy "the Microsoft FixIt solution, MSHTML Shim Workaround to prevent the exploitation of this issue".

However, security experts said they had seen evidence that hackers were able to compromise this initial solution.

"There are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's FixIt," said Sophos. "Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself."

PCPro-Computing in the Real World Printed from www.pcpro.co.uk
