Microsoft releases emergency fix for IE zero day

Microsoft has released a fix for the latest zero-day flaw in IE, but IT administrators must still be vigilant after patch is released, say experts

Microsoft has released a temporary fix for the latest zero-day vulnerability in its Internet Explorer (IE) web browser that is being exploited by attackers.

But security experts have warned that enterprise security administrators will have to be vigilant even after applying the full patch when it is released.

The software maker said the vulnerability, which affects IE versions 6 to 10, can lead to memory corruption, enabling an attacker to execute malicious code in the browser.

Microsoft said attackers could compromise legitimate websites or trick users into clicking malicious links in emails to exploit the vulnerability, and that attacks directed at IE8 and IE9 have been reported.

“In drive-by-download attacks, attackers need only to get a user to visit an attacker-controlled web page to compromise the browser, and then the operating system,” said Patrick Thomas, security consultant at security and risk consultancy Neohapsis.

“Drive-by-downloads are potent because, unlike phishing attacks, they require no user interaction beyond simply visiting a malicious URL,” he said.

Temporary security measures

In an advisory, Microsoft said the temporary fix was is not intended to be a replacement for any security update.

“We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios,” the advisory said.

Dustin Childs, group manager for incident response communications in Microsoft’s Trustworthy Computing group, said that until a security update is issued, IE users should apply the automated fix.

More on zero-day vulnerabilities and exploits

He also advised IE users to set internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

As a further interim measure, he said users should either configure IE to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local Intranet Security zones.

However, Childs warned that these workarounds may affect usability, so trusted sites should be added to the IE Trusted Sites zone to minimise disruption.

Greater exposure to IE exploit likely

Thomas said enterprise IT security teams should also be aware that exploit kit writers actively reverse-engineer Microsoft patches.

“So while this exploit was initially constrained to a small group of targets, it will likely be included in various commercial exploit kits and in wide, general use within the next one to five weeks,” he said.

“Administrators should plan their responses accordingly. Even when a patch becomes available, it will take time to deploy through most organisations,” said Thomas.

Enterprise IT administrators should consider upgrade plans or increased patching priorities for all other software on their company network that does not use built-in protection such as address space layout randomisation (ASLR) and data execution prevention (DEP).

This latest IE exploit, said Thomas, targets a dynamic-link library (DLL) that did not get compiled with ASLR, which shows that attackers will always target the weakest point.

Read more on Hackers and cybercrime prevention