News

Microsoft offers 'fix' for latest Internet Explorer zero day

Robert Richardson, Editorial Director

With a new module exploiting it already released for the Metasploit Framework, this week's Internet Explorer zero

Requires Free Membership to View

day vulnerability now has a provisional fix in place. Users of IE 8 (other versions aren't affected) can go to a Microsoft advisory page, click on a cheerful "Fix it" button and install a software shim that provides protection from attacks using the zero-day.

Another approach to mitigating this zero-day is to use Microsoft's Enhanced Mitigation Experience Toolkit (EMET). This free toolkit keeps watch over Windows processes and applies various mitigation techniques to find and react to attacks on memory corruption vulnerabilities. In a blog post, Qualys CTO Wolfgang Kandek said, "We ran EMET through its paces with the Metasploit module for CVE-2013-1347, and it indeed catches the exploit before it can install the RAT program." Since this is also by no means the first Internet Explorer zero day, using EMET as a general protection strategy seems wise.

The Microsoft advisory describing the vulnerability also pointed out additional factors mitigating attacks, including the default "restricted" mode used to run IE on Windows Server 2003, 2008 and 2008 R2. Another mitigating factor is that all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML-encoded messages in restricted mode.

Several security vendors reported that the U.S. Department of Labor website was hacked over the weekend in an attack that placed code to exploit the flaw within site visitors' browsers and then downloaded malware to their systems. A CrowdStrike blog entry on the attack notes, "Eight other compromised sites were also reported to be similarly compromised, with the data suggesting that this campaign began in mid-March."