IE 0day Update: Microsoft Releases a FixIt Patch

A few days ago, I posted an alert about a zero day Internet Explorer (IE) vulnerability that attackers were exploiting in the wild. By luring you to a web site containing malicious code, a remote attacker can exploit this flaw to execute code on your computer, with your privileges. To most Windows users, this means the attacker gains complete control of your computer.

Today, Microsoft released a FixIt workaround to temporarily mitigate this attack. If you use IE, I recommend you apply this FixIt immediately. It’s important to note, the FixIt doesn’t replace a full patch. Microsoft says they plan on releasing a more complete patch for this flaw on Friday. You’ll still want to apply that too, once it comes out. In the meantime, however, this FixIt offers the best protection to IE users.

For your convenience, I’ve included the original IE alert below. Be sure to check with Microsoft on Friday, for their full patch. Though I plan on alerting you when Microsoft posts their update, I will be on international flights on Friday, and may not be able to post the update till later. — Corey Nachreiner, CISSP (@SecAdept)

Yesterday, Microsoft released a critical security advisory warning customers of a serious new zero day vulnerability in Internet Explorer (IE), which attackers are exploiting in the wild.

According to a blog post, a security researcher named Eric Romang first discovered the zero day IE exploit as he was poking around a web server hijacked by the Nitro gang. Romang found four malicious files (.html x2, .swf, .exe) on the server, which acted together to infect his fully patched Windows XP machine.

Shortly after Romang’s release, Microsoft posted their security advisory confirming the previously undiscovered flaw in IE. The advisory warns that the flaw affects IE 7, 8, and 9, but not 10. Though Microsoft is still researching the issue, the vulnerability seems to be a “use after free” class of memory corruption vulnerability. In short, if an attacker can entice you to a web page containing maliciously crafted content, he could exploit this flaw to execute code on your machine, with your privileges. As usual, if you have local administrator privileges, the attacker would gain full control of your machine.

Zero day IE vulnerabilities are relatively rare, and very dangerous. Attackers are already exploiting this one in the wild, so it poses a significant risk. Furthermore, researchers have already added an exploit for this issue to the popular Metasploit framework, making it even easier for novices to leverage.

Unfortunately, Microsoft just learned of this flaw, so they haven’t had time to patch it yet. I suspect Microsoft may release an out-of-cycle patch for this flaw, but in the meantime here a few workarounds to help mitigate the issue:

  • Use IE 10 – IE 10 is not vulnerable to this issue. However, IE 10 is still only a preview build, and the latest versions only runs on Windows 8 and Server 2012. So this workaround may not help everyone.
  • Temporarily use a different web browser – I’m typically not one to recommend one web browser over another, as far as security is concerned. They all have had vulnerabilities. However, this is a fairly serious issue.  So you may want to consider temporarily using a different browser until Microsoft patches.
  • Install Microsoft EMETEMET is an optional Microsoft tool that adds additional memory protections to Windows. I described EMET in a previous episode of WatchGuard Security Week in Review. EMET is a fairly complex tool, so I only recommend it to more advanced administrators. Nonetheless, installing it could help protect your computer from many types of memory corruption flaws, including this one.
  • Configure Enhanced Security Configuration mode on Windows Servers – Windows Servers in Enhanced Security Configuration mode are not vulnerable to this attack.
  • Make sure your AV and IPS is up to date – While not all IPS and AV systems have signatures for all these attacks yet, they will in the coming days. In fact, if you use an XTM appliances with the IPS service, we can already detect and block the Metasploit variant of this attack. Whatever you use, be sure to keep your AV and IPS systems updating regularly, to get the latest protections.

I’ll continue to follow this issue as it evolves, and will post here as soon as Microsoft releases a patch.

As an aside, I apologize for the slight delay to this post. Unfortunately, I was on an international flight when this news first broke. — Corey Nachreiner, CISSP (@SecAdept)

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.


  1. IE 0day Update: Microsoft Releases a FixIt Patch « microreksa - September 21, 2012

    […] IE 0day Update: Microsoft Releases a FixIt Patch […]

  2. WatchGuard Security Week in Review: Episode 34 – IE 0day | WatchGuard Security Center - September 21, 2012

    […] Microsoft releases FixIt – WGSC […]

  3. WatchGuard Security Center - September 21, 2012

    […] you’ve read my two posts [ 1 / 2 ], and watched this week’s video, you already know all about the zero day vulnerability […]

  4. WatchGuard Security Week in Review: Episode 34 – IE 0day « microreksa - September 23, 2012

    […] Microsoft releases FixIt – WGSC […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 8,249 other followers

%d bloggers like this: