Skip to main content

Microsoft issues temporary solution for Internet Explorer zero-day flaw, promises patch this week

Microsoft has released a Fix it tool to temporarily fix the zero-day vulnerability in Internet Explorer, and promised to deliver an emergency patch on Friday.

A security researcher stumbled upon an attack code on a compromised server over the weekend targeting a zero-day vulnerability in Internet Explorer. The drive-by download attack was triggered by a use-after-free flaw which was present in all versions of Internet Explorer, except IE 10. Security researchers recommended users stop using IE entirely until the flaw was patched.

After investigating the flaw, Yunsun Wee, director of Microsoft Trustworthy Coputing said there had been an "extremely limited number of attacks." Wee promised a Fix it tool as a temporary measure while the team worked on a permanent fix. Microsoft also offered a few workarounds, such as disabling Active X controls and Active Scripting and changing the security zone to "high" to run the browser in restricted mode.

"While the vast majority of people are not impacted by this issue, today Microsoft provided a temporary fix that can be downloaded with one easy click and offers immediate protection. We will also provide a permanent solution for customers that will be automatically enabled on Friday, Sept. 21, 2012," Wee told SecurityWatch over email today.

The Fix it tool is an "easy-to-use, one-click, full-strength solution" users can install themselves, Wee wrote on the Microsoft Security Response Center blog on Tuesday. The tool is designed to "provide full protection against this issue until an update is available," Wee added.

Mitigating the Threat

"Applying the Microsoft Fix it solution, 'Prevent Memory Corruption via ExecCommand in Internet Explorer,' prevents the exploitation of this issue," Microsoft wrote in the Security Advisory. The Fix it tool is a "workaround option" and "is not intended to be a replacement for any security update," Microsoft said.

"IT admins concerned about the bug should check out this tool to see if it can help reduce security risk while we wait for the patch," Andrew Storms, director of security operations for network security firm nCircle, told SecurityWatch over email.

Microsoft also suggested deploying the Enhanced Mitigation Experience Toolkit (EMET). The utility prevents vulnerabilities from being exploited by applying in-box mitigations to affected software, in this case IE, Microsoft said. It's a little like wrapping IE inside a bubble; while the vulnerability is still there, attackers can't exploit it to take over the system.

"EMET in action is unobtrusive and should not affect customers' Web browsing experience," Wee said on Monday.

By default, Internet Explorer on Windows Server 2003, 2008 and 2008 R2 runs in restricted mode, which limits the threat. Microsoft Outlook, Outlook Express, and Windows Mail also open HTML email messages under the Restricted Sites zone, which means script and ActiveX controls are disabled.

Microsoft Responded Appropriately

Storms praised Microsoft in how the company handled the latest zero-day flaw. "In contrast with every other major software vendor, Microsoft has been communicating with users all week," Storms said. This is in stark contrast to his criticism of Oracle a few weeks ago when security vulnerabilities in Java was disclosed. Oracle's silence between when the flaws were disclosed and when the patch was released was a "complete security communication fail," Storms said at the time.

"Even if you think there are a lot of things Microsoft can improve, they are light years ahead of other vendors in providing clear, consistent, valuable communication to their users on security issues," Storms said.