

Microsoft Issues Temporary Patch For IE Zero-Day Threat; Permanent Patch Scheduled For Friday

By Ken Presti
September 19, 2012    8:10 PM ET

Microsoft has issued a temporary "fix-it" for its Internet Explorer vulnerability while a more permanent patch is expected to be released on Friday. Customers are urged to visit the Microsoft Security Response Center blog for additional details on the temporary fix.

The memory corruption vulnerability, which was acknowledged on Monday by Microsoft, impacts versions 7, 8 and 9 of Internet Explorer, although version 10, the most recent rev, appears to be unaffected at this point.

Versions nine through six "probably represents about 90% of the IE market, if not more," said Andrew Storms, director of security operations for nCircle. "IE 10 does not seem to be vulnerable to this. We're not sure why, but I suspect it's a case where it was already found and fixed."


Although the Microsoft statement indicated that the vulnerability does not impact the majority of its customers, the attack has been integrated into Metasploit and other white hat tools that are frequently used by black hat hackers, thereby making the exploit available to a far wider range of criminals.

According to Marc Maiffret, CTO at BeyondTrust, the attack currently being executed in the wild begins with a malicious website that determines which version of IE the host system is running. It then loads additional software to perform a heap spray and load an iframe. Protect.html is then loaded to trigger the vulnerability, at which point Poison Ivy is downloaded. A successful exploit leads to the ability to execute remote code.

"You essentially need to get a bunch of your attacker-supplied code loaded into memory on Internet Explorer," explained Maiffret. "You can do that through leveraging something like Flash, or in the case of the Metasploit attack, they're using Java. So it's interesting to note that if you don't have Java, you're not vulnerable to this as a Metasploit attack."

It is generally believed that the vulnerability is exploitable through means other than Java; however, many security experts have recommended disabling Java as a means of strengthening security posture.
