Seems Microsoft’s fix is not much of a solution at all
Just days after Microsoft issued a workaround solution to stop attackers exploiting a zero-day vulnerability in Internet Explorer, researchers have shown how easy it is to get around the supposed fix.
Microsoft rushed out a Fix It tool this week to prevent hackers from exploiting a previously unknown memory corruption flaw in IE versions 6, 7 and 8, which hackers have used to carry out watering hole attacks. In this kind of attack, hackers add malicious code to webpages they know their targets frequent.
Undoing the Internet Explorer fix
But that fix has been circumvented by researchers at Exodus Intelligence, a vulnerability specialist formed by ex-employees of the Zero-Day Initiative. Aaron Portnoy, co-founder and vice-president of research at Exodus, told TechWeekEurope it took less than a day’s work to get around the fix and exploit the flaw.
“It was quite easy for our resident browser pwner, Peter Vreugdenhil,” Portnoy said. “It is quite urgent Microsoft patch this issue given the fact that it is being actively exploited, exploits are publicly available in Metasploit, and as we’ve discovered, their “Fix It” patch is broken.
“We’ll be withholding details until Microsoft releases an official patch. It’s likely that this variation might end up in Metasploit after we release details (although perhaps someone else will investigate the bypass independently now that we’ve mentioned it is possible).”
Exodus will be informing its customers on how it carried out the exploit, however.
Microsoft had not responded to a request for comment at the time of publication.
The tech giant announced it Patch Tuesday list of fixes today, which did not include cover for the Internet Explorer flaw.
The Internet Explorer zero-day was used to compromise US-based think-tank Council on Foreign Relations. Capstone Turbine, a US micro-turbine manufacturer, was also targeted.
Security firm Symantec believes the hackers exploiting the flaw have significant funding and are running a highly-sophisticated operation.
“In this particular case, use of a zero-day exploit suggests a high level of sophistication requiring access to resources and skills which would normally be outside most hackers’ capabilities,” it wrote in a blog post.
How well do you know Internet security? Try our quiz and find out!