Microsoft on Monday released a temporary one-click “Fix it” tool for old versions of Internet Explorer. Running it will prevent the recently-discovered vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web. Unlike an actual patch for the browser, a reboot is not required.
Microsoft says it has “observed only a few attempts to exploit this issue” but it is still encouraging all users of its browser to apply the Fix it solution. As we reported on Saturday when the security hole was first discovered, IE9 and IE10 are not affected.
Microsoft also said it is still working on a security update to address the issue in question. It’s important to note that the update will be the permanent solution, while today’s Fix it is just a temporary one. From the Fix it page:
The Fix it solution that is described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this Fix it solution as a workaround option for some scenarios.
In the meantime, Microsoft is monitoring the Web to see if the exploit starts being used more broadly; in that case the company will likely rush out a patch. If not, it will be released as soon as it’s fully tested, or on the next Patch Tuesday, which will be next month.
For those who didn’t see the news on the weekend, criminals started using the new IE security hole to breach Windows computers in targeted attacks. The IE zero-day flaw first came to light after reports surfaced that the Council on Foreign Relations (CFR) had been hacked, and was hosting malicious content as early as December 21. Microsoft responded by issuing a security advisory, a rare occurrence for a Saturday.
Although this particular flaw is not present in the latest versions of IE, which is great to hear, it’s still bad news for users of Windows XP and earlier, since they cannot upgrade to more recent versions of Microsoft’s browser. At the time we learned of the issue, we recommended avoiding the use of IE8 or earlier by either upgrading to IE9/IE10, or simply using a different browser such as Google Chrome. Now IE users have a temporary fix they can deploy until Microsoft releases a patch.