Despite IE exploit code in the wild, Microsoft won’t release emergency fix before this month’s Patch Tuesday

Despite IE exploit code in the wild, Microsoft won’t release emergency fix before this month’s ...

Microsoft today announced its plans to release eight security bulletins on this month’s Patch Tuesday, including a patch that will address a flaw in all supported versions of Internet Explorer that the company confirmed over two weeks ago. This means IE users will not be getting an emergency patch issued early, despite the fact that the security hole in question has already been exploited in the wild and that exploit code is publicly available.

The flaw in question is present in IE6, IE7, IE8, IE9, IE10, and IE11. At the time of disclosure, Microsoft confirmed reports that it was being exploited in a “limited number of targeted attacks” specifically directed at IE8 and IE9.

Earlier this week, a module for the Metasploit exploit framework was released. Metasploit is used by both security professionals and hackers alike, so the exploit code for this flaw is now very much publicly available and its use could soon no longer be limited to targeted attacks.

Nevertheless, it appears that Microsoft simply wants to stick to its standard schedule. The company always announces what patches are coming on the first Thursday of every month (in this case, today), and then releases them on the second Tuesday of every month (in this case, October 8). Clearly there’s some more testing needed for this latest IE patch before it can be released.

In the meantime, Microsoft offered the following workarounds and mitigations two weeks ago, and these are still your best bet while you wait:

  • Apply the Microsoft Fix it solution, “CVE-2013-3893 MSHTML Shim Workaround,” that prevents exploitation of this issue.
  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and local intranet security zones.

The first option can be enabled and disabled as needed. The second and third options will help prevent exploitation but can affect usability. As such, Microsoft recommends trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize problems.

Top Image Credit: ToddABishop

Read next: Android developers can now link Google Analytics with Google Play to see user acquisition and engagement for apps