This article was published on January 4, 2013

Researchers bypass Microsoft’s temporary fix for IE6, IE7, and IE8 vulnerability; patch still MIA


Researchers bypass Microsoft’s temporary fix for IE6, IE7, and IE8 vulnerability; patch still MIA

Microsoft’s temporary one-click “Fix it” tool for a vulnerability in old versions of Internet Explorer doesn’t completely protect users. Exodus Intelligence security researchers on Friday said they have figured out how to bypass it.

The only good news is that the company has not released the code publicly, though it has given details to its customers. The security firm says it plans to notify Microsoft about the workaround, which it claims to have developed after less than a day of reverse engineering.

The news is rather terrible timing given that Microsoft just yesterday announced its usual advance notification for the upcoming Patch Tuesday next week, in which a security bulletin for this IE vulnerability was notably missing. For those who didn’t see the news on the weekend, criminals started using a new vulnerability in IE6, IE7, and IE8 to breach Windows computers as part of targeted attacks (IE9 and IE10 are not affected).

The IE zero-day flaw first came to light after security firm FireEye detailed that the Council on Foreign Relations (CFR) had been hacked, and was hosting malicious content as early as December 21. Security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine was also a victim since at least December 18. Avast let us know that multiples sites around the world have since been targeted as well.

Microsoft responded by issuing a security advisory, a rare occurrence for a Saturday, and then followed up on Monday with a temporary one-click “Fix it” tool. Running it is supposed to prevent the vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web. Unfortunately, this new information today suggests the “Fix it” tool is flawed.

Microsoft has been encouraging IE users to apply the temporary fix and said it would be providing a security update to address the issue in question. This new development could force Microsoft to release a patch before this Tuesday. Alternatively, Microsoft could update the temporary “Fix it” tool and release the security patch when it’s fully tested by February’s Patch Tuesday.

Either way, Microsoft has to do something since Windows XP users and earlier cannot upgrade to more recent versions of Microsoft’s browser. If you can’t install IE9 or IE10, we recommend using a different browser such as Google Chrome.

We have contacted Microsoft about this “Fix it” problem. We will update this article if we hear back.

Update at 4:55PM EST: “Customer protection is a top priority for us,” Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement. “We are aware of this claim and have reached out to the group for more information.”

Image credit: channah

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with