Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix


Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 - but which could potentially affect all versions of the web browser.

According to a blog post by Dustin Childs, a group manager for communications in Microsoft’s Trustworthy Computing group, the security hole can be exploited when users visit a boobytrapped webpage:

This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks.

Microsoft is trying to create a proper security update to protect against the flaw - but in the meantime, a temporary “Fix-It” tool, dubbed “CVE-2013-3893 MSHTML Shim Workaround”, is available.

It’s worth underlining that unlike most fixes from Microsoft, this Fix-It tool will not be automatically rolled out to millions of users. If you want to protect your copy of Internet Explorer from having the flaw exploited, you need to download and run the tool.

And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper, permanent and reliable patch for the problem with appropriate haste.

My advice is that Windows users should run the Fix-It tool, especially if they use Internet Explorer to visit websites.

Further mitigations and workarounds are detailed in the Microsoft blog post and in an accompanying support advisory.

One Response

  1. spryte

    September 17, 2013 at 10:28 pm #

    Thanks for the heads-up.

    I do not use IE but it is hooked to Windows so I’ll fix it.
