Last week Microsoft published a Fix-it to protect vulnerable users of IE 6, 7 and 8. The Fix-it is designed to crash the browser before an exploit can be effected. But now Peter Vreugdenhil from Exodus Intelligence is reported to have found a way around the Fix-it. “After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” writes the company.
Exodus has not publicly disclosed details of its method, but has reported it to Microsoft. “We are aware of this claim and have reached out to the group for more information,” said Dustin Childs, group manager for Microsoft Trustworthy Computing, according to Computerworld. The problem with this Fix-it is that there are normally numerous routes to reach a vulnerability, and not all of them are covered. Wherever possible, users are advised to upgrade to IE 9 or 10, but this isn’t possible for XP users. Anyone who wants or needs greater security than a Fix-it should, says Chester Wisniewski from Sophos, “be using EMET, as it is far superior to the one-click ‘fix it’.”
Microsoft is working on a permanent fix for the flaw, but has not included one in tomorrow’s Patch Tuesday. It remains to be seen whether this latest news will spur the company into an out-of-band emergency update, or whether users will need to wait for the next scheduled update – or even the one after that.
FireEye discovered the vulnerability at the end of last year being exploited as a water hole attack via the website of the New York-based Council on Foreign Relations. It has since been linked to the Elderwood gang, “a China-based hacker coalition,” says the Shanghaiist, “that has previously targeted Google, Tibetan- and Uyghur-rights groups, Amnesty International, Taiwanese travel sites, and other pages seen to be ‘anti-China’.”
“It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year,” warns Symantec.