Related Links

Related Stories

Top 5 Stories


Internet Explorer still vulnerable despite Microsoft’s Fix-it

07 January 2013

The 0-day IE vulnerability discovered at the end of 2012 is not fully fixed by the Fix-it released by Microsoft last week, says security researcher: the Fix-it can be bypassed and the vulnerability still exploited.

Last week Microsoft published a Fix-it to protect vulnerable users of IE 6, 7 and 8. The Fix-it is designed to crash the browser before an exploit can be effected. But now Peter Vreugdenhil from Exodus Intelligence is reported to have found a way around the Fix-it. “After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” writes the company.

Exodus has not publicly disclosed details of its method, but has reported it to Microsoft. “We are aware of this claim and have reached out to the group for more information," said Dustin Childs, group manager for Microsoft Trustworthy Computing, according to Computerworld. The problem with this Fix-it is that there are normally numerous routes to reach a vulnerability, and not all of them are covered. Wherever possible, users are advised to upgrade to IE 9 or 10, but this isn’t possible for XP users. Anyone who wants or needs greater security than a Fix-it should, says Chester Wisniewski from Sophos, “be using EMET, as it is far superior to the one-click 'fix it’.”

Microsoft is working on a permanent fix for the flaw, but has not included one in tomorrow’s Patch Tuesday. It remains to be seen whether this latest news will spur the company into an out-of-band emergency update, or whether users will need to wait for the next scheduled update – or even the one after that.

FireEye discovered the vulnerability at the end of last year being exploited as a water hole attack via the website of the New York-based Council on Foreign Relations. It has since been linked to the Elderwood gang, “a China-based hacker coalition,” says the Shanghaiist, “that has previously targeted Google, Tibetan- and Uyghur-rights groups, Amnesty International, Taiwanese travel sites, and other pages seen to be ‘anti-China’.”

“It has become clear that the group behind the Elderwood Project continues to produce new zero-day vulnerabilities for use in watering hole attacks and we expect them to continue to do so in the New Year,” warns Symantec.

This article is featured in:
Application Security  •  Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×