September 19th, 2012, 21:19 PM
Microsoft to Release Fix It Tool to Fight IE Zero-Day
Microsoft said it plans to release a Fix It tool to address a zero-day flaw in Internet Explorer (IE) at the center of attacks.
The Fix It tool would provide a temporary solution while users wait for either an emergency out-of-band patch or an update on Patch Tuesday next month. The flaw affects Internet Explorer versions 6, 7, 8 and 9, and can be exploited to remotely execute code. According to security vendor AlienVault, attackers have used the vulnerability to target defense and industrial companies.
"There have been an extremely limited number of attacks—the vast majority of Internet Explorer users have not been impacted," Yunsun Wee, director, Microsoft Trustworthy Computing, said in a statement. "We are working on an easy-to-use, one-click fix that will be released in the next few days, but in the meantime we recommend customers make sure their antivirus software is up-to-date.” He advised users visit Microsoft’s Safety and Security Center for additional information.
The vulnerability arises from the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. As a result, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code while a user is working with Internet Explorer, Microsoft warned. Attackers can infect users, the company added, via a specially-crafted website designed to exploit the bug after convincing victims to view the site.
"If your systems are running IE, you are at risk, but don’t panic," said Andrew Storms, director of security operations at nCircle. "The reality is it’s just one more zero-day and we’ve seen an awful lot of them come and go."
"The bad news is that the bug affects all versions of IE except IE10," he added. "The Metasploit exploit requires the presence of Java on the target system. Systems without Java are safe against Metasploit-based exploits for now. This seems like a very a good time to re-evaluate how many of your systems really need to run Java."