Microsoft has released a Fix It tool to address a zero-day flaw in Internet Explorer (IE) that has been the target of a number of hacking attacks.
The Fix It tool provides a temporary solution for the situation while users wait for an emergency out-of-band patch Microsoft said will be made available Sept. 21. The flaw affects Internet Explorer versions 6, 7, 8 and 9, and can be exploited to remotely execute code. According to security vendor AlienVault, attackers have used the vulnerability to target defense and industrial companies.
“There have been an extremely limited number of attacks-the vast majority of Internet Explorer users have not been impacted,” Yunsun Wee, director, Microsoft Trustworthy Computing, said in a statement. “We are working on an easy-to-use, one-click fix that will be released in the next few days, but in the meantime, we recommend customers make sure their antivirus software is up-to-date.” Wee advised users to visit Microsoft’s Safety and Security Center for additional information.
The vulnerability arises from the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. As a result, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code while a user is working with Internet Explorer, Microsoft warned. Attackers can infect users, the company added, via a specially crafted Website designed to exploit the bug after convincing victims to view the site.
“If your systems are running IE, you are at risk, but don’t panic,” said Andrew Storms, director of security operations at nCircle. “The reality is, it’s just one more zero-day, and we’ve seen an awful lot of them come and go.”
“The bad news is that the bug affects all versions of IE [Internet Explorer] except IE10,” he added. “The Metasploit exploit requires the presence of Java on the target system. Systems without Java are safe against Metasploit-based exploits for now. This seems like a very a good time to re-evaluate how many of your systems really need to run Java.”
There are a number of mitigating factors for the vulnerability. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the Restricted sites zone, which reduces the risk in this case because it disables script and ActiveX controls.
While users wait for a patch, Microsoft advised that anyone worried about the attacks can take a number of actions to protect their computers, including deploying Microsoft’s Enhanced Mitigation Experience Toolkit and setting Internet and local Internet security zone settings to high to block ActiveX controls and Active Scripting in both zones. In addition, users can also configure IE to prompt them before running Active Scripting, or can disable it outright.
Editor’s Note: This story was updated to state that Microsoft had released the Fix It tool that it had promised to issue as a temporary solution to the Internet Explorer zero-day flaw.