Microsoft announced last night it would issue an out-of-band patch on Friday for a zero-day Internet Explorer vulnerability disclosed earlier this week. In the meantime, Microsoft made a FixIt available on Wednesday that would temporarily mitigate the threat posed by active exploits found in the wild.
The out-of-band patch will be available by 1 p.m. ET on Friday, said Yunsun Wee, director of Trustworthy Computing for Microsoft.
This has been a fluid story this week, starting with the discovery of exploits for a previously unknown use-after-free memory corruption vulnerability in versions 6 through 9 of the browser. Soon thereafter, three more exploits were found and tied to a hacker group in China known as Nitro, the same group blamed for exploiting two zero-day Java flaws disclosed three weeks ago.
“Earlier this week, an issue impacting Internet Explorer affected a small number of customers. The potential exists, however, that more customers could be affected,” Wee said in a post on the Microsoft Security Response Center blog.
Organizations concerned about prolonged exposure to the working exploits can apply the FixIt in the meantime. FixIt is an automated tool that diagnoses and repairs problems on endpoints; in this case it applies a temporary mitigation and is a workaround, not a replacement for the patch. Microsoft said the patch will be part of a cumulative update for IE that will be released via Windows Update and other distribution channels.
The vulnerability is a use-after-free, a memory corruption class distinct from a classic buffer overflow: IE continues to use an object in memory after it has been deleted (or one that was never properly allocated), so whatever has since been placed at that address is treated as the live object. A successful exploit lets a remote attacker execute arbitrary code with the privileges of the logged-on user, which is one reason to browse from a standard account rather than an administrator account.
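The bug class described above, as an added example: this is not Internet Explorer code and not any of the exploits mentioned in the article, but a small C program that shows why a use-after-free hands control flow to the attacker. It uses a toy fixed-slot allocator (names `toy_alloc`, `toy_free`, `element_t`, `on_event` are hypothetical) so the slot reuse is deterministic and the program runs without undefined behaviour; a real size-class heap allocator behaves the same way when a same-sized allocation follows a free.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4

/* Toy size-class allocator: fixed-size slots with a LIFO free list. The
 * most recently freed slot is handed out first, which is the property a
 * use-after-free exploit relies on: a same-sized allocation made right
 * after the free lands exactly where the dead object was. */
static uint8_t *heap;          /* NSLOTS * SLOT_SIZE bytes, malloc'd once */
static int free_list[NSLOTS];
static int free_top;

static void heap_init(void) {
    if (!heap && !(heap = malloc(NSLOTS * SLOT_SIZE))) abort();
    memset(heap, 0, NSLOTS * SLOT_SIZE);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}

static void *toy_alloc(void) {
    return free_top ? heap + free_list[--free_top] * SLOT_SIZE : NULL;
}

static void toy_free(void *p) {
    free_list[free_top++] = (int)(((uint8_t *)p - heap) / SLOT_SIZE);
}

/* Hypothetical browser object: a dispatch pointer followed by data, the
 * same shape as a C++ object whose first word is its vtable pointer. */
typedef int (*handler_t)(void);
typedef struct {
    handler_t on_event;
    char name[SLOT_SIZE - sizeof(handler_t)];
} element_t;
_Static_assert(sizeof(element_t) == SLOT_SIZE, "element must fill one slot");

static int benign_handler(void)   { return 1; }
static int attacker_handler(void) { return 0xbad; }  /* stands in for shellcode */

/* Vulnerable flow: the object is freed while a second reference survives. */
static int vulnerable(void) {
    heap_init();
    element_t *el = toy_alloc();
    el->on_event = benign_handler;
    strcpy(el->name, "div");

    element_t *dangling = el;           /* second reference, kept elsewhere */
    toy_free(el);                       /* object deleted, reference not cleared */

    /* Attacker-controlled same-size allocation (think: a string built from
     * script) reuses the freed slot; its first bytes overlay on_event. */
    uint8_t *spray = toy_alloc();
    handler_t h = attacker_handler;
    memcpy(spray, &h, sizeof h);
    memset(spray + sizeof h, 'A', SLOT_SIZE - sizeof h);

    return dangling->on_event();        /* control flow is now attacker-chosen */
}

/* Hardened flow: one owning handle, cleared on free, checked before use. */
static int hardened(void) {
    heap_init();
    element_t *el = toy_alloc();
    el->on_event = benign_handler;
    strcpy(el->name, "div");

    element_t **ref = &el;              /* the only path to the object */
    toy_free(*ref);
    *ref = NULL;                        /* no dangling pointer survives the free */

    uint8_t *spray = toy_alloc();       /* same spray, now harmless */
    handler_t h = attacker_handler;
    memcpy(spray, &h, sizeof h);

    return *ref ? (*ref)->on_event() : -1;
}

int main(void) {
    printf("vulnerable: dispatched to handler returning 0x%x\n", vulnerable());
    printf("hardened:   dispatch refused (%d)\n", hardened());
    return 0;
}
```

The point of the comparison is that the attacker never writes outside any buffer; the corruption comes entirely from the allocator reusing the slot while a stale pointer still names it. Mitigations that delay or randomize reuse of freed memory make the overlay unreliable, which is why a browser vendor's temporary workaround can blunt an exploit before the dangling reference itself is fixed.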
Security researcher and Metasploit contributor Eric Romang discovered the first exploit last weekend. Monitoring the compromised servers, he found four files: an executable, two HTML files and a Flash movie. When a user lands on the malicious web page, the Flash movie loads and the exploit drops the PoisonIvy remote access Trojan as an executable on the victim's machine. None of the four files was detected by antimalware products at the time. On Monday, an exploit module was built for Metasploit.
One day later, AlienVault Labs manager Jaime Blasco discovered three new exploits, one dropping the PlugX RAT. The new exploits targeted defense contractors in the U.S. and India.