Microsoft Will Patch IE Zero-Day on Friday; Fixit Available as Stopgap

Microsoft announced last night it would issue an out-of-band patch on Friday for a zero-day Internet Explorer vulnerability disclosed earlier this week. In the meantime, Microsoft made a FixIt available on Wednesday that would temporarily mitigate the threat posed by active exploits found in the wild.The out-of-band patch will be available by 1 p.m. ET on Friday, said Yunsun Wee, director of Trustworthy Computing for Microsoft.

Microsoft announced last night it would issue an out-of-band patch on Friday for a zero-day Internet Explorer vulnerability disclosed earlier this week. In the meantime, Microsoft made a FixIt available on Wednesday that would temporarily mitigate the threat posed by active exploits found in the wild.

The out-of-band patch will be available by 1 p.m. ET on Friday, said Yunsun Wee, director of Trustworthy Computing for Microsoft.

This has been a fluid story this week, starting with discovery of exploits for a previously unknown use-after-free memory corruption vulnerability in versions 6-9 of the browser. Soon thereafter, three more exploits were found and were tied to a hacker group in China known as Nitro, the same group responsible for exploits of two zero-day Java flaws disclosed three weeks ago.

“Earlier this week, an issue impacting Internet Explorer affected a small number of customers. The potential exists, however, that more customers could be affected,” Wee said in a post on the Microsoft Security Response Center blog.

Organizations concerned about prolonged exposure to the working exploits can take advantage of the FixIt solution. FixIt is an automated tool that diagnoses and repairs problems on endpoints. Microsoft said the patch will be part of a cumulative update for IE that will be released via Windows update and other distribution channels.

The vulnerability in question is similar to a buffer overflow flaw. The vulnerability occurs because of the way IE accesses objects in memory that have been deleted or not properly allocated. A successful exploit will allow an attacker to remotely execute code with the user’s privileges.

Security researcher and Metasploit contributor Eric Romang discovered the first exploit last weekend. Monitoring the infected servers, he found four files: an executable; two HTML files and a Flash movie. When a user lands on an infected webpage, the Flash movie loads and drops the PoisonIvy remote access Trojan as an executable on the victim’s machine. None of the files were picked up by antimalware protection. On Monday, an exploit module was built for Metasploit.

One day later, AlienVault Labs manager Jaime Blasco discovered three new exploits, one dropping the PlugX RAT. The new exploits targeted defense contractors in the U.S. and India.

Suggested articles

Another IE Exploit Targeting Defense Industry Discovered

Another malicious website has been discovered hosting an exploit for the zero-day vulnerability Internet Explorer patched by Microsoft last week. This site, like the other exploits discovered, targets the defense and space industries, and is dropping an unknown payload, according to Barracuda Labs.

Researcher Finds Three New Exploits Targeting Latest IE Zero-Day

A researcher at AlienVault has discovered three new servers delivering exploits targeting the latest zero-day vulnerability in Internet Explorer. Jamie Blasco, AlienVault Labs manager, said the one of the servers is delivering a new malware payload, and all of them appear to be targeting defense contractors in the United States and India.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.