SOFTWARE HOUSE Microsoft has knocked out an emergency security fix to address attacks targeting Internet Explorer (IE).
The patch arrives as a temporary workaround after the Redmond firm admitted in a security advisory on Tuesday that hackers exploited a zero-day vulnerability in IE versions 8 and 9 on Windows XP and Windows 7.
"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution 'CVE-2013-3893 MSHTML Shim Workaround' prevents the exploitation of this issue," the company claimed.
The remote code execution vulnerability exists in the way IE accesses an object in memory that has been deleted or not properly allocated.
"The vulnerability may corrupt memory [allowing] an attacker to execute arbitrary code in the context of the current user within Internet Explorer," Microsoft said in the advisory. "An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
The exploit depends on a Microsoft Office DLL compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack.
Wolfgang Kandek, CTO of security company Qualys, said that the DLL involved is "extremely common", so this dependency most likely will not lower the affected population by much.
"While the attack is very targeted and geographically limited to Japan, it might not affect you at the moment," Kandek said. "But with the publication of the shim, other attackers can now analyse the condition fixed and will be able to produce an equivalent exploit fairly quickly.
"Therefore we suggest applying the Fix-It as soon as possible if you use IE to access the Internet."
Microsoft said that after installing the fix, IE will have to be restarted to put it into effect. µ
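The dependency on a DLL built without ASLR can be audited on your own systems, because a module opts in to ASLR through the DYNAMIC_BASE bit in its PE header. The Python below is an added example, not code from this article or from Microsoft's advisory; the function names and the sample header are constructed for illustration.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the MSVC linker's /DYNAMICBASE


def aslr_status(image: bytes) -> str:
    """Classify the bytes of a PE file as 'aslr', 'no-aslr' or 'not-pe'."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
    if opt + 72 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    opt_size, coff_flags = struct.unpack_from("<HH", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:  # PE32 / PE32+
        return "not-pe"
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    (dll_flags,) = struct.unpack_from("<H", image, opt + 70)
    if not dll_flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "no-aslr"
    if coff_flags & IMAGE_FILE_RELOCS_STRIPPED:
        return "no-aslr"  # opted in, but cannot be rebased without relocations
    return "aslr"


def sample_header(dll_flags: int, coff_flags: int = 0x2102) -> bytes:
    """Constructed, minimal PE32 DLL header used only to exercise aslr_status()."""
    img = bytearray(0x40 + 24 + 96)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x40 + 20, 96, coff_flags)
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)
    struct.pack_into("<H", img, 0x40 + 24 + 70, dll_flags)
    return bytes(img)


if __name__ == "__main__":
    # Usage: python check_aslr.py C:\path\to\one.dll C:\path\to\another.dll
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{aslr_status(fh.read()):8} {path}")
```

Modules reported as `no-aslr` load at a predictable address in every process that imports them, which is the property the article says the exploit relies on.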