According to Exodus Intelligence it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed on the details of the bypass to its customers. Thankfully it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addressed the issue.
“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.
Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However, a fix for the Internet Explorer vulnerability will not be among the patches.
Internet Explorer 9 and 10 are immune to the attack, and upgrading to a later version of IE will protect users (as will using a different browser such as Firefox or Chrome). The problem is that XP users cannot upgrade IE beyond version 8, and enterprise users may still be stuck on older versions of IE because of legacy application support. Together, this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.