July 30, 2014

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

security news at livehacking.com(LiveHacking.Com) –  Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability which was found at the end of last year. An exploit was found, in the wild, for a previously unknown (zero-day) vulnerability during the clean up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit found used a heap spray attack against the zero-day vulnerability.

Microsoft issued  Security Advisory 2794220 which confirmed that the issue impacts Internet Explorer 6, 7, and 8. Internet Explorer 9 and 10 are not affected by this issue, so upgrading mitigates the problem, however neither IE 9 or IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. However once the Fix It was out, security information company Exodus Intelligence published details on how it had managed to bypass the shim and make IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future.  The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

Share and Enjoy:
  • Print
  • Digg
  • StumbleUpon
  • del.icio.us
  • Facebook
  • Yahoo! Buzz
  • Twitter
  • Google Bookmarks