Microsoft has released a Fix It tool to address an IE security flaw – a fresh “zero-day” weakness in Microsoft’s Internet Explorer (IE) browser that has been the target of a number of hacking attacks in recent days.
The Fix It tool (which can be downloaded here) provides a temporary solution for the situation while users wait for an emergency out-of-band patch which Microsoft says will be made available on friday 21 September. The flaw affects Internet Explorer versions 6, 7, 8 and 9, and can be exploited to remotely execute code. According to security vendor AlienVault, attackers have used the vulnerability to target defense and industrial companies.
The vulnerability arises from the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. As a result, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code while a user is working with Internet Explorer, Microsoft warned. Attackers can infect users, the company added, via a specially crafted Website designed to exploit the bug after convincing victims to view the site.
“If your systems are running IE, you are at risk, but don’t panic,” said Andrew Storms, director of security operations at nCircle. “The reality is, it’s just one more zero-day, and we’ve seen an awful lot of them come and go.”
“The bad news is that the bug affects all versions of IE [Internet Explorer] except IE10,” he added. “The Metasploit exploit requires the presence of Java on the target system. Systems without Java are safe against Metasploit-based exploits for now. This seems like a very a good time to re-evaluate how many of your systems really need to run Java.”
There are a number of mitigating factors for the vulnerability. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the Restricted sites zone, which reduces the risk in this case because it disables script and ActiveX controls.
Are You Plugged Into USB? Take our quiz.
While users wait for a patch, Microsoft advised that anyone worried about the attacks can take a number of actions to protect their computers, including deploying Microsoft’s Enhanced Mitigation Experience Toolkit and setting Internet and local Internet security zone settings to high to block ActiveX controls and Active Scripting in both zones. In addition, users can also configure IE to prompt them before running Active Scripting, or can disable it outright.
Editor’s Note: This story was updated to state that Microsoft had released the Fix It tool that it had promised to issue as a temporary solution to the Internet Explorer zero-day flaw.
CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation
Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…
Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…