Microsoft has released an Internet Explorer "Fix it" to temporarily address a vulnerability that exists in all supported versions of its Web browser.
According to a blog post by the Redmond, Wash.-based software giant, the IE Fix it, "CVE-2013-3893 MSHTML Shim Workaround," aims to prevent the active exploitation of a newly discovered remote code execution vulnerability while Microsoft works on a permanent resolution. Though all supported versions of Internet Explorer (IE) could be affected, Microsoft said reports indicated that only versions 8 and 9 have been actively targeted.
In a blog post, Microsoft Security Response Center Engineer Neil Sikka explained that attackers are targeting a use-after-free vulnerability in the HTML rendering engine of IE. He noted that the attacks take advantage of a Microsoft Office DLL that was not compiled with Address Space Layout Randomization (ASLR) enabled.
Attackers can target this vulnerability via malicious webpages and possibly advertisements, but they still need to direct users to the malicious content via a Web link, email or IM. Attackers can potentially gain user rights via a successful exploit, though those rights could be limited based on the account settings of the current user.
Beyond applying the temporary fix, the company also advised that version 4.0 of its Enhanced Mitigation Experience Toolkit could help protect against the active exploits it has analyzed.
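The point above about an Office DLL compiled without ASLR can be checked on any module by reading the opt-in flags in its PE headers. The following is an added example, not code from Microsoft or the blog post; the function names and the header-only sample images are constructed for illustration.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (/DYNAMICBASE)
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (/NXCOMPAT)
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED: image cannot be rebased
DLLCHAR_OFFSET = 70       # DllCharacteristics offset in optional header (PE32 and PE32+)


def pe_mitigations(image: bytes) -> dict:
    """Return the ASLR/DEP opt-in flags recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # 4-byte "PE\0\0" signature + 20-byte COFF file header
    if len(image) < opt + DLLCHAR_OFFSET + 2 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing or truncated PE header")
    (file_chars,) = struct.unpack_from("<H", image, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    relocatable = not (file_chars & RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocatable": relocatable,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        # A module opts into ASLR only if it is flagged AND still has relocations.
        "opts_into_aslr": dynamic_base and relocatable,
    }


def sample_image(dll_chars: int, file_chars: int = 0x2102) -> bytes:
    """Constructed header-only PE32 DLL image for the demo (not a real DLL)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, file_chars)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<H", optional, DLLCHAR_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    for label, img in (("flagged", sample_image(0x0140)),
                       ("no /DYNAMICBASE", sample_image(0x0100)),
                       ("relocs stripped", sample_image(0x0140, 0x2103))):
        print(label, pe_mitigations(img))
```

To audit a real module, pass the file's bytes (for example `open(path, "rb").read()`) to `pe_mitigations`; modules reporting `opts_into_aslr` as false load at a predictable address unless a system-wide policy forces relocation.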