
Microsoft offers temporary fix for Internet Explorer zero-day

Microsoft provides an Internet Explorer fix after confirming a vulnerability affecting all versions of the Web browser is being actively exploited.

Microsoft has released an Internet Explorer "Fix it" to temporarily address a vulnerability that exists in all supported versions of its Web browser.

According to a blog post by the Redmond, Wash.-based software giant, the IE Fix it, named "CVE-2013-3893 MSHTML Shim Workaround," aims to prevent the active exploitation of a newly discovered remote code execution vulnerability while Microsoft works on a permanent resolution. Though all supported versions of Internet Explorer (IE) could be affected, Microsoft said reports indicated only versions 8 and 9 have been actively targeted.

In a blog post, Microsoft Security Response Center Engineer Neil Sikka explained that attackers are targeting a use-after-free vulnerability in the HTML rendering engine of IE. He noted that the attacks take advantage of a Microsoft Office DLL that was not compiled with Address Space Layout Randomization (ASLR) enabled.
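
A defender-side check for modules that, like the Office DLL described above, were built without ASLR, shown here as an added example that is not from Microsoft's post or this article. It reads the DllCharacteristics field of the PE header; the function names and the header-only sample builder are assumptions made for illustration.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # set by the linker's /DYNAMICBASE
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no relocation data in the file
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B


def aslr_status(image: bytes) -> str:
    """Return 'aslr', 'no-aslr' or 'not-pe' for the leading bytes of a DLL or EXE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    if len(image) < opt + 72 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    (file_chars,) = struct.unpack_from("<H", image, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        return "not-pe"
    # DllCharacteristics sits at offset 70 of the optional header in PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        return "no-aslr"
    # The flag alone is not enough: an image without relocations cannot be moved.
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        return "no-aslr"
    return "aslr"


def make_sample(dll_chars: int, file_chars: int = 0x2102, magic: int = PE32_MAGIC) -> bytes:
    """Constructed header-only image for demonstration (not a loadable DLL)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 22, file_chars)
    struct.pack_into("<H", buf, e_lfanew + 24, magic)
    struct.pack_into("<H", buf, e_lfanew + 24 + 70, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. every DLL an application loads into the browser
        with open(path, "rb") as fh:
            print(aslr_status(fh.read(4096)), path)
```

Run against the modules an application loads into the browser process, any file reported as `no-aslr` will be mapped at a predictable address unless a mitigation such as EMET forces it to be relocated.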

Attackers can target this vulnerability via malicious webpages and possibly advertisements, but attackers still need to direct users to the malicious content via a Web link, email or IM. Attackers can potentially gain user rights via a successful exploit, though those rights could be limited based on the account settings of the current user.

Beyond applying the temporary fix, the company also advised that version 4.0 of its Enhanced Mitigation Experience Toolkit could help protect against the active exploits it has analyzed.
