Microsoft Releases Out-of-Band Patch for Internet Explorer

Microsoft on Monday released an out-of-band fix for a zero-day use-after-free memory vulnerability in its Internet Explorer Web browser.

Security bulletin MS13-008 addresses an issue in Internet Explorer 6, 7 and 8 that could lead to a remote code execution attack if a user visits a specially crafted malicious Web site with the Microsoft browser.

The zero-day was discovered and first reported by security firm FireEye on Dec. 28. Calling it the "CFR Watering Hole Attack," the security company said that exploits taking advantage of a publicly disclosed Internet Explorer vulnerability had already been spotted in the wild. Attack targets included the Council of Foreign Relations Web site and other human rights-related sites.

The company also reported that it had located a Web site that was being used to host malware exploiting the vulnerability.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," the company said in a blog post. "We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

In response, Microsoft released a temporary solution in the form of a Fix It workaround that applied a runtime change to mshtml.dll. However, days after the workaround's release, security firm Exodus Intelligence said that the zero-day could still be exploited even after the Fix It had been applied.

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," said the company in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

Microsoft said that Monday's bulletin has resolved the issue and advises those that don't have automatic updating enabled to apply the security fix as soon as possible. Those that are running Internet Explorer 9 and 10 are not affected by the vulnerability or the fix.

About the Author

Chris Paoli is the site producer for and
