Microsoft Releases Out-of-Band Patch for Internet Explorer

Microsoft on Monday released an out-of-band fix for a zero-day use-after free memory vulnerability in its Internet Explorer Web browser.

Security bulletin MS13-008 addresses an issuein Internet Explorer 6, 7 and 8 that could lead to a remote code execution attack if a user visits a specially created malicious Web site with the Microsoft browser.

The zero-day was discovered and first reported by security firm FireEye on Dec. 28. Called the "CFR Watering Hole Attack," the security company said that exploits that took advantage of a publically disclosed Internet Explorer vulnerability had already been spotted in the wild. Attack targets included the Council of Foreign Relations Web site and other human rights-related sites.

The company also reported that it had located a Web site that was used in the hosting a virus that took advantage of the vulnerability.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," the company said in a blog post. "We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

In response, Microsoft released a temporary solution in the form of a Fix It workaround that made a change at runtime mshtml.dll. However, days after the workaround release, security firm Exodus Intelligence said that the zero-day could still be exploited even after the Fix It had been applied.

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," said the company in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

Microsoft said that Monday's bulletin has resolved the issue and advises those that don't have automatic updating enabled to apply the security fix as soon as possible. Those that are running Internet Explorer 9 and 10 are not affected by the vulnerability or the fix.

About the Author

Chris Paoli is the site producer for and


  • SameSite Cookie Changes Rolled Back Until Summer

    The Chromium Project announced on Friday that it's delaying enforcement of SameSite cookie changes, and is temporarily rolling back those changes, because of the COVID-19 turmoil.

  • Basic Authentication Extended to 2H 2021 for Exchange Online Users

    Microsoft is now planning to disable Basic Authentication use with its Exchange Online service sometime in the "second half of 2021," according to a Friday announcement.

  • Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched

    Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager with remote Windows systems that need to get patched, and it also announced Update 2002.

  • Azure Edge Zones Hit Preview

    Azure Edge Zones, a new edge computing technology from Microsoft designed to enable new scenarios for developers and partners, emerged as a preview release this week.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.