Microsoft Releases Out-of-Band Patch for Internet Explorer

Microsoft on Monday released an out-of-band fix for a zero-day use-after-free memory corruption vulnerability in its Internet Explorer Web browser.

Security bulletin MS13-008 addresses an issue in Internet Explorer 6, 7 and 8 that could allow remote code execution if a user visits a specially crafted malicious Web site with an affected version of the browser.

The zero-day was discovered and first reported by security firm FireEye on Dec. 28. In a report titled "CFR Watering Hole Attack," the security company said that exploits for the then-undisclosed Internet Explorer vulnerability had already been spotted in the wild. Sites compromised to serve the exploit included the Council on Foreign Relations Web site and other human-rights-related sites.

The company also reported that it had located a Web site hosting malware that exploited the vulnerability.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," the company said in a blog post. "We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

In response, Microsoft released a temporary mitigation in the form of a Fix It workaround that patched the loaded mshtml.dll at runtime. However, days after the workaround's release, security firm Exodus Intelligence said that the zero-day could still be exploited even after the Fix It had been applied.

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," said the company in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

Microsoft said that Monday's bulletin resolves the issue and advises customers who do not have automatic updating enabled to apply the update as soon as possible. The Fix It was only a stopgap; the update is the actual fix. Internet Explorer 9 and 10 are not affected by the vulnerability, so the update does not apply to them.
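As an added example (not code from the article, from Microsoft, or from FireEye), the PowerShell function below reports whether a host runs an Internet Explorer version covered by MS13-008 and whether the bulletin's update is installed, using the registry IE version keys, Get-HotFix and the mshtml.dll file version. The KB number is an assumption on my part: the article names only the bulletin, and I take its update to be KB2799329; confirm the number against the bulletin before relying on the check.

```powershell
# Added example, not code from the article or from Microsoft.
# Reports whether this host runs an Internet Explorer build covered by
# MS13-008 (IE 6, 7 and 8) and whether the bulletin's update is installed.
# ASSUMPTION: the update for MS13-008 is KB2799329; the article gives only
# the bulletin ID, so verify the KB number against the bulletin itself.
function Test-MS13008State {
    param([string]$KbId = 'KB2799329')

    # IE writes its version to the registry. IE 10 and later store the real
    # version in "svcVersion" and keep "Version" at 9.x for compatibility,
    # so prefer svcVersion when it exists.
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $ieKey -ErrorAction Stop
    $ieVersion = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    $major = [int]($ieVersion.Split('.')[0])

    # Only IE 6, 7 and 8 are in scope for this bulletin; IE 9 and 10 are not.
    $affected = (6, 7, 8) -contains $major

    # Get-HotFix lists installed updates from Win32_QuickFixEngineering;
    # the bulletin's update appears under its KB number. A missing hotfix
    # is reported as a non-terminating error, which we silence.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    # mshtml.dll is the component the Fix It patched in memory and the
    # update replaces on disk; its file version is a second signal for
    # inventory tooling that does not trust the hotfix list alone.
    $mshtml = Get-Item (Join-Path $env:windir 'System32\mshtml.dll')

    New-Object PSObject -Property @{
        ComputerName    = $env:COMPUTERNAME
        IEVersion       = $ieVersion
        AffectedVersion = $affected
        UpdateInstalled = [bool]$hotfix
        InstalledOn     = $installedOn
        MshtmlVersion   = $mshtml.VersionInfo.ProductVersion
        ActionRequired  = ($affected -and -not $hotfix)
    }
}

# Usage: run on each host (or wrap in Invoke-Command for a fleet) and
# act on any record where ActionRequired is True.
Test-MS13008State | Format-List
```

Note that the Fix It itself leaves no entry in the hotfix list, which is exactly why a Fix It-only host shows up here as still requiring action: the Exodus bypass means the runtime shim should not be counted as remediation.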

About the Author

Chris Paoli is the site producer for and
