Microsoft Releases Out-of-Band Patch for Internet Explorer

Microsoft on Monday released an out-of-band fix for a zero-day use-after-free memory corruption vulnerability in its Internet Explorer Web browser.

Security bulletin MS13-008 addresses an issue in Internet Explorer 6, 7 and 8 that could allow remote code execution if a user visits a specially crafted malicious Web site with the browser.

The zero-day was discovered and first reported by security firm FireEye on Dec. 28. Describing what it called the "CFR Watering Hole Attack," the company said that exploits for a then-unpatched Internet Explorer vulnerability had already been spotted in the wild. Attack targets included the Council on Foreign Relations Web site and other human rights-related sites.

The company also reported that it had located a Web site hosting malicious code that exploited the vulnerability.

"We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability," the company said in a blog post. "We have chosen not to release the technical details of this exploit, as Microsoft is still investigating the vulnerability at this time."

In response, Microsoft released a temporary mitigation in the form of a Fix It workaround that modified mshtml.dll at runtime rather than replacing the file on disk. However, days after the workaround was released, security firm Exodus Intelligence said that the zero-day could still be exploited even after the Fix It had been applied.

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," said the company in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

Microsoft said that Monday's bulletin resolves the issue and advises those without automatic updating enabled to apply the security update as soon as possible. A Fix It is a stopgap, not a substitute for the bulletin: systems that relied on the workaround still need the update. Internet Explorer 9 and 10 are not affected by the vulnerability, and the update does not apply to them.
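Administrators who cannot rely on automatic updating need a way to find which machines are still exposed. The following PowerShell check is an added example, not code from the article or from Microsoft. It reads the installed Internet Explorer version from the registry, treats IE 6 through 8 as affected (per the bulletin) and then looks for the bulletin's update package, KB2799329. It assumes PowerShell 3.0 or later and Windows 7 / Server 2008 R2 or later, where Get-HotFix is available; the function name Get-IEExposure is the example's own.

```powershell
# Added example: MS13-008 exposure check (not from the article or Microsoft).
# Assumes PowerShell 3.0+ and that KB2799329 is the update package for MS13-008.
function Get-IEExposure {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

    # IE 10 reports "9.10.x" in Version and keeps the real build in svcVersion,
    # so prefer svcVersion when it exists. IE 6/7/8 only populate Version.
    $verString = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $major     = [int]($verString.Split('.')[0])

    # MS13-008 covers IE 6, 7 and 8; IE 9 and 10 are not affected.
    $affected = ($major -ge 6) -and ($major -le 8)

    # Get-HotFix queries Win32_QuickFixEngineering; a missing entry means
    # the update is not recorded as installed on this host.
    $patched = $null -ne (Get-HotFix -Id 'KB2799329' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        IEVersion  = $verString
        Affected   = $affected
        Patched    = $patched
        Vulnerable = $affected -and -not $patched
    }
}

Get-IEExposure | Format-List
```

Run it locally, or wrap the call in Invoke-Command against a list of hosts to build a fleet-wide view. One caveat: Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so a host that shows Patched as False deserves a second look in Windows Update history or WSUS before it is treated as confirmed vulnerable.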

About the Author

Chris Paoli is the site producer for and

