An exploit for a vulnerability affecting Internet Explorer, knowledge of which was first made public last month, has finally been released into the wild, leading to concerns that attacks based on it may increase substantially.
Microsoft says that the vulnerability affects all versions of IE, including the most recent release, IE 11. The company noted in an advisory that it was aware of a small number of targeted attacks that had been carried out against IE 8 and IE 9 previously, but warns that the situation may have already changed.
The concern is that the release of a module for the Metasploit exploit framework will lead to a sharp increase in the number of attackers capable of exploiting the flaw in IE. Ars Technica reports that the flaw allows hackers to plant exploits on compromised websites, which are then used to remotely execute code that installs malicious software on PCs; that software then goes on to steal sensitive data.
While the bug was already public knowledge and available to anyone who knows how to find it, only a handful of hackers have actually been able to exploit it, mostly targeting employees of Japanese manufacturing companies and government agencies, Ars Technica said.
Now that the vulnerability has been included in the open-source Metasploit, Microsoft believes that many more hackers may be able to identify it, hence the updated warning. The company did put out a temporary fix for its browser two weeks ago, but hasn’t said when it will be able to issue a permanent patch.
How to Patch IE Right Now
While we’re waiting for Microsoft to issue a permanent fix, the guys over at ghacks.net have offered a couple of temporary fixes to prevent anyone from exploiting the vulnerability and hacking into your machines. The easiest solution is to download the temporary Fix It tool that patches the vulnerability on Windows PCs. Ghacks notes that the patch is simple to download, and will install itself upon checking the licensing box and clicking on close. From there, the patch is immediately applied and your system will be protected against the vulnerability.
An alternative fix involves using Microsoft’s EMET program to mitigate the vulnerability. Ghacks provides the following instructions to configure it:
- Mandatory ASLR
- Enable MemProt
- Enable Caller
- Enable SimExecFlow
- Enable StackPivot
- Heap Spray:
  1. Find the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\iexplore.exe\ *\Internet Explorer\iexplore.exe
  2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\VALUE_FROM_STEP_1\heap_pages
  3. Add 0x12121212 to the list
Microsoft is due to release a security update as part of its Patch Tuesday routine on October 8, but it's unclear if a permanent fix will be developed in time for that, so enterprises and anyone with secure data who's using IE are advised to deploy one of the above fixes as soon as possible.