Microsoft has released a workaround for a zero-day vulnerability in older versions of Internet Explorer.
Jerry Bryant, senior security communications manager at Microsoft, said that a workaround has been added to security advisory 981374 to cover the remote code execution vulnerability. Microsoft has confirmed that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, but that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, Internet Explorer 6 and Internet Explorer 7 are vulnerable.
Bryant also confirmed that exploit code has been made public for this issue. He said: “On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key.
“With [this] update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
He also commented on speculation about an out-of-band patch, claiming that ‘we are working hard to produce an update which is now in testing’.
He said: “This is a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third-party applications.
“We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.”
Security blogger Brian Krebs said: “Redmond is still working on an official update to plug this security hole, but in the meantime it has released another ‘Fix It’ tool that should allow Windows users to disable the vulnerability at issue. To use this tool, click the ‘Fix It’ icon under the ‘Enable this fix’ heading here.
“Microsoft also has a ‘fix it’ tool to help IE6 and IE7 users turn on a feature called data execution prevention (DEP), which can help Windows block certain types of common but harmful software exploits. To enable the DEP, click the ‘Fix It’ icon under the heading ‘Enable Application Compatibility Database’ here.”