A vulnerability that Microsoft first announced on September 17, 2013 has now been released to the public, which may significantly increase the number of attacks that exploit it.
The vulnerability affects all versions of Microsoft Internet Explorer. Microsoft was aware of limited targeted attacks against Internet Explorer 8 and 9 when it released the security advisory, but this situation may have changed in the meantime.
The remote code execution vulnerability may "corrupt memory in a way" that "could allow an attacker to execute arbitrary code" on the PC with the same privileges as the signed-in user.
Our recommendation: Install the Fix It as soon as possible on your Windows PC, or configure Microsoft EMET so that it can mitigate the vulnerability. For details on how to do so, scroll down to the EMET configuration section of this article.
The Fix It
Microsoft has released a Fix It tool that patches the vulnerability on Windows PCs. This is a temporary solution as Microsoft is currently working on a patch that it will distribute via the company's Windows Update system to all users.
The main problem here is that the Fix It tool won't reach all Windows users, which means that the majority of Windows PCs will remain vulnerable to the attack until the patch is released via Windows Update by the company.
The Fix It itself requires no user interaction other than checking the license check box and clicking on next and close. The patch will be applied at once and the system is protected from the vulnerability from that moment on.
A Fix It to disable the protection is also provided on the same page.
EMET configuration
Microsoft's excellent EMET program can mitigate the vulnerability as well. Microsoft has released specific configuration instructions for the software. Enable the following mitigations for Internet Explorer:
- Mandatory ASLR
- Enable MemProt
- Enable Caller
- Enable SimExecFlow
- Enable StackPivot
- Heap Spray
Then add the address 0x12121212 to the Heap Spray page list for Internet Explorer in the registry:
1. Find the value of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\*\Internet Explorer\iexplore.exe
2. Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\VALUE_FROM_STEP_1\heap_pages
3. Add 0x12121212 to the list
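The three registry steps above as a PowerShell script, run from an elevated prompt. This is an added example, not code from Microsoft's advisory or from EMET; it assumes the EMET 4.x registry layout, in which the application key's default value holds the ID used under _settings_ and heap_pages is a string of semicolon-separated hex addresses.

```powershell
# Added example: append EMET's heap-spray page 0x12121212 for Internet Explorer.
# Assumptions: EMET 4.x layout; the app key's default value is the ID used under
# _settings_; heap_pages is a REG_SZ of semicolon-separated hex addresses.
# Run as Administrator and export the EMET key (reg export) before changing it.
$AppKey  = 'HKLM:\SOFTWARE\Microsoft\EMET\*\Internet Explorer\iexplore.exe'
$NewPage = '0x12121212'

# Step 1: read the app ID stored as the key's default value.
# '*' is a literal key name here, so -LiteralPath is required to stop
# PowerShell from treating it as a wildcard.
$appId = (Get-Item -LiteralPath $AppKey).GetValue('')
if (-not $appId) {
    throw "Internet Explorer is not configured in EMET; add iexplore.exe in the EMET GUI first."
}

# Step 2: open the per-application settings key named after that ID.
$SettingsKey = "HKLM:\SOFTWARE\Microsoft\EMET\_settings_\$appId"
$pages = (Get-ItemProperty -LiteralPath $SettingsKey -Name heap_pages).heap_pages

# Step 3: append the address once, preserving the existing list.
# @() keeps a single-entry list an array so '+' appends instead of concatenating strings.
$list = @($pages -split ';' | Where-Object { $_ -ne '' })
if ($list -contains $NewPage) {
    Write-Host "heap_pages already contains $NewPage"
} else {
    $updated = ($list + $NewPage) -join ';'
    Set-ItemProperty -LiteralPath $SettingsKey -Name heap_pages -Value $updated
    Write-Host "heap_pages is now: $updated"
}
```

Verify the result in the EMET GUI (Apps > Internet Explorer > Heap Spray) before relying on it, since the GUI is the authoritative view of what EMET loaded.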
It is currently not clear if Microsoft will release the patch as part of its monthly Patch Tuesday routine, or if the company needs more time to develop and test a working patch.
The next batch of security updates for Windows will be made available on October 8, 2013 by Microsoft.