A security bug in Microsoft's Internet Explorer 8 web browser was confirmed by the company on Friday in a security advisory.
Reports of attacks began to appear two days earlier, when security firm Invincea reported that attacks exploiting a new vulnerability in the browser had been carried out against the US Department of Labor and Department of Energy. Another security company, FireEye, confirmed the report.
Update: The hotfix is no longer available as it is no longer needed.
Microsoft's updated security advisory offers information about the type of vulnerability in Internet Explorer 8:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Only Internet Explorer 8 is affected by the vulnerability. That may not look like a big issue, considering that Microsoft has released two newer versions of the web browser recently, but it is quite problematic: Internet Explorer 8 is the version that most Windows XP users have installed on their systems, since Internet Explorer 9 and 10 are not available for that operating system. Windows Vista and Windows 7 users who have not updated the web browser yet, and systems running Windows Server 2003 to 2008 R2, may also be affected. Basically, if Internet Explorer 8 is installed on the system, it is vulnerable.
Microsoft did release mitigating factors to protect systems running Internet Explorer 8 against the vulnerability. One of them suggested the use of the excellent Enhanced Mitigation Experience Toolkit, which blocks popular exploits from being carried out on computer systems.
Yesterday evening, a hotfix was released that resolves the security vulnerability on affected systems. It is provided as a Fix-It that you can download and run to resolve the issue. Microsoft is making available two downloads, one to enable the fix, the other to restore the system and disable it again.
The program throws an error if Internet Explorer 8 is not installed on the system. It is recommended that the patch be applied immediately on all systems running Internet Explorer 8.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.