Microsoft releases Hotfix for Internet Explorer 8 security vulnerability
A security bug in Microsoft's Internet Explorer 8 web browser was confirmed by the company on Friday in a security advisory.
Reports of attacks began to appear two days earlier when security firm Invincea reported that attacks were carried out against the US Department of Labor and Department of Energy exploiting a new vulnerability in the Internet browser. Another security company, FireEye, confirmed the report.
Update: The hotfix is no longer available as it is no longer needed.
Microsoft's updated security advisory offers information about the type of vulnerability in Internet Explorer 8:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
Only Internet Explorer 8 is affected by the vulnerability. While that may not look like a big issue, considering that Microsoft has released two newer versions of the web browser recently, it is quite problematic: Internet Explorer 8 is the version that most Windows XP users have installed, since Internet Explorer 9 and 10 are not available for that operating system. Windows Vista and Windows 7 users who have not updated the web browser yet, and systems running Windows Server 2003 to 2008 R2, may also be affected. Basically, if Internet Explorer 8 is installed on the system, it is vulnerable.
Microsoft did publish mitigations to protect systems running Internet Explorer 8 against the vulnerability. One of them suggests using the excellent Enhanced Mitigation Experience Toolkit, which blocks popular exploits from being carried out on computer systems.
Yesterday evening, a hotfix was released that resolves the security vulnerability on affected systems. It is provided as a Fix-It that you can download and run to resolve the issue. Microsoft is making available two downloads, one to enable the fix, the other to restore the system and disable it again.
The program throws an error if Internet Explorer 8 is not installed on the system. It is recommended that the patch be applied immediately on all systems running Internet Explorer 8.
Microsoft needs a switch that turns that god damned browser off completely, no dll backends, no network connections, One Click, it’s off, one click it’s on.
I am sick of having to slide those sliders up hit save, open browser, hit default settings over and over and over and over. And then still the backend dll’s can access the web. iExplorer is a security pile of donkey nose puss. It wastes productivity time clicking the settings constantly. Scripting the settings is hit or miss unless you’re a freaking guru, I know, I tried. I can script windows power saver settings from the command line, but IE… no joy.
And what’s with updates that cripple fonts! Now I have to REFUSE that update to get WORK done.
Microsoft is a disaster, everything they are doing they need to do the OPPOSITE. Bring the Start Button back, get rid of “ecosystem mindset” apps.
I ain’t going to live in their ecosystem, it’s crap, you can’t get work done, and with all the spying, frankly I am ready to stop paying to be spied on. e.g. turn off my ISP, domains, website hosting, eBay, PayPal, Amazon. Forget it all, who needs it with this police state crap?
Microsoft has fixed yet another security hole in IE10/Windows 8 hacked during Pwn2Own 2 months ago.
Thanks, Martin. It’s really appreciable — and appreciated — to have these latest security issues and fixes in real-time.
IE is not my default browser, but IE here is version 8, and life is so strange sometimes that one could catch the bad for a one-time exception … :)
Patched with hot-fix.