Microsoft releases "Fix It" for IE8 hole
Microsoft has released a "Fix it" mitigation for the Internet Explorer 8 vulnerability that was first discovered on a compromised sub-site of the US Department of Labor. The "Fix it" makes a "small change" to mshtml.dll whenever IE is loaded. Microsoft says that a full update to close the hole is currently being tested and will be made available as soon as it confirms it is ready for all customers. The company also reminds affected users that the advance notice of what will be in May's Patch Tuesday will be issued tomorrow.
Microsoft also notes that EMET is a good workaround for the in-the-wild attacks and the "public pentest framework" – presumably a reference to the Metasploit module which exploits the same hole. The "pentest framework" version of the exploit attempts to target Vista and Windows 7 by making use of a DLL installed by Java 6 to bypass ASLR. The in-the-wild attacks do not do this; Microsoft has observed limited attacks targeting IE8 on Windows XP only, and these are blocked by EMET's EAF and anti-ROP mechanisms. The company does, though, still recommend the Fix It as "a stronger level of protection".