Microsoft to close critical IE hole with a temporary Fix-it
On its Security Response Center blog, Microsoft has announced that in the next few days it plans to release a temporary Fix-it tool to close the critical hole in its Internet Explorer web browser until a suitable patch becomes available.
According to Microsoft, "any Internet Explorer user can install" the tool, and installing it will not affect users' ability to browse the web – two important criteria that aren't met by the current recommended workarounds. Not everyone has access to the Enhanced Mitigation Experience Toolkit (EMET) exploit blocker tool to close the hole, and that tool is only available in English. Disabling ActiveX and Active Scripting, on the other hand, can restrict the functionality of many web sites and services.
In the blog post, Yunsun Wee, Trustworthy Computing Director at Microsoft, says that the company has only seen "a few attempts to exploit the issue", and that only "an extremely limited number of people" have been affected. However, the company neglects to mention that a module for the Metasploit attack framework; this allows almost anyone to exploit the vulnerability for their own ends.
Microsoft also continues to omit the simplest protection against attacks via the IE hole – to use an alternative browser such as Firefox or Google Chrome. The German Federal Office for Information Security (BSI) has recommended that users avoid IE until Microsoft has tackled the problem.
Users interested in a detailed analysis of the vulnerability can find more details on the flaw in a post on the Vulnhunt security blog. The problem involves a "use-after-free" hole in the CMshtmlEd::Exec() function that ultimately causes IE to execute malicious code when a specially crafted web page is visited.