Microsoft patch for zero-day exploit cracked

By Stuart Sumner
07 Jan 2013

A zero-day exploit in Internet Explorer, for which Microsoft released a temporary fix last week, has resurfaced as the fix itself has now been cracked.

The original vulnerability was discovered two weeks ago, and so far no permanent solution has been found. Microsoft's most recent 'Patch Tuesday' list of fixes failed to include a fix for this exploit.

Researchers at Exodus Intelligence, a security firm, said that they have found a way to beat Microsoft's 'Fix It' solution.

The exploit can potentially affect Internet Explorer versions 6, 7 and 8. It was used recently to infect various political and manufacturing websites, including the Council on Foreign Relations in the US, and the Chinese human rights site Uygur Haber Ajanski.

The attacks are widely considered to be state-sponsored, as the websites themselves are not the ultimate targets of the malware, but rather the visitors to those sites, who, once infected, could be spied on by the malware authors.

Brandon Edwards, vice-president of intelligence at Exodus, explained that his team looked at the Fix It to determine exactly what it covered.

"Usually, there are multiple paths one can take to trigger or exploit a vulnerability," Edwards told security site Threatpost. "The Fix It did not prevent all those paths.

"It comes down to clearly understanding the root cause and ways the browser can get to the affected code," Edwards said. "The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities."

Exodus has said that it will not release details of its exploit until Microsoft patches the vulnerability. However, if one set of researchers is able to crack Microsoft's fix, then malware authors may already have done so.
