Microsoft patch for zero-day exploit cracked

A zero day exploit in Internet Explorer, which Microsoft released a temporary fix for last week, has resurfaced as the fix itself has now been cracked.

The original vulnerability was discovered two weeks ago, and so far no permanent solution has been found. Microsoft's most recent 'Patch Tuesday' list of fixes failed to include a fix for this exploit.

Researchers at Exodus Intelligence, a security firm, said that they have found a way to beat Microsoft's 'Fix It' solution.

The exploit can potentially affect Internet Explorer versions 6,7 and 8. It was used recently to infect various political and manufacturing websites, including the Council on Foreign Relations in the US, and Chinese human rights site Uygur Haber Ajanski.

The attacks are widely considered to be state-sponsored, as the websites themselves are not the ultimate targets of the malware, but rather the visitors to those sites, who once infected by malware could be spied on by the malware authors.

Brandon Edwards, vice-president of intelligence at Exodus, explained that his team looked at the Fix It to determine exactly what it covered.

"Usually, there are multiple paths one can take to trigger or exploit a vulnerability," Edwards told security site Threatpost. "The Fix It did not prevent all those paths.

"It comes down to clearly understanding the root cause and ways the browser can get to the affected code," Edwards said. "The Fix It covered paths used by the exploit, but not all the ways the vulnerability can be reached. A full patch should eliminate all those possibilities."

Exodus has said that it will not release details of its exploit until Microsoft patches the vulnerability. However, if one set of researchers is able to crack Microsoft's fix, then malware authors may already have done so.