Microsoft to release official patch for latest IE zero day
Microsoft will release a “Fix It” tool for the exploits, discovered in versions 6, 7, 8, and 9 of Internet Explorer, and has promised that an update will arrive this Friday.
The vulnerability, which was discovered by security researcher Eric Romang as he was examining an unrelated Java zero day, has already attracted attention from Microsoft. Without a tailored patch available, the Redmond, Washington, company pointed its users toward its existing Enhanced Mitigation Experience Toolkit (EMET), which it says will prevent hackers from gaining illegitimate access.
German officials from the country’s Federal Office for Information Security are taking no chances, and have said that users should simply stop using Internet Explorer for the time being.
Microsoft stands by its recommendation of EMET, saying that it offers a “good set of additional mitigations for Internet Explorer that thwart many of the attacks in the wild.” Its confidence comes from its analysis of samples in the wild that are attempting to exploit the zero day.
So far, it has only seen attacks on 32-bit versions of Internet Explorer and those that rely on third-party browser plug-ins.
“In the current situation, the chances of successful exploitation via the current attacks on Windows Vista and 7 strongly depend on the presence of these plug-ins on the targeted computers.”
Despite its confidence, the company also asked the public to let it know if there are any cases where EMET is not helping to mitigate attacks.
The company also released the Fix It tool that it previously promised, but with the caveat that the protection it provides only works if the latest security updates have been applied. The tool is similar to the update that the company is promising will arrive on Friday.