Patch Tuesday doesn’t bring a fix for the recently discovered Internet Explorer 8 security flaw, but Microsoft says it is still working on one, so an official patch should be released soon.
Even though a security company has revealed that it managed to bypass Microsoft’s one-click “Fix it” solution for Internet Explorer 8 and older, the Redmond-based software firm says that users are fully protected if they deploy the Fix it.
“We’ve reviewed the information and are working on an update, which we will make available to all customers on IE6-8 as soon as it is ready for distribution,” said Dustin Childs, group manager, Microsoft Trustworthy Computing, according to ThreatPost.
“In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks. We also continue to encourage customers to upgrade their browsers to IE9-10, which are not affected by this issue.”
While Internet Explorer 9 and Internet Explorer 10 are not affected by the issue, security vendors across the globe are confirming that more websites have been compromised in order to exploit the flaw.
“The whole point of the waterhole tactic is that they believe such sites, although usually not with high numbers of users, will have interesting visitors,” said Jindrich Kubec, Avast Virus Lab’s director of Threat Intelligence. “At least two of the sites use the same spyware binary with exactly the same configuration. The rest look a bit different, but we haven’t investigated it thoroughly yet.”
Security firm Exodus announced last week that it had managed to bypass Microsoft’s “Fix it” tool and compromise a fully patched system.
Details on this exploit are not provided for the time being, as Exodus has decided to let Microsoft address the vulnerability and only then release more information about the way it compromised the browser.