Softpedia
 

March 15th, 2010, 10:51 GMT

Patch in the Works for IE 0-Day

Microsoft is moving fast with the development of a security update designed to plug a zero-day hole that affects older versions of Internet Explorer such as IE6 and IE7. The Redmond company doesn’t offer users a patch yet, but it has made the next best thing available. Customers running IE6 and IE7 on top of Windows XP and Windows 2003 can now turn to an automatic fix offered via Microsoft Support, which applies a workaround to protect their systems against potential attacks.

“We have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers. As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected,” Jerry Bryant, Sr. security communications manager lead, revealed.

Microsoft has also been updating Security Advisory 981374, a resource that centralizes the information available on the Critical 0-day invalid pointer reference vulnerability in IE. Customers can implement the multiple mitigations detailed under the Suggested Actions section of the security advisory to help fend off potential attacks. The latest workaround added to the advisory guides customers through mitigating the vulnerability by disabling the peer factory class, which is done by modifying a registry key.

“We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs,” Bryant added.

Microsoft has confirmed that exploit code has already been published in the wild. With Proof of Concept code already available, it is now extremely easy for attackers to put together exploits targeting this vulnerability. Customers are advised to deploy workarounds as soon as possible in order to mitigate the problem, or to upgrade to Internet Explorer 8, as the latest version of the browser is not affected by the 0-day vulnerability.

Internet Explorer 8 (IE8) RTW is available for download here (for 32-bit and 64-bit flavors of Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008).
