As an official patch is yet to become available, Microsoft has released a temporary Fix-it tool to close a critical security hole in its Internet Explorer web browser. According to a blog post by Yunsun Wee, Trustworthy Computing Director at Microsoft, the company plans to distribute a cumulative update to address the vulnerability through Windows Update on Friday 21 September.
As the flaw is already being actively exploited by cyber criminals to infect computers with malware, all users who rely on Internet Explorer are advised not to wait for the patch to be released and to use the Fix-it solution to protect their systems as soon as possible. Alternatively, users can simply switch to a different web browser, as recommended by Germany’s Federal Office for Information Security (BSI) earlier this week. The problem affects versions 6 to 9 of Internet Explorer on all currently supported versions of Windows; IE 10, preinstalled under Microsoft’s upcoming Windows 8 operating system, is not affected.
The critical hole can be used to infect systems with malicious code when a victim visits a specially crafted web page. Code to exploit the vulnerability can be hidden almost anywhere: criminals often spread malware by, for example, compromising reputable web sites so that they infect visitors’ systems. In addition to professional criminals, almost anyone can now exploit the vulnerability for their own ends, as a module for the Metasploit attack framework is already available.
The problem involves a “use-after-free” hole in the CMshtmlEd::Exec() function. In the current method of attack, a specially prepared web page executes a Flash applet that uses heap spraying to distribute shellcode in the system memory. The page then reloads an iframe that uses the IE vulnerability to run the shellcode.