Microsoft has released a fix that patches a critical zero-day vulnerability that was being actively exploited in the wild.
Multiple security firms warned that Internet Explorer 8 was used to launch "watering hole" attacks at government workers at the U.S. Department of Labor and the U.S. Department of Energy. In a security advisory issued on Friday, Microsoft said it was "investigating" the reports and that it was "aware of [the] attacks." It confirmed the flaw as a "remote code execution vulnerability" that allows hackers to inject malware into a webpage or a user's computer.
All Windows versions running IE8 were at risk, including Windows Server 2003, 2008 and R2 versions, though IE6, IE7, IE9 and IE10 were not.
Today's security patch comes in form of a "Fix It" response — a small one-click application that patches systems in one go — but users are warned to install the April cumulative security update first.
Microsoft explained: "At the moment, we are aware of a limited number of attacks in the wild and they target IE8 on Windows XP only."
However, FireEye confirmed that the exploit "could also work against IE8 on Windows 7" machines, and Microsoft listed Windows Vista, Windows 7, and its Windows Server products as "affected software."
The software giant explained how the fix works:
The vulnerability is exposed due to a page layout issue, triggered when Internet Explorer 8 is trying to calculate layout information for nodes no longer in the DOM tree. The issue is caused by layout structures that are not properly cleaned up and contain dangling pointers to page elements.
When the layout is updated, the browser crashes due to accessing the freed memory. The code that cleans up the dead links already exists, but it runs after the layout structures are accessed. The solution is to move the cleanup logic before the layout structure access.
Microsoft's Dustin Childs said in an emailed statement: "Customers should apply the Fix it or follow the workarounds listed in the advisory to help protect against the known attacks while we continue working on a security update.