Microsoft offers 'fix-it' workaround for IE zero-day

Summary: Microsoft has released a one-click "fix-it" workaround to help Web surfers block malware attacks against an unpatched Internet Explorer vulnerability.

Microsoft has released a one-click "fix-it" workaround to help Web surfers block malware attacks against an unpatched vulnerability in its flagship Internet Explorer browser.

The workaround effectively disables the peer factory class in the iepeers.dll binary in affected versions of Internet Explorer.

The workaround, available here, comes on the heels of the public release of exploit code into the freely available Metasploit pen-testing framework.

Microsoft confirmed the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.

The company urged IE users to test the Fix-It workaround thoroughly before deploying it, as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

[ SEE: IE zero-day flaw leaks out; Exploit code published ]

Microsoft also confirmed it is considering an out-of-band emergency patch to correct the underlying flaw.

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs.

Malicious hackers are already exploiting the vulnerability to launch targeted attacks. The earliest attacks include the use of a backdoor that allows complete access to a vulnerable machine.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes.

Topics: Browser, Microsoft, Security

Talkback

231 comments
  • Start a new, safe, computing experience with just 'one click'...

    That's right Windows Folks.

    You are only 'one click' away from beginning a brand new adventure, filled with exciting new technology and everything you need to enjoy a 'safe', FREE computing experience.

    So, if you have just reached your threshold level for tolerance of the daily 'yet another zero day Windows exploit' litany, then please let me encourage you to take that step.

    Go ahead, click that link directly below and see a new world unfold before you:

    ((((((((((((( http://www.ubuntu.com )))))))))))))))

    Ubuntu Linux 9.10, the safest operating system on the planet.

    Dietrich T. Schmitz
    GNU/Linux Advocate
    DTS Linux Advocate
    • If they're going to upgrade operating systems it makes more sense...

      ...to upgrade to Windows 7 instead of some completely different operating system. All the security advantages without the loss of compatability.
      ye
      • Is that software compatibility? Or driver compatibility?

        Sounds like you're fudging the fact that "Windows" is a [i]brand name[/i], and [i]not[/i] an operating system, to me. Different Windows [i]operating systems[/i] are [i]not[/i] necessarily mutually compatible.

        But there's nothing stopping anyone downloading a "Live" Ubuntu or Fedora CD and trying it out first. The old "try before you buy" idea, except without the price tag at the end.
        Zogg
        • LOL! What a stretch.

          [i]Sounds like you're fudging the fact that "Windows" is a brand name, and not an operating system, to me.[/i]

          Given this I don't see any point in addressing anything else you've written. You're desperate.
          ye
          • No surprise there; I accept your surrender ;-)

            I'm not surprised you've chosen to run away; even [i]you[/i] must realize how patently untrue your prior claim is:

            [i]"All the security advantages without the loss of compatability(sic)."[/i]

            So there we have it: Ye claims [i]no[/i] loss of compatibility between WinXP and Win7.
            Zogg
          • I'm happy to surrender to you...you're an accomplished idiot.

            Congratulations on your achievement.
            ye
          • @Zogg: I can understand why you would consider the truth to be an ad hom.

            You have to in order to build a case.

            As for the title it materially didn't change. You're an idiot as your original post demonstrates.
            ye
          • His point is valid Ye....

            ...sometimes your obsession with "Windows superiority" really is annoying.

            It's a well known fact that not all applications and drives will work with the next version of Windows.

            That said, if you have Windows Vista on your system and everything works, it's highly unlikely that you will suffer any compatibility issues migrating to Windows 7.

            On the other hand, migrating from XP to Windows 7 is more likely to have compatibility issues if you insist on keeping 10 year old hardware and 10 to 15 year old software packages.

            Lastly, your post here indicates that *you* are the desperate one because you CHOOSE to not see the point.
            PollyProteus
          • That didn't happen to me

            I had two apps, one very important (Navision Financials) and one not so important (Plextor Video Capture) that refused to run in Vista. Both of them are running in Windows 7, both 32 and 64 bit Versions. I know, anecdotal...

            Linux is great, I use it daily, but it can be a real pain.

            Many updates break MythTV, which can involve a great deal of effort to un-break.

            HP ScanJet still will not work after half a dozen Linux people worked with me for days on it.

            Video at random boots up to some ungodly resolution, either 320x240 or sometimes so high that nothing is readable. SSH in, edit xorg.conf and restart X - Why? The same box runs Windows 98, XP, Vista and 7 (removable HD) - only happens with Linux.

            My personal "compatibility" rant is now done.

            Do I like Linux - you betcha
            Do I like Windows - you betcha
            dev-null
          • Then tell HP to fix their drivers.

            The specs aren't available, you know, so it's not like Linus or someone can just whip up a working Linux version themselves.
            AzuMao
          • I Only Use A Linux Distro Until It Breaks First Time

            You are more patient than me.

            The first time an important app goes south, or the video dies (as has happened to me) I format the hard disk. Had happened numerous times. Normally one of the many 100+ M updates send it awhirl.

            You get what you pay for, and as Linux costs nothing, it _IS_ worth its price.
            PMC-CON
          • Why are you on ZDNet again, PMC?

            It's brought to you by Linux (which is itself free), for free. So according to you it is worth 0 divided by 2.
            AzuMao
          • Not to defend Ye; don't need to but...

            The point is he did not say there may be compatibility problems with 10 - 15 year old systems. If he had, no one would have challenged his assumption. Now, that is the point!
            eargasm
          • This is implicit.

            [i]It's a well known fact that not all applications and drives will work with the next version of Windows.[/i]

            Man, have to spell every little detail out for the ABMers. Sad.
            ye
          • Or more accurately, you overgeneralized and were called on it.

            And then your bruised ego made you childish.

            Next time, please just stick to the points being made instead.
            Zogg
          • @Zogg : You're correct...It was a generalized statement hence...

            ...the implicit assumption I wasn't referring to 100% compatibility. It's good to see you're making progress. Soon you'll be able to hold a rational discussion instead of making the stupid post you originally did.
            ye
          • This is getting nowhere.

            Ye, in this thread you have either misrepresented or ignored almost everything that I have said in response to your initial and preposterous [b]over[/b] generalization on upgrading from WinXP to Win7:

            [i]"All the security advantages without the loss of compatability."[/i]

            You have followed this by purely "ad hominem" insults, and now finally you presume to patronise me about "rational discussion"? I think not.

            May this thread stand testament to your childish arrogance. I'm done with you.
            Zogg
          • @Zogg:Only a desperate person insists on being pedantic.

            Again it was a general statement for which a [i]reasonable[/i] person understands there will be exceptions. Only a desperate person would insist on a literal interpretation because they have nothing else.

            As for ignoring what you said when you make statements such as:

            [i]Sounds like you're fudging the fact that "Windows" is a brand name, [b]and not an operating system, to me.[/b][/i]

            The fact you don't consider Windows to be an operating system shows just how irrational you are and there's no reason to take you seriously.
            ye
          • Nice evasion.

            [b] [/b]
            AzuMao
        • I got a free trial

          I got a free trial of Windows 7. I got to use it for months and at the end, I decided that it was worth it to me to upgrade.

          I tried Ubuntu and found that it was not suited to my needs, thank you. I use Debian when I need to run utilities on a corrupted hard drive and it works quite well for me.

          If you have nothing better to do than troll, go away and code up some stuff so that I can do everything that I need to do in Linux.

          The rest of us want to know what is going on with this exploit so that we know what to do when our phones start ringing.

          Personally, I use Firefox and the last bad virus that I had came off a floppy disk.
          Muttz