Microsoft advises on IE zero-day vulnerability

The zero day exploit reported last week as affecting only Internet Explorer 10 also affects IE 9. Microsoft has released a "Fix it".

Microsoft has issued a security advisory for a vulnerability in Internet Explorer 9 and 10 being exploited in the wild.

We wrote last week  on the initial reports of exploits in the wild, as reported by security firm Fireeye. Fireeye and Symantec are both credited in the Microsoft advisory as having worked with Microsoft on the issue.

The vulnerability is a "use after free" remote code execution vulnerability. As in the case found by Fireeye, it can lead to a system being taken over if the user is lured to visit a web site in a vulnerable browser. The vulnerability does not, on its own, elevate privilege, so if the user is running unprivileged, the exploit will also be unprivileged.

Internet Explorer 9 is vulnerable according to Microsoft, although the actual exploits in the wild are only targeting Internet Explorer 10. Microsoft says that IE versions 6, 7, 8 and 11 are not vulnerable, so if you are on a platform which supports it, upgrading to IE 11 will address the issue.


Alternatively, Microsoft has issued a Fix it, which is a patch that blocks the actual exploits observed in the wild, but which doesn't fix the underlying vulnerability. If you need to keep running IE 9 or 10, installing the Fix it is a good idea. The Fix it requires that the user first install all the current security updates for IE 9 or 10. Another effective block against the attacks observed so far is to install the Microsoft Enhanced Mitigation Experience Toolkit (EMET), as the exploit checks to see if it is installed and exits if it is.

The table below shows which versions are vulnerable and which are under attack:

  Windows XP
Server 2003
Windows Vista
Server 2008
Windows 7
Server 2008 R2
Windows 8
Server 2012
Windows 8.1
Server 2012 R2
Internet Explorer 6 Not vulnerable n/a n/a n/a n/a
Internet Explorer 7 Not vulnerable Not vulnerable n/a n/a n/a
Internet Explorer 8 Not vulnerable Not vulnerable Not vulnerable n/a n/a
Internet Explorer 9 n/a Vulnerable,
not under attack
not under attack
n/a n/a
Internet Explorer 10 n/a n/a Under attack Under attack n/a
Internet Explorer 11 n/a n/a Not vulnerable n/a Not vulnerable

A Microsoft Security Research and Defense blog entry goes into gritty detail about how both the vulnerability and the Fix it work.

Boilerplate language in the advisory says that when Microsoft has completed their investigation they will take appropriate action, which may include an update on a regular Patch Tuesday or an out-of-band update.