NEWS - January 07, 2013
by Carol~ - 1/7/13 4:36 AM
Researchers Bypass Microsoft Fix It for IE Zero Day
Expect amped up pressure aimed in Microsoft's direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.
Their new exploit beat a fully patched Windows system running IE 8, the same version of the browser exploited by malware used in watering hole attacks against a number of political and manufacturing websites, including the Council on Foreign Relations in the U.S., and Chinese human rights site Uygur Haber Ajanski.
IE 6 and 7 also hold the same use-after-free memory vulnerability (CVE-2012-4792) but are currently not being exploited. Microsoft said the impact of the attacks is limited; IE 9 and 10 are not vulnerable, Microsoft said. Yesterday's Patch Tuesday advisory previewing next Tuesday's batch of security updates did not include an IE patch.
Researcher sidesteps Microsoft fix for IE zero-day
"FixIt" Patch for CVE-2012-4792 Bypassed
Microsoft's Internet Explorer Zero-Day Fix Broken 'With Ease'