Microsoft released a “Fix it” mitigation for the Internet Explorer 8 vulnerability first found on a sub-site of the U.S. Department of Labor.
This “Fix it” makes a “small change” to mshtml.dll whenever IE 8 loads the library; it does not replace the file on disk. Microsoft said a full update that closes the hole is currently in testing and will be released once it is confirmed ready for all customers.
Microsoft also notes that EMET is an effective workaround against both the in-the-wild attacks and the exploit in the “public pentest framework”, presumably a reference to the Metasploit module that exploits the same hole.
The “pentest framework” version of the exploit attempts to target Vista and Windows 7 by loading a DLL installed by Java 6 that was not built with ASLR support, giving the attacker a module at a predictable address to build a ROP chain from. The in-the-wild attacks do not do this: Microsoft observed limited attacks targeting IE 8 on Windows XP only, where ASLR does not exist and no such bypass is needed, and those attacks are blocked by EMET’s Export Address Table Access Filtering (EAF) and anti-ROP mitigations. The company does, though, still recommend the Fix it as “a stronger level of protection.”
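The ASLR bypass described above only works because some third-party module loaded into the IE process was linked without the DYNAMICBASE flag. The check a practitioner wants here is whether a given DLL carries that flag, which lives in the DllCharacteristics field of the PE optional header. The following is an added example, not code from the article, from Microsoft, or from the Metasploit module; it is a minimal PE header parser with constructed sample images (no real DLL is read), and the module names and `make_minimal_pe` helper are hypothetical:

```python
import struct

# Bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (from winnt.h)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR-compatible (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP-compatible (/NXCOMPAT)


def dll_characteristics(pe_bytes: bytes) -> int:
    """Return DllCharacteristics from a PE image (PE32 or PE32+)."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # Optional header follows the 4-byte signature and 20-byte IMAGE_FILE_HEADER
    opt_hdr = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe_bytes, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", pe_bytes, opt_hdr + 70)[0]


def mitigation_flags(pe_bytes: bytes) -> dict:
    """Report whether the image opted in to ASLR and DEP."""
    dc = dll_characteristics(pe_bytes)
    return {
        "aslr": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def non_aslr_modules(modules: dict) -> list:
    """Given {name: image bytes}, return the names usable as fixed-address ROP sources."""
    return sorted(name for name, data in modules.items()
                  if not mitigation_flags(data)["aslr"])


def make_minimal_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test fixture: just enough headers for the parser above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew -> right after DOS header
    opt_size = 240 if pe32plus else 224
    file_hdr = struct.pack("<HHIIIHH",
                           0x8664 if pe32plus else 0x14C,  # Machine
                           0, 0, 0, 0,                      # sections, timestamp, symtab, nsyms
                           opt_size, 0x2102)                # SizeOfOptionalHeader, Characteristics (DLL)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed sample "process module list": one modern DLL, one legacy DLL, one 64-bit DLL
SAMPLE_MODULES = {
    "modern.dll": make_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                  | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy_runtime.dll": make_minimal_pe(0x0000),   # linked without /DYNAMICBASE or /NXCOMPAT
    "wide.dll": make_minimal_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, pe32plus=True),
}

if __name__ == "__main__":
    for name, data in SAMPLE_MODULES.items():
        print(name, mitigation_flags(data))
    print("ROP-friendly (no ASLR):", non_aslr_modules(SAMPLE_MODULES))
```

On a real system you would feed `mitigation_flags` the bytes of each module loaded into the browser process (for example `open(path, "rb").read()` for every DLL listed by Process Explorer); any module that comes back with `"aslr": False` is exactly the kind of fixed-address image the Metasploit module relies on, and is a candidate for removal or for EMET’s mandatory ASLR.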
Initial reports suggested the attack was using an already known, and patched, vulnerability, CVE-2012-4792. It became clear, however, that the exploit used was not that one but a different, previously unknown remote code execution vulnerability.
Microsoft issued an advisory for this vulnerability, CVE-2013-1347, which so far appears to affect only Internet Explorer 8, while it continues its investigation.
The flaw is a use-after-free bug that corrupts memory in a way that lets an attacker execute arbitrary code in the context of the browser. A Metasploit module that exploits the vulnerability is now available, which means the technique is generally accessible, researchers said.