Feeds

Redmond slips out temporary emergency fix for IE 0-day

Remote code execution vuln

Securing Web Applications Made Simple and Scalable

Stepping outside its normal Patch Tuesday cycle, Microsoft has rolled out an emergency fix to an Internet Explorer bug that was under active malware attack.

This advisory provides access to “Fix it For Me”, with a more detailed outline of the CVE-2013-3893 vulnerability here. All versions of IE 6 to 10 are affected.

As Microsoft writes, the vulnerability “exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

The current temporary fix is designed to prevent exploitation of the bug, with a permanent fix presumably to follow. In this TechNet post, Microsoft's Dustin Childs writes that IE users should take further action:

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones;
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones.

Childs notes that both of these actions “may affect usability” and suggests adding trusted sites to the Internet Explorer Trusted zone.

Since the stopgap “Fix It” patch isn't being rolled out automatically, users have to take their courage in their own hands and download it themselves. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.