The 0-day IE vulnerability discovered at the end of 2012 is not fully fixed by the Fix-it released by Microsoft last week, says security researcher: the Fix-it can be bypassed and the vulnerability still exploited.
Last week Microsoft published a Fix-it to protect vulnerable users of IE 6, 7 and 8. The Fix-it is designed to crash the browser before an exploit can be effected. But now Peter Vreugdenhil from Exodus Intelligence is reported to have found a way around the Fix-it. “After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” writes the company.
Exodus has not publicly disclosed details of its method, but has reported it to Microsoft. “
We are aware of this claim and have reached out to the group for more information," said Dustin Childs, group manager for Microsoft Trustworthy Computing, according to Computerworld. The problem with this Fix-it is that there are normally numerous routes to reach a vulnerability, and not all of them are covered. Wherever possible, users are advised to upgrade to IE 9 or 10, but this isn’t possible for XP users. Anyone who wants or needs greater security than a Fix-it should, says Chester Wisniewski from Sophos, “be using EMET, as it is far superior to the one-click 'fix it’.”
Read more:
http://www.infosecurity-magazine.co...er-still-vulnerable-despite-microsofts-fixit/
