Microsoft has released a temporary workaround for a zero-day flaw in Internet Explorer 9 and 10 discovered by FireEye Labs. It is a Fix It solution and does not replace any security update. The final patch is scheduled for release on March 11, Patch Tuesday.
Only Internet Explorer 9 and 10 are affected; IE 11 and versions earlier than IE 9 are not. Microsoft is therefore encouraging Windows 7 users to install Internet Explorer 11, and Windows 8 users to upgrade to Windows 8.1 (which ships with IE11), for the best protection.
The vulnerability was first discovered on the website of Veterans of Foreign Wars USA, where an attacker had injected a “drive-by download” that triggers when a user visits the compromised site with Internet Explorer 9 or 10 and the Flash Player plugin installed.
Microsoft has also published MSA 2934088 detailing the flaw and suggesting actions to avoid any major consequences. The description reads, “The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
The exploit is also able to circumvent ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), both built into Windows operating systems.
Microsoft recommends installing the Fix It solution (KB 2934088) only after IE 9 or 10 has been updated with the MS14-010 patches. The workaround replaces the mshtml.dll file with a newer one; alternatively, as mentioned above, install Internet Explorer 11 on Windows 7 or upgrade Windows 8 to Windows 8.1.
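The following PowerShell script is an added example for administrators checking exposure to this advisory; it is not code from the article, from FireEye or from Microsoft. It reads the installed Internet Explorer version from the registry (IE10 and IE11 keep the old `Version` value and record the real version in `svcVersion`), reads the Windows version via WMI, checks with `Get-HotFix` whether the MS14-010 cumulative update is installed, and prints the recommendation that matches the article's guidance. The KB number for MS14-010 is not given on the page, so `$Ms14010Kb` is a placeholder to be filled in from the bulletin; the function names are the example's own.

```powershell
# Added example, not from the article or from Microsoft.
# Reports whether this machine runs an affected IE version (9 or 10),
# whether the MS14-010 update is present, and which of the article's
# mitigations applies. Run in an elevated session on Windows 7 / 8 / 8.1.

# Placeholder: the MS14-010 bulletin lists the KB number of its IE update.
$Ms14010Kb = 'KB<MS14-010 update number>'
$FixItKb   = 'KB2934088'   # Fix It workaround named in the advisory

function Get-IEMajorVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    # IE10/IE11 leave 'Version' at 9.x; the installed version is in 'svcVersion'.
    $raw = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]($raw.Split('.')[0])
}

function Get-WindowsVersion {
    # WMI reports the real OS version (6.1 = Windows 7, 6.2 = Windows 8, 6.3 = Windows 8.1)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return [version]$os.Version
}

function Test-IEZeroDayExposure {
    $major    = Get-IEMajorVersion
    $os       = Get-WindowsVersion
    $affected = ($major -eq 9 -or $major -eq 10)
    # Get-HotFix writes a non-terminating error for an unknown id; treat that as "absent".
    $hasPatch = [bool](Get-HotFix -Id $Ms14010Kb -ErrorAction SilentlyContinue)

    $advice = $(
        if (-not $affected) {
            'Not affected by this advisory (IE 9/10 only)'
        } elseif ($os.Major -eq 6 -and $os.Minor -eq 1) {
            "Windows 7: install Internet Explorer 11, or apply MS14-010 and then the Fix It ($FixItKb)"
        } elseif ($os.Major -eq 6 -and $os.Minor -eq 2) {
            "Windows 8: upgrade to Windows 8.1 (ships IE11), or apply MS14-010 and then the Fix It ($FixItKb)"
        } else {
            "Apply MS14-010, then the Fix It ($FixItKb)"
        }
    )

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        IEMajorVersion  = $major
        WindowsVersion  = "$($os.Major).$($os.Minor)"
        AffectedVersion = $affected
        MS14010Present  = $hasPatch
        Recommendation  = $advice
    }
}

Test-IEZeroDayExposure | Format-List
```

The Fix It itself is not a hotfix package, so it does not show up in `Get-HotFix`; the script therefore reports only the prerequisite update and the IE version, which is enough to decide which of the article's three options (MS14-010 plus Fix It, IE11 on Windows 7, or Windows 8.1) still needs to be applied.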