When The 'Fix It' Doesn't Fix It

The latest Microsoft Internet Explorer zero-day attack and response underscores a dilemma faced by enterprises today: whether to apply a temporary fix or hold out for the real patch of a newly exploited bug. Just days after Microsoft issued an emergency fix for the browser bug and urged affected users to install it, researchers have discovered a way to break it.

Exploit Intelligence researchers studying the vulnerability in Internet Explorer versions 6, 7, and 8 found that they could bypass the fix-it Microsoft issued last week in response to active "watering-hole" attacks exploiting IE 8. IE 9 and IE 10 don't include the bug, which some researchers say is a "use-after-free" vulnerability. Microsoft said the vulnerability allows for remote code execution, and issued the MSHTML Shim Workaround Fix It last week to address it.

"What we discovered is that Microsoft's patch did not account for all the ways in which this vulnerability can be exploited," says Aaron Portnoy, vice president of research for Exodus Intelligence. It took the researchers less than day of reverse-engineering to cheat the fix with an exploit they had written earlier.

[Microsoft last fall issued an interim fix-it tool to protect Internet Explorer browsers from a zero-day vulnerability that has spawned attacks by traditional cyberespionage players out of China. See Multiple Targeted IE Attacks Underway, Microsoft To Release Patch Tomorrow.]

So if the emergency fix is broken, does it make more sense to instead just wait for the promised patch from Microsoft?

Microsoft -- which isn't saying when the patch will be released -- is aware of Exodus' findings, but it is still recommending that users apply the fix. "Customer protection is a top priority for us. We are aware of this claim and have reached out to the group for more information, and continue to actively work on a security update to address this issue," says Dustin Childs, group manager, Microsoft Trustworthy Computing. "Additionally, we released Security Advisory 2794220 to provide customer awareness of the issue affecting Internet Explorer versions 6, 7, and 8, and we strongly encourage our customers to apply the mitigations and workarounds described in the advisory."

Exodus Intelligence's Portnoy concurs that the fix-it is still the best bet until there's a patch. "As of right now, we are unaware of anyone besides ourselves having developed an exploit to demonstrate such a circumvention, so we would encourage users to install the current fix from Microsoft as it is the only patch available that will prevent exploitation of any currently public attacks," he says.

Even Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a free tool that helps prevent exploitation, doesn't stop this attack, Portnoy says. His firm was able to bypass EMET, as well, in its exploit.

But deciding whether to apply a workaround fix in this case is not so black and white. "This seems like a bad fix," says Chris Wysopal, CTO at Veracode. "I would think that a high-risk organization would have the capability of ... going ahead and putting up the fix-it. But I don't think it's a good solution for Microsoft to be building software around [the bug] and people consuming software around it. You have to do all of this work, and it might not be fully fixed because it was rushed out so quickly."

In general, most consumers await Microsoft's auto-update to handle the patching for them, while enterprises have their own Patch Tuesday and out-of-band patching practices, he says. "Now you're asking them to do something else" by applying this temporary fix, Wysopal says. "And on top of that, it can be bypassed."

The obvious question, of course, is why not just upgrade to IE 9, which isn't vulnerable in this type of attack.

"This vulnerability does not affect IE 9, so the best option is to avoid using the vulnerable versions of IE -- 6 through 8," says Exodus Intelligence's Portnoy.

Veracode's Wysopal says an enterprise that has the infrastructure to roll out the fix-it should be upgrading to IE 9. "That's the real fix," he says.

Symantec, meanwhile, late last week confirmed that the IE 8 attacks came out of the so-called Elderwood Group, the infamous cyberespionage operation in China best known for the Aurora attacks that targeted Google, Intel, Adobe, and other major corporations.

This group of attackers has used more zero-day bugs in its attacks than any other, Symantec says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.