Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix

Graham Cluley

Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 – but which could potentially affect all versions of the web browser.

According to a blog post by Dustin Childs, a group manager for communications in Microsoft’s Trustworthy Computing group, the security hole can be exploited when users visit a boobytrapped webpage:

This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks.

Microsoft is trying to create a proper security update to protect against the flaw – but in the meantime, a temporary “Fix-It” tool, dubbed “CVE-2013-3893 MSHTML Shim Workaround”, is available.


It’s worth underlining that unlike most fixes from Microsoft, this Fix-It tool will not be automatically rolled out to millions of users. If you want to protect your copy of Internet Explorer from having the flaw exploited, you need to download and run the tool.

And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper, permanent and reliable patch for the problem with appropriate haste.

My advice is that Windows users should run the Fix-It tool, especially if they use Internet Explorer to visit websites.

Further mitigations and workarounds are detailed in the Microsoft blog post and in an accompanying support advisory.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Zero day IE flaw exploited in targeted attacks. Microsoft releases temporary fix”

  1. spryte

    Thanks for the heads-up.

    I do not use IE but it is hooked to Windows so I'll fix it.
