Microsoft has released an emergency workaround for users of Internet Explorer, to protect against a “limited number” of targeted attacks being specifically directed at IE 8 and IE 9 – but which could potentially affect all versions of the web browser.
According to a blog post by Dustin Childs, a group manager for communications in Microsoft’s Trustworthy Computing group, the security hole can be exploited when users visit a boobytrapped webpage:
This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks.
Microsoft is trying to create a proper security update to protect against the flaw – but in the meantime, a temporary “Fix-It” tool, dubbed “”CVE-2013-3893 MSHTML Shim Workaround”, is available.
It’s worth underlining that unlike most fixes from Microsoft, this Fix-It tool will not be automatically rolled out to millions of users. If you want to protect your copy of Internet Explorer from having the flaw exploited, you need to download and run the tool.
And then, like the rest of the internet, you have to hope that Microsoft will roll out a proper and permanent reliable patch for the problem with appropriate haste.
My advice is that Windows users should run the Fix-It tool, especially if they use Internet Explorer to visit websites.
Details of further mitigations and workarounds are detailed in the Microsoft blog post and in an accompanying support advisory.
Thanks for the heads-up.
I do not use IE but is hooked to Windows so I'll fix it.