A third-party patch for Microsoft’s Internet Explorer zero-day vulnerability

The news that Windows users could potentially be at risk from an Internet Explorer vulnerability (even if they didn’t use Internet Explorer as their browser) was made all the more worrying by Microsoft’s seeming lack of urgency to produce a patch.

Maybe Microsoft will produce a fix in due course, but in the meantime the smartypants at ACROS Security say that they have developed a micropatch that can protect against the XML eXternal Entity (XXE) attack in boobytrapped .MHT files.

In a blog post, the researchers say that they have uncovered a mix of documented and undocumented security features that may have led to a confusion in Internet Explorer’s code, and resulted in the vulnerability.

Sign up to our newsletter
Security news, advice, and tips.

The third-party patch is free for personal and educational use, and covers Windows 10 version 1803 and Windows 10 version 1809.

Obviously it’s your choice whether you wish to trust a third-party patch for Microsoft’s code or not. You may prefer to simply uninstall Internet Explorer from your Windows PCs if you have no use for it anymore.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.