A third-party patch for Microsoft’s Internet Explorer zero-day vulnerability

Don’t want to wait for Microsoft to fix the problem? Other security researchers come to the rescue.

A third-party patch for Microsoft's Internet Explorer zero-day vulnerability

The news that Windows users could potentially be at risk from an Internet Explorer vulnerability (even if they didn’t use Internet Explorer as their browser) was made all the more worrying by Microsoft’s seeming lack of urgency to produce a patch.

Maybe Microsoft will produce a fix in due course, but in the meantime the smartypants at ACROS Security say that they have developed a micropatch that can protect against the XML eXternal Entity (XXE) attack in boobytrapped .MHT files.

In a blog post, the researchers say that they have uncovered a mix of documented and undocumented security features that may have led to a confusion in Internet Explorer’s code, and resulted in the vulnerability.

Sign up to our free newsletter.
Security news, advice, and tips.

The third-party patch is free for personal and educational use, and covers Windows 10 version 1803 and Windows 10 version 1809.

Obviously it’s your choice whether you wish to trust a third-party patch for Microsoft’s code or not. You may prefer to simply uninstall Internet Explorer from your Windows PCs if you have no use for it anymore.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.