
Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects
2020-01-21 15:50

ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer.

Remote code execution vulnerability affecting IE

Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which they know is being exploited in "limited targeted attacks".

"Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers," the company explained, and offered information on mitigations and a temporary workaround.

"This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript, this application will no longer work in your browser," explained Mitja Kolsek, CEO of ACROS Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.

Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround without its negative side effects.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/MnKY5MZUvZk/