Vendor Ships Unofficial Patch for IE Zero-Day Vulnerability
2021-02-15 14:43

Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer that North Korean hackers are believed to have exploited in a campaign targeting security researchers.

South Korean security vendor ENKI published a report on the IE zero-day in early February, claiming that North Korean hackers leveraged it to target its researchers with malicious MHTML files leading to drive-by downloads of malicious payloads.

Microsoft has confirmed receiving a report on the vulnerability through an "incorrect channel," and said that it was committed to investigating the report and delivering a patch as soon as possible.

On Thursday, ACROS Security announced that an unofficial patch for the vulnerability is now available through its 0patch service.

To address the bug, the unofficial patch no longer allows "an HTML Attribute value to be an object." With only 5 or 6 CPU instructions, the patch should fully prevent exploitation, ACROS Security says.

The first batch of patches is being delivered to Windows systems that run the January 2021 Patch Tuesday updates and to those last updated in January 2020.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/9lyt2v4x7RE/vendor-ships-unofficial-patch-ie-zero-day-vulnerability