Researchers claim they have bypassed Microsoft’s Internet Explorer zero-day fix-it patch

Reading time icon 1 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

A malicious JavaScript was found exploiting a vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, while Internet Explorer 9 and Internet Explorer 10 were not affected. The zero day flaw came to light after the Council on Foreign Relations website was hacked and was hosting the code as early as December 21st.

Microsoft issued a temporary Fix-it patch for the vulnerability but now researchers are claiming that they have bypassed the patch and were able to compromise a fully-patched system. “After posting our analysis of the current 0day in Internet Explorer which was used in a “watering hole” style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability. After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” the researchers stated.

The researchers have notified Microsoft with details of how they were able to bypass the patch and Microsoft is still working on releasing an official patch.

User forum

0 messages