Security firm: We have bypassed Microsoft's IE6-8 "Fix it" patch

Earlier this week, Microsoft released a "Fix it" patch for Internet Explorer 6, 7, and 8 that was designed to close an exploit that was already being used by hackers. Now a security firm has announced it has found a way to bypass the patch, which if discovered by hackers could keep that IE exploit open.

Exodus Intelligence's blog site claims that it took less than a day of work to find issues with the patch. It added, "... we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week." The company says it plans to release its findings to Microsoft.

The zero-day problem with IE6-8 was first discovered when hackers attacked the website of the Council on Foreign Relations last week and caused that site to host malicious content. The exploit was delivered as a heap spray attack conducted via Adobe Flash. As we have previously noted, this browser issue does not affect IE9 or IE10.

Microsoft announced on Thursday it would issue five security updates for various software products on Tuesday as part of its regular monthly patch event. However, those updates won't include anything for any versions of IE.

Source: Exodus Intelligence | Hacker image via Shutterstock
Via: The Next Web

18 Comments

It's obvious that MS would release a half-assed patch; after all, MS wants corporations to migrate to newer Windows.

Planned obsolescence, dude.
So please cough up more $$$, MS demands it.

Sheesh! Sure wish the people who keep saying MS should just quit supporting XP would drop over. If nothing else, they should be about tired of hearing themselves saying this, especially since there's still another year + of official support for it!

As was stated in this thread at least 3 times, companies cannot afford to update just because MS feels like playing Linux and thinks it has to come out with a new OS every 2 years!!

So you bypassed a patch that wasn't even supposed to close the security hole in the first place, just mitigate its exploitation and render all existing exploits in the wild ineffective? Great job, security "experts"!

link6155 said,
Funny how people expect Microsoft to keep these old browsers alive

Quite frankly this is why they should adopt a (silent by default) rapid release/update model in future IEs. More or less force people to the newest version - no supporting defunct/insecure browsers, plus websites can move at the pace of the modern world and not 5-10 year old browsers.

HawkMan said,
IE10 does.

Allegedly lol. Has anybody actually seen this mechanism in action beyond the checkbox on the about screen?

link6155 said,
Funny how people expect Microsoft to keep these old browsers alive

The unfortunate thing is that this isn't because of the typical end user/consumer that expects this. It's the corporate enterprise, many of whom don't want to spend the money to upgrade their systems and/or re-write any internal applications (and test) to support newer browsers (my company included) and are still stuck on WinXP. It's being cheap and lazy.

TCLN Ryster said,

Allegedly lol. Has anybody actually seen this mechanism in action beyond the checkbox on the about screen?

IE11 hasn't been released yet, so... no.

link6155 said,
Funny how people expect Microsoft to keep these old browsers alive

Funny how you seem to have missed the software licensing agreement. What business would buy software that had support for only a year, after which you had to upgrade everything to get any security patches?

People still stuck on XP, especially in corporate environments, have little other choice. Same with a lot of public institutions like libraries.

Javik said,
People still stuck on XP, especially in corporate environments have little other choice. Same with a lot of public institutions like libraries.

Usually it's used for a lot of their internal, old software, but why are users allowed to browse the internet? If they are allowed to browse, then why not with a 3rd-party browser?

Because in most cases, any browser other than IE is not centrally manageable in the same way that IE is with Group Policy.

How about applications/sites that do not work properly and play nice with every version of IE? Even compatibility mode doesn't work as it should. Not to mention a lot of companies are still running older software, some in-house, that will not run on anything higher than WinXP. So there are still a ton of IE7/IE8 users out there. Not all companies have time/money to update their software to support higher Windows versions, especially with a new version of Windows coming every couple of years or so. Not cheap/easy to keep up for everyone.