In mid-September, Microsoft rushed out a "Fix-it" patch for all versions of Internet Explorer. The patch was designed to close an exploit, CVE-2013-3893, that was previously discovered in all versions of Microsoft's web browser that was already being used by hackers. However, Microsoft has yet to issue a final patch to fix the IE security hole via its Automatic Update feature.
This week, a developer issued an exploit module for the IE flaw in the open-source Metasploit penetration testing tool. PCWorld reports that while this tool is normally used by security developers, hacker groups have also been known to use the software as the basis to create their own attacks. Jaime Blasco, the manager of the research team at security firm AlienVault, stated, “I’m sure if Metasploit includes this exploit we will see an increase on widespread exploitation."
While the "Fix-it" patch can close the issue in all versions of IE, it is a manual download and thus will not reach all users of the browser. Microsoft is scheduled to release some new automatic security patches on October 8th as part of its monthly "Patch Tuesday" cycle, but it's currently unknown if the IE patch will be included in the list of new updates.
Source: PCWorld | Image via Microsoft