Microsoft Releases Fix It Tool to Address IE 10 Attacks

Microsoft issued a fix-it tool to help users address a security vulnerability targeted in attacks against Internet Explorer 10.

The issue, which also affects Internet Explorer 9, can be exploited to remotely execute code if a user visits a malicious or compromised site. So far, the bug has been spotted being used in attacks against visitors to the Veterans of Foreign Wars website as well as attacks targeting people interested in GIFAS, the French aerospace industries association. 

According to Microsoft, the vulnerability exists in the way IE accesses an object in memory that has either been deleted or not properly allocated. The vulnerability can corrupt memory in a way that allows an attacker to execute arbitrary code, Microsoft explained in an advisory.

Neil Sikka of Microsoft Security Response Center Engineering blogged that the exploit uses JavaScript to trigger the use-after-free condition and then uses Flash to convert a write primitive into a read/write primitive that enables Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to be bypassed.

“The primitive conversion happens by redirecting a write based on a freed object’s data (which has now been reallocated by the attacker) to corrupt a size field inside a Flash object,” Sikka blogged. “The corrupted size field in the Flash object is used to read and write outside of the object’s boundary, allowing discovery of module addresses in Internet Explorer’s Address Space. We are not aware of any elevation of privilege or sandbox escape vulnerability being used to “break out” of the Internet Explorer Protected Mode sandbox. Therefore, even after the exploit gains code execution, it still needs a non-trivial element to result in a persistent compromise of the computer.”
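The following is an added illustration, not code from Microsoft, Adobe or the exploit: a simulated heap in C showing why an accessor that trusts an in-object size field reads past the object once that field is overwritten, and how checking the length against an out-of-line copy detects the tampering. The object layout, cookie value and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated heap: every access stays inside this array, so nothing here is real UB. */
#define ARENA_SIZE 64u
static uint8_t arena[ARENA_SIZE];

#define VEC_OFF  0u                        /* hypothetical vector: 4-byte length, then data */
#define VEC_CAP  8u                        /* bytes actually allocated for its data */
#define NEXT_OFF (VEC_OFF + 4u + VEC_CAP)  /* neighbouring object starts here */
#define COOKIE   0xA5C3F00Du               /* constructed stand-in for a per-process secret */
static uint32_t len_check;                 /* out-of-line copy: length XOR cookie */

static uint32_t load_len(void) { uint32_t n; memcpy(&n, arena + VEC_OFF, 4); return n; }
static void store_len(uint32_t n) { memcpy(arena + VEC_OFF, &n, 4); }

void setup(void) {
    memset(arena, 0, sizeof arena);
    store_len(VEC_CAP);
    len_check = VEC_CAP ^ COOKIE;
    memset(arena + VEC_OFF + 4u, 0x11, VEC_CAP);  /* the vector's own data */
    memset(arena + NEXT_OFF, 0xEE, 8);            /* stands in for a neighbour's data */
}

/* Models the redirected write: a stale pointer lands on the length field. */
void stale_write(uint32_t value) { store_len(value); }

/* Weak accessor: trusts the in-object length. Returns -1 when idx is rejected. */
int read_unchecked(uint32_t idx) {
    if (idx >= load_len()) return -1;
    if (idx >= ARENA_SIZE - (VEC_OFF + 4u)) return -1;  /* keep the simulation in bounds */
    return arena[VEC_OFF + 4u + idx];
}

/* Hardened accessor: the length must match the out-of-line copy. Returns -2 on tamper. */
int read_checked(uint32_t idx) {
    uint32_t n = load_len();
    if ((n ^ COOKIE) != len_check) return -2;
    if (idx >= n) return -1;
    return arena[VEC_OFF + 4u + idx];
}

int main(void) {
    setup();
    stale_write(0x40);  /* length now claims 64 bytes instead of 8 */
    printf("unchecked=%d checked=%d\n", read_unchecked(8), read_checked(8));
    return 0;
}
```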

The one-click Fix It tool addresses the known attack vectors. According to researchers at Seculert, there are at least two different groups using the exploits in attacks, with one being behind the attacks on the VFW site and the other related to GIFAS. This is contrary to earlier reports connecting the two campaigns.

“Our analysis reveals that a totally different malware than ZXShell, the culprit as identified by FireEye, was used and has the following capabilities: backdoor (Remote Access Tool), downloader, and information stealer,” blogged Seculert CTO Aviv Raff. “The malware drops 2 files: MediaCenter.exe – a copy of itself, and MicrosoftSecurityLogin.ocx, which is registered as an ActiveX – used by malware to steal information from browsing sessions. Once installed the malware communicates with a criminal command and control server (C&C). Seculert’s investigation has concluded that the C&C is hosted on the same server as the exploit, located in the United States. Moreover, typical red flags would remain unraised as the malware itself has a valid digital certificate. The certificate belongs to MICRO DIGITAL INC. and is valid since March 21, 2012.”

According to Raff, the command and control server of the attack on the aerospace engineer manufacturer is located on the same US-based server as the IE exploit, while the other attack uses a different command and control server.

In addition to the Fix It tool, Microsoft also urged users to upgrade to IE 11, which is not vulnerable to the attacks. The company did not offer a timeline as to when a patch would be available. 

“We continue to work on a security update to address this issue,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. “We are monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.”
