Microsoft has released a “FixIt” workaround patch for the Internet Explorer vulnerability (in IE versions 6, 7, and 8) that I wrote about yesterday; the Security Advisory (2794220) has been updated to reflect this change. Microsoft has also released a Knowledge Base article that contains links to the installation programs to enable, or disable, the workaround. This is not a patch for the underlying vulnerability, but a sort of “quick fix” that prevents exploits from working.
If you are using a Windows system that requires the workaround, you can install it directly from the Knowledge Base page. Alternatively, you can save the file to disk, and then run it manually on one or more other systems. There is also a link to disable the workaround, in case it causes problems with your system.
Another mitigation step suggested in the Security Advisory is the use of a Microsoft utility, the rather Orwellian name of which is the Enhanced Mitigation Experience Toolkit (EMET). The EMET utility implements a variety of general-purpose protections against malicious software. It can be quite an effective tool, but it does involve some risk of incompatibility with particular applications. I strongly suggest that you test it carefully before installing it on critical systems. A general description and download links are in the Knowledge Base article (2458544), “Enhanced Mitigation Experience Toolkit”. For more detailed and technical information on EMET, a TechNet blog post describes the latest version (3.0).
Since an example exploit seems to have been posted on the Web, I think it is prudent to take this vulnerability seriously. If you have a vulnerable version of Internet Explorer, I suggest that you take one or more of these steps:
- Switch to a different browser (e.g., Firefox or Chrome) and avoid Internet Explorer
- Upgrade to Internet Explorer version 9 or 10 (not possible on Windows XP systems)
- Apply the FixIt workaround, and possibly EMET if it’s workable in your environment
On Thursday, January 3, Microsoft should be announcing the security bulletins it will release this month. I hope that a regular patch for this vulnerability can be ready in time to be included in that batch, which should be released Tuesday, January 8.