Ryan Naraine at his ZDNet blog has an article about Microsoft’s ‘Fix-It’ workaround for the Zero Day Internet Explorer Exploit.
Microsoft did not fix this with the ‘Patch Tuesday’ updates despite the fact that it was being actively exploited! Thankfully, they have now provided a workaround that I highly recommend folks take advantage of, especially if you regularly use Internet Explorer, or even if you use Windows but have Firefox or another browser as your default browser.
As Ryan Naraine notes,
The workaround [e]ffectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer.
The workaround, available here, comes on the heels of the public release of exploit code into the freely available Metasploit pen-testing framework.
The link goes to the Microsoft website for KB981374.
Microsoft, in that KB article, urges users to upgrade to Internet Explorer 8 because it is NOT vulnerable to this attack.
Of course, those still running Windows 2000 will not be able to make use of that suggestion, as they are stuck using IE6 and have no recourse to fix this issue since it is ‘out of cycle’ now.
Windows 2000 users (or users of — God forbid! — earlier versions of Windows) should have upgraded, or should be actively taking steps to upgrade or replace their outdated operating systems ASAP.
The KB article has two sets of Fix-It buttons:
One set is to disable/enable peer factory in iepeers.dll.
One button disables peer factory in iepeers.dll automatically on supported versions of Windows XP and Windows Server 2003, and the other enables it again.
The other set is to enable/disable DEP (Data Execution Prevention) automatically.
According to a Microsoft TechNet article, Microsoft is also considering an out-of-band emergency patch to Internet Explorer to correct the flaw.