Internet Explorer 11 Zero-Day Vulnerability Gets Unofficial Micropatch

An Internet Explorer 11 zero-day vulnerability used against security researchers, not yet fixed by Microsoft, today received a micropatch that prevents exploitation.

Last month, Google and Microsoft disclosed that the North Korean state-sponsored hacking group known as Lazarus was conducting social engineering attacks against security researchers.

As part of these attacks, the threat actors would contact security researchers via social media and ask if they wanted to collaborate on vulnerability and exploit research. Those interested were sent links to blog posts containing exploit kits, malicious Visual Studio projects, or MHTML files that would install a custom backdoor.

When researchers investigated these attacks, however, the command and control servers were already down, so it was impossible to see which exploits had been used.

Internet Explorer zero-day used in attacks

This month, South Korean cybersecurity firm ENKI disclosed that Lazarus targeted their security researchers with MHTML files in the same social engineering campaign.

Malicious MHTML file sent to researchers

An MHT file, or MIME HTML, is a special file format used by Internet Explorer to store a web page and its resources in a single archive file.

When an MHT file is launched, Windows will automatically use Internet Explorer to open the file as it is configured as the default file handler.
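
Because double-clicking hands the archive straight to Internet Explorer, a received MHT file is better inspected statically. The following is an added example, not code from the article or from ENKI's analysis; the sample archive, the `example.test` URLs and the function name `triage_mht` are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed, benign sample archive (not from the campaign). The HTML part is
# quoted-printable with a soft line break that splits the "<script" token.
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; type="text/html"; boundary="----b1"\r\n'
    b"\r\n"
    b"------b1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Location: http://example.test/post.html\r\n"
    b"\r\n"
    b'<html><body><scr=\r\nipt src=3D"a.js"></script></body></html>\r\n'
    b"------b1\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Location: http://example.test/logo.png\r\n"
    b"\r\n"
    b"iVBORw0KGgo=\r\n"
    b"------b1--\r\n"
)

SCRIPT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)

def triage_mht(raw: bytes) -> list:
    """List every leaf MIME part of an MHT archive without rendering it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        # decode=True undoes base64 / quoted-printable, so the scan sees real bytes
        body = part.get_payload(decode=True) or b""
        report.append({
            "type": ctype,
            "location": str(part.get("Content-Location", "")),
            "size": len(body),
            "has_script": ctype in SCRIPT_TYPES
            or (ctype == "text/html" and bool(SCRIPT_TAG.search(body))),
        })
    return report

if __name__ == "__main__":
    for entry in triage_mht(SAMPLE_MHT):
        print(entry)
```

A plain byte search of the sample for `<script` finds nothing, because the transfer encoding splits the tag; scanning each part after decoding is what surfaces it.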

ENKI states that their researchers were not infected and were able to analyze the payloads to discover an Internet Explorer 11 zero-day used in the attack.

Unofficial IE 11 micropatch released

At this time, Microsoft has not publicly acknowledged the Internet Explorer zero-day or assigned a CVE identifier to the vulnerability.

Furthermore, Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch micropatching service, has confirmed that the vulnerability was not fixed during the February Patch Tuesday.

Today, 0patch announced that they have begun to push out a micropatch for the Internet Explorer 11 vulnerability, as it was actively used in attacks.

“Our approach to patching was to break an obscure browser functionality allowing an HTML Attribute value (normally a string) to be an object, which we assess to be useful to *very* few web developers whose apps are supposed to work with Internet Explorer.”

“Our micropatch gets applied inside the CAttribute::put_ie9_nodeValue function of mshtml.dll, where it checks the VARIANT type of the value that JavaScript code wants to assign to an attribute – and prevents that from happening if the type is 9 (object).” – 0patch

Until Microsoft comes up with an official patch, users can register an account at 0patch and install the agent to get access to this micropatch. The patch is free for personal non-profit/educational users.

The temporary fix from 0patch works for the following systems:

For Windows systems updated to January 2021 patches:

  • Windows 7 + ESU
  • Server 2008 R2 + ESU
  • Windows 10 v1809, v1909, v2004, v20H2
  • Windows Server 2016, 2019

For Windows systems updated to January 2020 patches:

  • Windows 7 w/o ESU
  • Windows Server 2008 R2 w/o ESU

“Internet Explorer is inherently present in all large organizations (even if not as the primary browser), and a vulnerability like this can very efficiently be used in an external or internal attack to compromise users’ workstations. We’d certainly use it in a penetration test,” Kolsek told BleepingComputer.
