08
May 13

A Stopgap Fix for the IE8 Zero-Day Flaw


Microsoft has released a stopgap solution to help Internet Explorer 8 users blunt the threat from attacks against a zero-day flaw in the browser that is actively being exploited in the wild.

Microsoft is working on an official fix for the IE8 bug. In the meantime, affected users should take advantage of the interim fix that the company released today. It is a one-click fix-it tool that does not require a system restart to take effect.

To do that, visit this link with IE8 and click the fix-it icon under the “Enable” heading. If you need to remove this workaround for any reason, just head back to that page and click the fix-it image beneath the “Disable” heading.


21 comments

  1. john senchak

    A true “A Stopgap Fix” is to use either Firefox or Google Chrome

  2. And again, like the last IE 8 zero day, I feel this is taking advantage of the large Windows XP market share, especially work place environments, who are probably trying to hold out until April 8, 2014 (XP End of Life, no more windows updates or support)

    Windows XP users can’t update their IE beyond IE 8, and work places usually frown upon using anything that isn’t pre installed. So, very large userbase stuck with IE 8 still.

    • Actually IE6 is preinstalled (at least for SP2 & SP3), IE7 and IE8 for XP are both upgrades.

      • Greg in Colorado

        In my workplace, the pre-installed (pre-imaged) “standard” machines were XP with IE-8 upgrades already completed. Maybe that’s the type of preinstallation Vee meant. Either way, I find too many things I can’t seem to accomplish with crummy ol’ IE-8. And now…they recently started upgrading us to W7-EntPro with IE-8…because it’s “more secure.”

        • Yeah. And then the Win7 examples that you and Stratocaster mention on top of that. Sort of like when places keep outdated Java around, because updating breaks something.

  3. Funny, a stopgap that Microsoft won’t give any technical details about. A shim that does what exactly? What about user impacts? Until Microsoft does the right thing, this is a black box, apply at your own risks.

    • Might be a black box, but I’ve applied the FixIt patch to all 3 of my XP machines without any issues arising (so far, at least), just to be on the safe/cautious side, even though I don’t use IE very much and try to avoid doing so (FF is my primary browser).

      Of course, a lot of XP users would have been more than willing to upgrade to Win7 (heck, even poor Vista) and ditch IE8 completely before now had M$ provided a reasonable and direct upgrade path, but noooooo — gotta force ‘em to get the updated OS as part of a new hardware purchase or by a convoluted and tedious process of wipe, replace and reinstall all of the applications and data on the user’s existing hard drive.

    • Hi Sly,

      I acknowledge your caution about this stopgap fix but it can easily be removed if you experience any issues with it. The uninstall link is available in the following blog post:

      http://blogs.technet.com/b/srd/archive/2013/05/08/microsoft-quot-fix-it-quot-available-to-mitigate-internet-explorer-8-vulnerability.aspx

      I hope this helps. Thank you.

      • Can't We All Just Get Along?

        N.B.: The Fix it workaround isn’t just “can easily be removed” but SHOULD BE REMOVED according to the blog post:

        “Applying this workaround will not interfere with the installation of the final security update that will address this issue. However, applying the workaround will have a small effect on the startup time of Internet Explorer. Therefore, after you apply the yet-to-be-released final security update, you should uninstall the Fix it workaround as it will no longer be needed.”

        Presumably, not adopting the Fix doesn’t affect the use of IE8 for Windows Updates — with the superior performance and security of Firefox and Chrome, that’s all I ever use IE8 on XP machines for anymore.

        • Hi Can’t We All Just Get Along?,

          ——————–
          N.B.: The Fix it workaround isn’t just “can easily be removed” but SHOULD BE REMOVED according to the blog post:
          ——————–

          You are totally correct. My apologies, I was simply trying to address Sly’s immediate concern and presumed that they would remove the Fix It after the final patch is made available. I should NOT have assumed this and should have mentioned your very valid point explicitly.

          Thanks for clearing up any confusion that I have caused. My apologies for causing this confusion in the first place.

          • Can't We All Just Get Along?

            No apology necessary, JimboC — that little word “should” is buried late and not at all highlighted in the blog post as it should be. Your rapid response post of the Technet info and link is much appreciated.

            And, I agree with you entirely about the final resolution. I can’t fathom why the final security update patch wouldn’t undo what the temporary Fix it workaround does… I mean, you install the patch via Windows Update and reboot your computer, and the patch can’t clean up what the Fix it modified?

            I’m no assembly language programmer, but c’mon, this operating system just continues to seem like one giant house of cards, and they’re still adding more cards! ;-)

  4. Thanks very much, Brian. I got a strange message when I tried to install the fix — it said the fix did not apply to my operating system or application version — Windows 7, 64-bit.

    • If you’re not running IE8, the patch isn’t required. If you are running IE8 with Win7 x64, it would have been applied but WHY should that older IE version be installed at all?

      • Stratocaster

        Because that’s the machine image that corporate IT created: Win7, IE8. No doubt because there are corporate Web apps which die with IE9/10.

  5. Shortest Krebs article in recent memory.
    But, Thanks anyway!

  6. Typically FixIt’s can be automated. I’ve done it in the past, and plan to start testing now. We’ve successfully deployed previous FixIt’s with Secunia CSI once we broke down the manual procedures.

  7. It’s time to move to Google Chrome.. or at least a current version of IE.

  8. It’s time to move to Google Chrome.. or at least a current version of IE.

  9. Stratocaster

    Bulletin 2 in this advance notice appears to address this issue: http://technet.microsoft.com/security/bulletin/ms13-may
