Last week, Slovenia-based cybersecurity testing firm ACROS Security announced the release of an unofficial micropatch for a zero-day vulnerability in Microsoft Internet Explorer (IE) that North Korean hackers are suspected to have exploited in a campaign targeting security researchers.
In early February, South Korean security provider ENKI published a report on the IE zero-day, alleging that North Korean hackers used it to attack its researchers with malicious MHTML files that led to drive-by downloads of malicious payloads.
Microsoft acknowledged that it received a vulnerability report through an “incorrect channel,” and said it was committed to reviewing the report and providing a fix as quickly as possible.
However, the security fixes that Microsoft issued last week as part of its February 2021 Patch Tuesday did not include a fix for this zero-day.
ACROS Security reported on Thursday that an unofficial patch for the vulnerability is now available via its 0patch program.
We have just issued the first batch of micropatches for the Internet Explorer HTML Attribute nodeValue Double Free 0day, which affects all Windows workstations and servers from (at least) Windows 7 and Server 2008 R2 to the very latest supported versions, even if fully updated. pic.twitter.com/Ufx4YFgSBE
— 0patch (@0patch) February 11, 2021
The company announced: “We have just released the first batch of micropatches for the Internet Explorer HTML attribute nodeValue Double Free 0day, which affects all Windows workstations and servers from (at least) Windows 7 and Server 2008 R2 to the most recent versions supported, even if completely modified.”
The company said it partnered on the release of this patch with ENKI, which shared its proof-of-concept to assist with development of the fix.
“The vulnerability is double-free, triggered by twice clearing the HTML attribute value of Internet Explorer,” ACROS Security revealed.
When the user visits a malicious website, the exploit that ENKI discovered leads to the execution of arbitrary code within Internet Explorer and does not require additional user interaction.
IE usage is low, but the browser is still present on Windows computers and is set as the default program for opening MHT/MHTML files. In addition, the browser is used internally at a large number of companies and can execute HTML content within Windows applications, ACROS states.
While Internet Explorer is not widely used for browsing web sites anymore, it is installed on every Windows computer and (a) opens MHT/MHTML files by default, (b) is being used internally in many large organizations, and (c) executes HTML content inside many Windows applications.
— 0patch (@0patch) February 11, 2021
To resolve the issue, the unofficial fix no longer allows “an HTML Attribute value (normally a string) to be an entity.” With only 5 or 6 CPU instructions, the patch can completely prevent exploitation, ACROS Security says.
The first set of patches is for Windows systems (32-bit and 64-bit) that run the January 2021 Patch Tuesday updates (Windows 7 + ESU, Windows 10, Server 2008 R2 + ESU, Server 2016, 2019) and for those that were last updated in January 2020 (namely Windows 7 and Server 2008 R2 without ESU).
A second round of patches is expected for devices that have the official February 2021 security updates installed.