Slovenia-based cybersecurity research company ACROS Security last week announced the release of an unofficial micro-patch for a zero-day vulnerability in Microsoft Internet Explorer (IE) that North Korean hackers are believed to have exploited in a campaign targeting security researchers.
South Korean security vendor ENKI published a report on the IE zero-day in early February, claiming that North Korean hackers leveraged it to target its researchers with malicious MHTML files leading to drive-by downloads of malicious payloads.
Microsoft has confirmed receiving a report on the vulnerability through an “incorrect channel,” and said that it was committed to investigate the report and deliver a patch as soon as possible.
However, a fix for this zero-day was not included in the security updates that Microsoft released last week as part of its February 2021 Patch Tuesday.
On Thursday, ACROS Security announced that an unofficial patch for the vulnerability is now available through its 0patch service.
“We have just issued the first batch of micropatches for the Internet Explorer HTML Attribute nodeValue Double Free 0day, which affects all Windows workstations and servers from (at least) Windows 7 and Server 2008 R2 to the very latest supported versions, even if fully updated,” the company announced.
The company said that for the release of this patch it worked together with ENKI, which shared their proof-of-concept to help with the development of a fix.
“The vulnerability is a double free, triggered by making Internet Explorer clear an HTML Attribute value twice,” ACROS Security revealed.
The exploit that ENKI discovered leads to the execution of arbitrary code inside Internet Explorer when the user visits a malicious website, and does not require additional user interaction.
IE’s usage is low, but the browser is still present on Windows computers and is set as the default application for opening MHT/MHTML files. Furthermore, the browser is used internally within a large number of organizations and can execute HTML content inside Windows applications, ACROS notes.
To address the bug, the unofficial patch no longer allows for “an HTML Attribute value (normally a string) to be an object.” With only 5 or 6 CPU instructions, the patch should fully prevent exploitation, ACROS Security says.
The first batch of patches is being delivered to Windows (32bit and 64bit) systems that run the January 2021 Patch Tuesday updates (Windows 7 + ESU, Windows 10, Server 2008 R2 + ESU, Server 2016, 2019) and to those last updated on January 2020 (namely Windows 7 and Server 2008 R2 without ESU).
A second batch of patches is set to arrive on systems that have the February 2021 set of official security updates installed.