Microsoft has released a Fix it update for the zero-day vulnerability that affects Internet Explorer versions 6-8. All versions of Windows XP are potentially affected by the vulnerability, as they cannot use any version of Internet Explorer later than version 8. As malicious code has been identified in the wild, it is suggested that the Fix it provided by Microsoft be applied to all Windows XP systems. The Fix it is available from: http://support.microsoft.com/kb/2794220
Note: According to http://nakedsecurity.sophos.com/2012/12/31/zero-day-vulnerability-in-internet-explorer-being-used-in-targeted-attacks-fixit-now-available/, Sophos already protects against several different pieces of malware that have been seen in this exploit.
Update Jan 14 1:30 pm.
On Monday, Microsoft issued an OUT-OF-BAND patch for the vulnerability that has been actively exploited in Internet Explorer versions 6-8 on the following workstation and server operating systems:
- Windows 7 (32- and 64-bit)
- Windows Vista (32- and 64-bit)
- Windows XP (32- and 64-bit)
- Windows Server 2008 R2 (64-bit and Itanium)
- Windows Server 2008 (32-bit, 64-bit and Itanium)
- Windows Server 2003 (32-bit, 64-bit and Itanium)
The out-of-band patch can be downloaded from update.microsoft.com. The vulnerability is classified as CRITICAL for all workstation operating systems. For server operating systems, the vulnerability is classified as MODERATE. Additional details about the patch are available from the following URL: http://technet.microsoft.com/en-us/security/bulletin/ms13-008
Note: While the vulnerability could exist on workstation operating systems from Windows Vista onward, all of those operating systems should have previously been updated to Internet Explorer version 9 via a Microsoft browser push effort that took place in March 2011.