A malicious JavaScript was found exploiting a vulnerability in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, while Internet Explorer 9 and Internet Explorer 10 were not affected. The zero day flaw came to light after the Council on Foreign Relations website was hacked and was hosting the code as early as December 21st.
Microsoft issued a temporary Fix-it patch for the vulnerability but now researchers are claiming that they have bypassed the patch and were able to compromise a fully-patched system. “After posting our analysis of the current 0day in Internet Explorer which was used in a “watering hole” style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability. After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” the researchers stated.
The researchers have notified Microsoft with details of how they were able to bypass the patch and Microsoft is still working on releasing an official patch.
