Internet Explorer 11 zero-day vulnerability gets a free micropatch

Internet Explorer

An Internet Explorer 11 zero-day vulnerability used against security researchers, not yet fixed by Microsoft, today received a micropatch that prevents exploitation.

Last month, Google and Microsoft disclosed that the North Korean state-sponsored hacking group known as Lazarus was conducting social engineering attacks against security researchers.

As part of these attacks, the threat actors would contact security researchers via social media and ask if they wanted to collaborate on vulnerability and exploit research. Those interested were sent links to blog posts containing exploit kits, malicious Visual Studio projects, or MHTML files that would install a custom backdoor.

While investigating these attacks, though, the command and control servers were down, so it was impossible to see what exploits were used in these attacks.

Internet Explorer zero-day used in attacks

This month, South Korean cybersecurity firm ENKI disclosed that Lazarus targeted their security researchers with MHTML files in the same social engineering campaign.

Malicious MHTML file sent to researchers
Malicious MHTML file sent to researchers

An MHT file, or MIME HTML, is a special file format used by Internet Explorer to store a web page and its resources in a single archive file.

When an MHT file is launched, Windows will automatically use Internet Explorer to open the file as it is configured as the default file handler.

ENKI states that their researchers were not infected and were able to analyze the payloads to discover an Internet Explorer 11 zero-day used in the attack.

Free IE 11 micropatch released

At this time, Microsoft has not publicly acknowledged the Internet Explorer zero-day or assigned a CVE identifier to the vulnerability.

Furthermore, Mitja Kolsek, CEO of ACROS Security and co-founder of the 0patch micropatching service, has confirmed that the vulnerability has not been fixed during the February Patch Tuesday.

Today, 0Patch announced that they have begun to push out a micropatch for the Internet Explorer 11 vulnerability as it was actively used in attacks.

“Our approach to patching was to break an obscure browser functionality allowing an HTML Attribute value (normally a string) to be an object, which we assess to be…