Bypassing Microsoft’s Internet Explorer 0day “Fix It” Patch for CVE-2012-4792

Update: After we reported our bypasses to Microsoft, they released the MS13-008 bulletin to patch CVE-2012-4792 officially.

After posting our analysis of the current 0day in Internet Explorer which was used in a “watering hole” style attack hosted on the Council for Foreign Relations website, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability. After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week.

We have included details on the bypass to customers of our intelligence feeds and will notify Microsoft of the issue. In practice with coordinated vulnerability disclosure, we intend to update this post with details when Microsoft has addressed the problematic patch.

For more information, keep an eye on this post or contact us to inquire about our offerings.