According to a post on the company’s Security Research & Defense blog, the Fix it solution is meant to “reduce the attack surface of this vulnerability.” In other words, it is a temporary fix that will be replaced by a proper security update once one is available.
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” Microsoft warned in a security advisory. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
“On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26,” FireEye wrote in a blog post Friday.
“Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.”