Microsoft admits zero-day bug in IE8, pledges patch
Security experts suspect Chinese hackers using flaw to target nuclear weapons researchers running Windows XP
Computerworld - Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser.
According to multiple security firms, the vulnerability has been used in active exploits, including "watering hole"-style attacks against the U.S. Department of Labor and U.S. Department of Energy, targeting workers at the latter agency involved in nuclear weapons research.
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem.
No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
The watering hole attacks were first reported on Wednesday, when Fairfax, Va.-based Invincea and others said cyber criminals were exploiting an IE8 vulnerability Microsoft had patched in January. On Friday, however, Invincea retracted that, saying that the bug was an unknown vulnerability not yet patched by Microsoft.
"The exploit on the [Department of Labor] site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only, [via a] use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code," said Eddie Mitchell, a security engineer at Invincea, in a Friday blog post.
Invincea came to its conclusion after reproducing the attack on a Windows XP PC running a fully-patched copy of IE8, one that included the fix Microsoft issued nearly three months ago for CVE-2012-4792, the Common Vulnerabilities and Exposure database identifier for the flaw originally thought to be involved.
Also on Friday, FireEye claimed much the same, saying that it had also verified that IE8 on Windows 7 is vulnerable.
IE8 is the most widely-used of Microsoft's five supported browsers -- IE6 through IE10 -- accounting for an estimated 41% of all the Redmond, Wash. developer's browsers that went online in April.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
When the news broke earlier in the week of the watering hole attacks -- so named because attack code is placed on websites frequented by the targeted users -- Invincea and other security companies said they were designed to infect government PCs with the Poison Ivy remote administration tool, or RAT.
Poison Ivy is a well-known piece of malware often used by information thieves to siphon confidential documents and other files from corporate and government networks.
Security companies pointed fingers at Chinese hackers, saying that the latest were similar to past attacks that had targeted the Council on Foreign Relations (CFR) and Chinese dissidents in 2012. The attacks designed to infect users who visited the CFR website late last year prompted Microsoft to issue an "out-of-band," or emergency, IE update on Jan. 14.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Infographic: Converged Infrastructure Benefits This Infographic quantifies the savings organizations are realizing from increased deployment speed, higher availability, and lower annual costs.
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Malware and Vulnerabilities White Papers | Webcasts