Microsoft admits zero-day bug in IE8, pledges patch
Security experts suspect Chinese hackers using flaw to target nuclear weapons researchers running Windows XP
Computerworld - Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser.
According to multiple security firms, the vulnerability has been used in active exploits, including "watering hole"-style attacks against the U.S. Department of Labor and U.S. Department of Energy, targeting workers at the latter agency involved in nuclear weapons research.
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem.
No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
The watering hole attacks were first reported on Wednesday, when Fairfax, Va.-based Invincea and others said cyber criminals were exploiting an IE8 vulnerability Microsoft had patched in January. On Friday, however, Invincea retracted that, saying that the bug was an unknown vulnerability not yet patched by Microsoft.
"The exploit on the [Department of Labor] site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only, [via a] use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code," said Eddie Mitchell, a security engineer at Invincea, in a Friday blog post.
Invincea came to its conclusion after reproducing the attack on a Windows XP PC running a fully-patched copy of IE8, one that included the fix Microsoft issued nearly three months ago for CVE-2012-4792, the Common Vulnerabilities and Exposure database identifier for the flaw originally thought to be involved.
Also on Friday, FireEye claimed much the same, saying that it had also verified that IE8 on Windows 7 is vulnerable.
IE8 is the most widely-used of Microsoft's five supported browsers -- IE6 through IE10 -- accounting for an estimated 41% of all the Redmond, Wash. developer's browsers that went online in April.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
When the news broke earlier in the week of the watering hole attacks -- so named because attack code is placed on websites frequented by the targeted users -- Invincea and other security companies said they were designed to infect government PCs with the Poison Ivy remote administration tool, or RAT.
Poison Ivy is a well-known piece of malware often used by information thieves to siphon confidential documents and other files from corporate and government networks.
Security companies pointed fingers at Chinese hackers, saying that the latest were similar to past attacks that had targeted the Council on Foreign Relations (CFR) and Chinese dissidents in 2012. The attacks designed to infect users who visited the CFR website late last year prompted Microsoft to issue an "out-of-band," or emergency, IE update on Jan. 14.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts