Microsoft admits zero-day bug in IE8, pledges patch
Security experts suspect Chinese hackers using flaw to target nuclear weapons researchers running Windows XP
Computerworld - Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser.
According to multiple security firms, the vulnerability has been used in active exploits, including "watering hole"-style attacks against the U.S. Department of Labor and U.S. Department of Energy, targeting workers at the latter agency involved in nuclear weapons research.
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem.
No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
The watering hole attacks were first reported on Wednesday, when Fairfax, Va.-based Invincea and others said cyber criminals were exploiting an IE8 vulnerability Microsoft had patched in January. On Friday, however, Invincea retracted that, saying that the bug was an unknown vulnerability not yet patched by Microsoft.
"The exploit on the [Department of Labor] site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only, [via a] use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code," said Eddie Mitchell, a security engineer at Invincea, in a Friday blog post.
Invincea came to its conclusion after reproducing the attack on a Windows XP PC running a fully-patched copy of IE8, one that included the fix Microsoft issued nearly three months ago for CVE-2012-4792, the Common Vulnerabilities and Exposures database identifier for the flaw originally thought to be involved.
Also on Friday, FireEye claimed much the same, saying that it had also verified that IE8 on Windows 7 is vulnerable.
IE8 is the most widely-used of Microsoft's five supported browsers -- IE6 through IE10 -- accounting for an estimated 41% of all the Redmond, Wash. developer's browsers that went online in April.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
When the news broke earlier in the week of the watering hole attacks -- so named because attack code is placed on websites frequented by the targeted users -- Invincea and other security companies said they were designed to infect government PCs with the Poison Ivy remote administration tool, or RAT.
Poison Ivy is a well-known piece of malware often used by information thieves to siphon confidential documents and other files from corporate and government networks.
Security companies pointed fingers at Chinese hackers, saying that the latest attacks were similar to past ones that had targeted the Council on Foreign Relations (CFR) and Chinese dissidents in 2012. The attacks designed to infect users who visited the CFR website late last year prompted Microsoft to issue an "out-of-band," or emergency, IE update on Jan. 14.