Microsoft admits zero-day bug in IE8, pledges patch
Invincea was the most aggressive in its claims. After noting that the infected Department of Labor website listed "nuclear-related illnesses linked to Energy facilities and toxicity levels at each location that might have sickened employees developing atomic weapons," it concluded that the real targets were Department of Energy employees or officials who worked in nuclear weapons programs for the agency.
A zero-day vulnerability in IE8 raised the stakes for all users of that browser, said Mitchell of Invincea, not only government workers who had been targeted. "With this exploit being out in the wild, the potential risk for damage is high," he wrote in the Friday blog, and recommended that users switch to an alternate browser, such as Google's Chrome or Mozilla's Firefox, until Microsoft delivers a patch.
The flaw could be used by other hackers to construct "drive-by" attacks, those triggered as soon as an unpatched browser visits a compromised website, to infect large numbers of PCs.
Meanwhile, Microsoft urged users of Vista and Windows 7 to upgrade from IE8 to IE9 and IE10, respectively. People running Windows XP -- the apparent target of the watering hole attacks -- have no such option, as neither IE9 or IE10 run on the 12-year-old operating system. The newest versions of Chrome and Firefox, however, do support Windows XP.
Customers can also deploy the Enhanced Mitigation Experience Toolkit (EMET), to lock down IE8, making exploits more difficult for hackers. EMET 3.0 or the beta of EMET 4.0 can be downloaded from Microsoft's website.
While it's possible that Microsoft will craft a patch for the vulnerability in time to include it in the scheduled May 14 updates, it's more likely the company will issue a fix outside of that schedule, as it did in January. Then, Microsoft took 16 days from issuing an advisory to patching IE. If it followed the same timetable with the newest flaw, it would ship a fix after this month's Patch Tuesday.
Microsoft credited researchers at FireEye and iSIGHT Partners, a Dallas, Texas security firm, with reporting the IE8 zero-day. iSIGHT Partners, like Invincea, supplies government agencies with security software.
This article, Microsoft admits zero-day bug in IE8, pledges patch, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts