Feeds

Microsoft scrambles to thwart new Internet Explorer 0-day attack

Patch Tuesday can't come soon enough

Internet Security Threat Report 2014

Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.

The security flaw (CVE-2012-4792) - which affects IE 6, 7 and 8 but not the latest versions of Microsoft's web browser software - allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.

Redmond has released a temporary Fix It (easy-to-apply workaround) pending the development of a more comprehensive patch.

The flaw was initially discovered by security tools firm FireEye on the Council on Foreign Relations website on 27 December.

The attack had been running for at least a week, and perhaps longer, before it was detected. Retrospective analysis by Sophos suggests the same exploit was used on at least five additional websites, suggesting assaults using the bug are far from limited.

"While the assaults appeared to be targeting a small number of sites, there is no obvious link between the victims," noted Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. "Some are referring to this as a 'watering hole' attack*, but the evidence we have doesn't necessarily support that conclusion."

Security watchers advise either applying Redmond's workarounds, upgrading to IE 9 or using an alternative browser - at least until a proper patch becomes available. The next patch Tuesday is coming up on 8 January. This doesn't give Microsoft much time but given the high-profile nature of the vulnerability it's likely that Redmond will release a patch sooner rather than later. ®

* Watering hole attacks have become a feature of cyber-espionage attacks over recent months. Instead of infecting the website of a military contractor or government agency directly, hackers compromise the website of a third party that is frequently visited by users who also visit the targeted organisation. This might be the website of a local sports team or a site with content relevant to the core business of the targeted organisation, for example.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.