Microsoft issues temporary fix for zero-day IE vulnerability

Share this article:

Microsoft has released a workaround for a zero-day vulnerability affecting versions 6, 7 and 8 of Internet Explorer.

The flaw became known when it was used as part of a so-called "watering hole" attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.

About two weeks ago, the site was hijacked with malicious JavaScript to serve an Adobe Flash exploit, which in turn triggered a heap-spray attack, according to researchers at security firm FireEye. The malware was delivered to users whose operating system language was set to English, Chinese, Japanese, Korean or Russian.

Microsoft on Saturday acknowledged in an advisory that the vulnerability has been used in a limited number of targeted attacks. At least one other organization, Chatsworth, Calif.-based microturbine systems supplier Capstone Turbine Corp., had its website compromised to take advantage of the bug, security researcher Eric Romang said Wednesday in a blog post.

On Monday, Microsoft released a Fix-It tool, which, if applied, "prevents the vulnerability from being used for code execution without affecting your ability to browse the web," Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing, wrote in a blog post. Users also can upgrade to IE 9 or 10, which are not affected by the issue.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

President signs Executive Order to improve payment security

President signs Executive Order to improve payment security

President Obama signed an Executive Order at the Consumer Financial Protection Bureau calling for enhanced security measures, including microchips and PINs.

Security, tech firm coalition fights Hikit actors, other advanced groups

Security, tech firm coalition fights Hikit actors, other ...

The coalition began as an effort to stop the spread of the Hikit trojan, previously known for targeting U.S. defense contractors.

Phishing email delivers keylogger malware, also takes screenshots

Phishing email delivers keylogger malware, also takes screenshots

The malware has various features, including the ability to start persistently, take screenshots and bypass user access controls.