Microsoft rushes fix for Internet Explorer vulnerability

Microsoft on Monday is planning to distribute an emergency fix for an Internet Explorer (IE) vulnerability that is being used in targeted attacks.

The software giant announced Sunday that it would release a single "critical" patch for the issue, which affects the supported versions IE 6, 7 and 8, but not version 9. Microsoft previously issued a temporary workaround.

The flaw became known last month when it was used as part of a so-called "watering hole" attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape U.S. foreign policy.

The site was hijacked with malicious JavaScript to serve an Adobe Flash exploit, which in turn triggered a heap-spray attack, according to researchers at security firm FireEye. The malware was delivered to users whose operating system language was set to English, Chinese, Japanese, Korean or Russian.

Security firm Symantec has linked this exploit and others taking advantage of the IE bug to a string of recent espionage attacks spearheaded by a group of hackers dubbed the "Elderwood Project," possibly based in China.

Microsoft has acknowledged in an advisory that the vulnerability has been used in a limited number of targeted attacks. At least one other organization, Chatsworth, Calif.-based microturbine systems supplier Capstone Turbine Corp., had its website compromised to take advantage of the bug, security researcher Eric Romang has reported in a blog post.
