Patch/Configuration Management, Vulnerability Management

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks


Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

In total, the software giant expects to deliver 10 patches on Tuesday, although only two are rated "critical." Both of those address IE issues, and experts believe one of them will remediate a zero-day vulnerability affecting version 8 of the popular web browser.

Microsoft disclosed the vulnerability last weekend after reports emerged of a "watering hole" attack going after a section of the U.S. Department of Labor website, with the intended targets apparently being those who conduct nuclear weapons research.

No fewer than nine other sites also were clandestinely seeded with an exploit that takes advantage of the vulnerability. Each of the affected sites are related to energy-related organizations, and researchers believe the malware campaign has been ongoing since mid-March.

Two days ago, Microsoft announced that it has made a Fix-It available to address "known attacks that leverage the vulnerability to execute code," according to a blog post from Dustin Childs, a company spokesman. No restart is required. 

Aside from the critical fixes, Redmond is planning "important" patches for Windows, Office, Server and Tools and the .NET Framework.

Coinciding with the security update, Adobe on Tuesday plans to release fresh versions of its Reader and Acrobat software to address "critical" vulnerabilities, according to an advisory.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.