Pulse

By GCN Staff

Crocodile attacks in a watering hole

Microsoft acts to plug watering hole attack

Microsoft has issued a workaround for a zero-day vulnerability in Internet Explorer that was exploited in an attack on the Council on Foreign Relations’ website, according to Threatpost.

The vulnerability affects IE 6, 7 and 8 in some configurations (IE 9 and 10 are not affected), and Microsoft has released a Fix It workaround for it. A full patch could come with Microsoft's next scheduled Patch Tuesday release on Jan. 8, or the company could issue an out-of-band patch.

The vulnerability came to light after a nearly month-long watering hole attack on the CFR website that may have begun as early as Dec. 7. However, “We are only aware of a very small number of targeted attacks at this time,” Microsoft said in releasing the Fix It.

The Microsoft Security Advisory that describes the vulnerability noted that not all users of IE 6, 7 and 8 are at risk. For instance, IE on Windows Server 2003, 2008 and 2008 R2 isn’t vulnerable, because IE runs there in a restricted mode known as Enhanced Security Configuration, which mitigates the threat. Supported versions of Outlook, Outlook Express and Windows Mail also open HTML e-mail in the Restricted sites zone, where Active Scripting and ActiveX controls are disabled, the company said.

Microsoft recommends setting the Internet and Local intranet security zones to High, which blocks ActiveX controls and Active Scripting, and adding sites that legitimately need them to IE’s Trusted sites zone. Microsoft also recommends that administrators configure IE to prompt users before running Active Scripting, or disable it altogether, Threatpost said.
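The zone hardening above is ordinarily applied through Internet Options or Group Policy, but it is worth seeing what actually changes. The PowerShell below is an added example, not code from the GCN article, from Threatpost or from Microsoft's Fix It: it writes the per-user IE zone values the advisory's advice maps to, adds a trusted site, and first checks the IE major version and the server Enhanced Security Configuration flags so the hardening is only applied where the advisory says it matters. The hostname intranet.example.gov is a placeholder, and the script assumes a Windows host with IE installed.

```powershell
# Added example, not code from the GCN article or from Microsoft's Fix It.
# Applies the zone hardening the advisory recommends for the current user by
# writing the documented IE "Internet Settings" registry values, then reads
# the result back. Group Policy is the right tool for doing this fleet-wide.

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone IDs: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
# CurrentLevel templates: 0x10000 Low, 0x10500 Medium-low, 0x11000 Medium,
#                         0x11500 Medium-high, 0x12000 High
$LevelHigh = 0x12000
# Action 1400 = "Active scripting": 0 Enable, 1 Prompt, 3 Disable
$ActionActiveScripting = '1400'

function Set-IEZoneHardening {
    param(
        [int[]]$Zones = @(1, 3),                        # Local intranet and Internet
        [ValidateSet(1, 3)][int]$ActiveScripting = 3    # 1 = prompt, 3 = disable
    )
    foreach ($zone in $Zones) {
        $key = "$ZonesKey\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # CurrentLevel is the label the Internet Options slider shows; the
        # per-action values (such as 1400) are what IE enforces, so write both
        # rather than relying on the template value alone.
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $LevelHigh -Type DWord
        Set-ItemProperty -Path $key -Name $ActionActiveScripting -Value $ActiveScripting -Type DWord
    }
}

function Add-IETrustedSite {
    # Maps a host to zone 2 (Trusted sites): a DWORD named after the URL scheme
    # with value 2 under ZoneMap\Domains\<host>, the same layout the dialog writes.
    param([Parameter(Mandatory)][string]$HostName, [string]$Scheme = 'https')
    $key = "$ZoneMap\$HostName"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Get-IEZoneState {
    # Reads back the two values this script manages for each zone.
    param([int[]]$Zones = @(1, 3))
    foreach ($zone in $Zones) {
        $props = Get-ItemProperty -Path "$ZonesKey\$zone" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Zone            = $zone
            CurrentLevel    = if ($props) { '0x{0:X}' -f $props.CurrentLevel } else { $null }
            ActiveScripting = if ($props) { $props.$ActionActiveScripting } else { $null }
        }
    }
}

function Get-IEMajorVersion {
    # IE 10 and later report 9.x in 'Version' for compatibility; the real
    # version is in 'svcVersion'. The advisory covers IE 6, 7 and 8.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if (-not $ie) { return 0 }
    $v = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    [int](($v -split '\.')[0])
}

function Test-IEEnhancedSecurityConfiguration {
    # Windows Server records ESC state in two Active Setup components
    # (administrators and users); IsInstalled = 1 means ESC is on. The keys
    # are absent on client Windows, so both flags read false there.
    $base   = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $admins = Get-ItemProperty "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    $users  = Get-ItemProperty "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AdminsESC = [bool]($admins -and $admins.IsInstalled -eq 1)
        UsersESC  = [bool]($users  -and $users.IsInstalled -eq 1)
    }
}

# Usage: triage first, harden only where the advisory says the risk exists.
# 'intranet.example.gov' is a placeholder for a site that genuinely needs scripting.
$major = Get-IEMajorVersion
$esc   = Test-IEEnhancedSecurityConfiguration
if ($major -le 8 -and -not $esc.UsersESC) {
    Set-IEZoneHardening -ActiveScripting 3
    Add-IETrustedSite -HostName 'intranet.example.gov'
}
Get-IEZoneState | Format-Table -AutoSize
```

Two practical notes. The registry writes take effect the next time IE starts, and they harden only the profile the script runs under; for a fleet, the same settings live under Computer Configuration or User Configuration, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, where they also cannot be undone by the user. And zone hardening is defense in depth, not a fix: it reduces the chance that a compromised site can run the exploit, while the Fix It and the eventual patch address the vulnerability itself.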

Threatpost described “watering hole attacks” as compromising topically related websites that attackers believe are frequently visited by members of a particular organization, so that the victims come to the exploit rather than the other way around.

Microsoft said exploits of this type of vulnerability typically spread through phishing e-mails that try to induce users to click on a link or attachment that takes them to a website hosting the exploit.

Posted by David Hubler on Jan 02, 2013 at 9:39 AM
