Microsoft acts to plug watering hole attack
Microsoft has issued a workaround for a zero-day vulnerability in Internet Explorer that was exploited in an attack on the Council on Foreign Relations’ website, according to ThreatPost.
The vulnerability affects IE 6, 7 and 8 in some configurations (IE 9 and 10 are not affected), which Microsoft is addressing with a Fix-It workaround. A full patch could come with Microsoft's next scheduled Patch Tuesday distribution on Jan. 8, or the company could issue an out-of-band patch.
The vulnerabilities came to light after a nearly month-long watering hole attack against the CFR website that began perhaps as early as Dec. 7. However, “We are only aware of a very small number of targeted attacks at this time,” Microsoft said in releasing the Fix-It.
A Microsoft Security Advisory that defines the vulnerability noted that not all users of IE 6, 7 and 8 could be as risk. For instance, IE on Windows Server 2003, 2008 and 2008 R2 isn’t vulnerable, because those OSes run in a restricted mode known as Enhanced Security Configuration that mitigates the threat. Supported versions of Outlook, Outlook Express, and Windows Mail also open HTML e-mail in the restricted-sites zone, the company said.
Microsoft recommends setting Internet and local intranet security zones on high and adding trusted sites to IE’s trusted-sites zone. Microsoft also recommends administrators configure IE to prompt users before running Active Scripting or disable it altogether, ThreatPost said.
Threatpost described “watering hole attacks” as targeting topically connected websites that attackers believe are frequently visited by members of a particular organization.
Microsoft said exploits of this type of vulnerability typically spread through phishing e-mails that try to induce users to click on a link or attachment that takes them to an infected website.
Posted by David Hubler on Jan 02, 2013 at 9:39 AM