Pulse

By GCN Staff

Crocodile attacks in a watering hole

Microsoft acts to plug watering hole attack

Microsoft has issued a workaround for a zero-day vulnerability in Internet Explorer that was exploited in an attack on the Council on Foreign Relations’ website, according to ThreatPost.

The vulnerability affects IE 6, 7 and 8 in some configurations (IE 9 and 10 are not affected), which Microsoft is addressing with a Fix-It workaround. A full patch could come with Microsoft's next scheduled Patch Tuesday distribution on Jan. 8, or the company could issue an out-of-band patch.

The vulnerabilities came to light after a nearly month-long watering hole attack against the CFR website that began perhaps as early as Dec. 7. However, “We are only aware of a very small number of targeted attacks at this time,” Microsoft said in releasing the Fix-It.

A Microsoft Security Advisory that defines the vulnerability noted that not all users of IE 6, 7 and 8 could be at risk. For instance, IE on Windows Server 2003, 2008 and 2008 R2 isn’t vulnerable, because those OSes run in a restricted mode known as Enhanced Security Configuration that mitigates the threat. Supported versions of Outlook, Outlook Express, and Windows Mail also open HTML e-mail in the restricted-sites zone, the company said.

Microsoft recommends setting Internet and local intranet security zones on high and adding trusted sites to IE’s trusted-sites zone. Microsoft also recommends administrators configure IE to prompt users before running Active Scripting or disable it altogether, ThreatPost said.
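For administrators who want to check and apply the zone hardening described above on a per-user basis, here is an added PowerShell script; it is not from the article or from Microsoft, and it assumes the documented IE zone registry layout under HKCU (zone 1 = Local intranet, zone 3 = Internet, value "1400" = Active Scripting, CurrentLevel 0x12000 = High).

```powershell
# Added example, not from the GCN article or Microsoft's Fix-It. Audits and
# applies the zone hardening the article describes for the current user.
# Assumed registry layout: Zones\1 = Local intranet, Zones\3 = Internet,
# "1400" = Active Scripting (0 enable, 1 prompt, 3 disable), CurrentLevel 0x12000 = High.
$ZoneRoot     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones        = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$HighLevel    = 0x12000   # CurrentLevel value for the "High" template
$ScriptPrompt = 1         # 1400 = 1 means "Prompt" before running Active Scripting

function Get-IEZoneState {
    # Returns one object per zone with its current level, Active Scripting
    # setting, and whether it already matches the recommended configuration.
    foreach ($id in $Zones.Keys) {
        $key   = Join-Path $ZoneRoot $id
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $level = [int]$props.CurrentLevel
        $as    = [int]$props.'1400'
        [pscustomobject]@{
            Zone            = $Zones[$id]
            CurrentLevel    = ('0x{0:X}' -f $level)
            ActiveScripting = switch ($as) { 0 {'Enable'} 1 {'Prompt'} 3 {'Disable'} default {'Unknown'} }
            Compliant       = ($level -eq $HighLevel) -and ($as -ne 0)
        }
    }
}

function Set-IEZoneHardening {
    # Raises both zones to High and sets Active Scripting to Prompt.
    # Note: Group Policy (the Policies\...\Zones keys) overrides these per-user values.
    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $HighLevel    -Type DWord
        Set-ItemProperty -Path $key -Name '1400'         -Value $ScriptPrompt -Type DWord
    }
}

Write-Host 'Before:'; Get-IEZoneState | Format-Table -AutoSize
Set-IEZoneHardening
Write-Host 'After:';  Get-IEZoneState | Format-Table -AutoSize
```

Trusted sites still need to be added to zone 2 (Trusted sites) separately, as the article notes, or users will be prompted on every internal web application.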

Threatpost described “watering hole attacks” as targeting topically connected websites that attackers believe are frequently visited by members of a particular organization.

Microsoft said exploits of this type of vulnerability typically spread through phishing e-mails that try to induce users to click on a link or attachment that takes them to an infected website.

Posted by David Hubler on Jan 02, 2013 at 9:39 AM

