IE Users Targeted In New Zero-Day Exploit

Microsoft is trying to resolve a zero-day exploit that enabled hackers to target Windows users, the company disclosed over the weekend. The loophole only concerns users of IE 6, 7 and 8, and was apparently used to target individuals who visited the Council on Foreign Relations’ website, which harbored the malware.

AlienVault security pro Jaime Blasco says that the malicious code taps into memory that should have been properly freed by IE, and uses it as a beach head to hijack the user’s PC. The malware also leverages Adobe Flash Player, but a second zero-day exploit has not yet been identified by experts.

AlienVault, said Blasco, had begun looking into the “watering hole” attacks stemming from the CFR website at the beginning of the week, and had alerted the Microsoft Security Response Center (MSRC) that it suspected IE harbored a zero-day vulnerability.

In a watering hole campaign, hackers identify their intended targets, even to the individual level, then scout out which websites they frequently visit. Attackers next compromise one or more of those sites, plant malware on them, and like a lion waits at a watering hole for unwary wildebeests, wait for unsuspecting users to surf there.

You can find a more full explanation in this blog post by Microsoft’s Jonathan Ness and Cristian Craioveanu. The piece provide all the technical details as well as a library that offers as temporary until Microsoft rolls out a more complete patch.

SiliconAngle analyst John Cassaretto believes Cybersecurity needs to become a much bigger priority in 2013, especially for the public sectors.  He shared his views on some of the progress that the government has made in this field and offered his predictions for 2013 in one of his most recent appearances on our morning NewsDesk program.  See Cassaretto’s full analysis here.

About Maria Deutscher

Maria Deutscher is a staff writer for SiliconANGLE covering all things enterprise and fresh. Her work takes her from the bowels of the corporate network up to the great free ranges of the open-source ecosystem and back on a daily basis, with the occasional pit stop in the world of end-users. She is especially passionate about cloud computing and data analytics, although she also has a soft spot for stories that diverge from the beaten track to provide a more unique perspective on the complexities of the industry.