Microsoft has issued an out-of-band critical security update for a zero-day vulnerability in Internet Explorer that has been used in a series of targeted attacks against the browser.
The update fixes a remote code execution vulnerability in Internet Explorer that has been exploited in the wild since late December.
"We’ve seen only a limited number of attacks through an issue in Internet Explorer 6-8, but the potential exists that more customers could be affected," Microsoft said in a post on the Microsoft Security Response Center blog announcing the update.
Microsoft published its advisory after reports that attacks exploiting the zero-day flaw had been detected. Researchers at Symantec have tied the ongoing attacks to the Elderwood Project, the group believed to be behind the 2009 Aurora attacks on Google.
Vulnerability management experts are advising enterprises to confirm that the most recent cumulative update for Internet Explorer has been applied before deploying the new patch. Organizations can also upgrade to IE 9 or 10, which are not affected by the flaw, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys: the newer versions' security features and a different rendering engine keep them out of reach of this exploit.
"This is a two-step process for some organizations, because Microsoft likely wanted to speed up this update," Kandek said. "It's recommended to apply the latest cumulative update if you haven’t and then install the patch."
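The two-step deployment described above is easy to get wrong across a large fleet, because a host may be on an unaffected engine (IE 9 or 10), on an affected engine but missing the cumulative update, or missing only the out-of-band fix. The following PowerShell script is an added example, not code from the article, from Qualys or from Microsoft. It assumes that Internet Explorer records its version under `HKLM:\SOFTWARE\Microsoft\Internet Explorer` (in `svcVersion` on IE 10 and later, `Version` on older releases) and that the administrator supplies the KB identifiers of the cumulative update and the emergency fix, which this article does not list; both the registry layout and the `-RequiredKB` parameter are assumptions of the example.

```powershell
# Added example (not from the article, Qualys or Microsoft).
# Assumption: IE version lives at HKLM:\SOFTWARE\Microsoft\Internet Explorer in
# 'svcVersion' (IE 10+) or 'Version' (IE 9 and earlier; IE 10+ leave 'Version'
# frozen at 9.x for compatibility, so svcVersion wins when present).
# Assumption: $RequiredKB holds the KB IDs, in install order, of the cumulative
# update and the out-of-band fix, taken from the Microsoft bulletin.
param(
    [string[]]$RequiredKB = @()   # e.g. 'KBnnnnnnn','KBmmmmmmm' (hypothetical placeholders)
)

function Get-IEMajorVersion {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    # svcVersion is authoritative on IE 10+, where 'Version' no longer tracks the real release
    $raw = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    return [int]($raw.Split('.')[0])
}

function Test-IEPatchState {
    param([string[]]$KB)
    $major          = Get-IEMajorVersion
    # The advisory scopes the flaw to IE 6, 7 and 8; IE 9 and 10 are not affected
    $affectedEngine = ($major -ge 6) -and ($major -le 8)
    $installed      = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Preserve the caller's order so the report lists the cumulative update first
    $missing        = @($KB | Where-Object { $installed -notcontains $_ })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IEMajor        = $major
        AffectedEngine = $affectedEngine
        MissingKB      = $missing
        Action         = if (-not $affectedEngine) { 'Not affected (IE 9+ engine)' }
                         elseif ($missing.Count -gt 0) { 'Apply in order: ' + ($missing -join ', ') }
                         else { 'Patched' }
    }
}

Test-IEPatchState -KB $RequiredKB
```

Run it locally as `.\Check-IEPatch.ps1 -RequiredKB 'KBnnnnnnn','KBmmmmmmm'` with the real identifiers, or fan it out with `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Check-IEPatch.ps1 -ArgumentList ...` and pipe the objects to `Export-Csv` for a fleet-wide report. Listing the cumulative update before the emergency fix in `-RequiredKB` is what makes the `Action` column read as the install order Kandek describes.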
The attackers have mounted watering hole attacks: rather than approaching targets directly, they compromise legitimate websites their targets are known to visit and plant the exploit there, so that the malicious code runs against the vulnerable browser as soon as a target loads the page. People connected to the defense industry and its supply-chain partners have been the group's usual targets; the group is believed to be based in China.
The exploit bypasses both address space layout randomization (ASLR) and data execution prevention (DEP), the two Windows mitigations meant to stop attacker-supplied code from running: DEP marks data pages non-executable, and ASLR randomizes where modules are loaded so an exploit cannot rely on fixed addresses. Defeating both is what turns a memory-corruption bug into reliable code execution.
Microsoft's regular Patch Tuesday release on Jan. 8 did not include a fix for Internet Explorer, because its engineers were still testing the patch.
Kandek and other vulnerability management experts said they had anticipated the emergency update because the exploit had become so widely available: proof-of-concept code was public, and a module targeting the flaw had been added to the Metasploit framework.
PUBLISHED JAN. 14, 2013