Microsoft issued a temporary fix for Internet Explorer 8 following reports that a zero-day vulnerability was exploited in an attack targeting Department of Energy employees.
If the Microsoft "Shim Workaround" temporary patch is applied, it will prevent attackers from successfully exploiting the remote code execution vulnerability in the browser. A successful attack enables a cybercriminal to infect a victim's machine with additional malware and, if it is not detected, the malware could be used to steal account credentials, documents and other data.
"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," Microsoft said in its advisory.
In late April, researchers at Milpitas, Calif.-based security firm FireEye detected a watering-hole-style attack set up on a Department of Labor Web page used by Department of Energy employees. The attack was designed to target the Internet Explorer zero-day vulnerability and check victims' systems for outdated software. Information was uploaded to a remote server where cybercriminals could access the information and upload further commands.
Microsoft said its engineers were still developing and testing a security patch and that it hasn't ruled out an out-of-cycle emergency security update to correct the flaw. The Redmond, Wash., software maker's next regularly scheduled update is May 14.
Researchers at U.K.-based security vendor Sophos said there is evidence that the Department of Labor attack may be more widespread. Server logs that were examined refer to other sites that had been driving traffic to it, said Graham Cluley, a senior technology consultant at Sophos.
"There is circumstantial evidence that the attack may have been used on some other websites as well," Cluley told CRN. "The team hasn't seen [the] exploit used on those sites, but there's evidence that they were somehow connected."
The attack highlights the longstanding difficulty of detecting and fixing website vulnerabilities. Coding errors enable both financially motivated cybercriminals and state-sponsored attackers to set up drive-by attacks or watering-hole campaigns, experts say.
Cluley said the Microsoft temporary patch is helpful but won't likely be installed by a large number of users. Security teams at organizations that could be a target should be on top of the problem and be ensuring the fix is rolled out, Cluley said.
"What we really want is a proper patch, but the good news is that up-to-date antivirus software should be detecting the malware being spread by this method so far," Cluley said. "The bad news is that now that hackers are aware of this issue, it could become more widespread."
PUBLISHED MAY 9, 2013