Microsoft issues out-of-band Internet Explorer patch

Powered by SC Magazine
 

Dangerous bug used in ongoing spy attacks.

Microsoft has distributed an emergency fix for an Internet Explorer (IE) vulnerability that is being used in targeted attacks.

The software giant released a single critical patch for the issue, which affects all supported IE 6, 7 and 8, but not version 9. Microsoft previously issued a temporary workaround.

The flaw became known last month when it was used as part of a watering hole attack against the website for the policy think tank Council on Foreign Relations, the influential membership group that helps shape US foreign policy.

The site was hijacked with malicious JavaScript to serve an Adobe Flash exploit, which in turn triggered a heap-spray attack, according to researchers at security firm FireEye.

The malware was delivered to users whose operating system language was set to English, Chinese, Japanese, Korean or Russian.

Security firm Symantec has linked this exploit and others taking advantage of the IE bug to a string of recent espionage attacks spearheaded by a group of hackers dubbed the "Elderwood Project," possibly based in China.

Microsoft has acknowledged in an advisory that the vulnerability has been used in a limited number of targeted attacks. At least one other organisation, microturbine systems supplier Capstone Turbine Corp., had its website compromised to take advantage of the bug, security researcher Eric Romang said in a blog post.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Microsoft issues out-of-band Internet Explorer patch
 
 
 
Top Stories
NBN Co names first 140 FTTN sites
National trial extended.
 
Cloud, big data propel bank CISOs into the boardroom
And this time, they are welcome.
 
Photos: A tour of CommBank's new innovation lab
Oculus Rift, Kinect and more.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Microsoft Office is now free for some charities
Oct 10, 2014
Microsoft has announced that eligible Australian non-profit organisations and charities can now ...
Vodafone lights up 4G in Adelaide
Oct 9, 2014
Live and work in Adelaide? Vodafone has switched on its 4G network in the city and suburbs.
Next year tradies will be able to take payments using ingogo
Oct 3, 2014
Ingogo is going to provide a card payment service for Xero users.
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  25%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  23%
 
End user computing (desktops, mobiles, apps)
  12%
 
Software development
  27%
TOTAL VOTES: 225

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  63%
 
No
  37%
TOTAL VOTES: 67

Vote