Microsoft gets busy on fix for IE watering hole attack

Jan 01, 2013 by Nancy Owano

(Phys.org)—Microsoft has published a security advisory about a vulnerability in Internet Explorer 6, 7, and 8. "We are only aware of a very small number of targeted attacks at this time," a Microsoft team blog said. The company acknowledged the vulnerability in its Microsoft Security Advisory (2794220) published on Saturday. Reports about the problem pointed to affected users who had visited the Council on Foreign Relations (CFR) website. According to network security company FireEye, "we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21."

CFR is described as a nonpartisan think tank focused on American foreign policy and international affairs. FireEye said the initial JavaScript hosting the exploit served it only to browsers whose OS language was U.S. English, Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

Microsoft described the nature of the vulnerability as a "remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Outside Microsoft, security bloggers are referring to the attack on the CFR website as a "watering hole attack." In this type of activity, the attackers identify specific targets, scout out which sites they frequently visit, and then plant malware on those sites. As Kaspersky Lab's Threatpost similarly explains, it is "where a website frequented by topically connected subjects is infected with malware hoping to snare those site visitors in drive-by attacks."

Symantec finds the watering hole metaphor fitting, as "the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer."

Microsoft has responded with mitigations and workarounds. The company said the IE team is working on a security update, but in the interim it recommended that IE8 customers block the current attacks by disabling JavaScript, which will prevent the vulnerability from being triggered initially, and disabling Flash, which will prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code. Microsoft also said that "disabling the ms-help protocol handler and ensuring that Java6 is not allowed to run will block the ASLR bypass and the associated ROP chain." Microsoft is working on a Fix-It protection tool as well as a security update.

Users of IE9 and 10 are not susceptible to the attacks. "We want to reiterate the IE9 and IE10 are not affected and that we currently see only very targeted attacks," Microsoft stated.
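
As an added example (not from Microsoft, FireEye or the original article), here is one way a defender could find clients still running the affected IE 6, 7 and 8 from web-proxy logs. The log format, addresses and function names are constructed for illustration; the Trident token is checked because IE8 and later report `MSIE 7.0` when running in Compatibility View.

```python
import re
from collections import defaultdict

AFFECTED = {6, 7, 8}  # IE versions the article reports as vulnerable
# Trident engine token -> real IE major version (survives Compatibility View)
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10}

MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
# Assumed (constructed) proxy log layout: <client-ip> <host> "<user-agent>"
LINE_RE = re.compile(r'(\S+) \S+ "([^"]*)"')


def ie_major(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    msie = MSIE_RE.search(user_agent)
    if not msie or "Opera" in user_agent:  # old Opera also sent an MSIE token
        return None
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]  # trust the engine over MSIE
    return int(msie.group(1))  # IE6/IE7 send no Trident token


def exposed_clients(log_lines):
    """Map client IP -> sorted list of affected IE versions seen from it."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        version = ie_major(m.group(2))
        if version in AFFECTED:
            seen[m.group(1)].add(version)
    return {ip: sorted(versions) for ip, versions in seen.items()}


# Constructed sample log lines, not taken from any real incident.
SAMPLE_LOG = [
    '10.0.0.11 example.org "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.12 example.org "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '10.0.0.13 example.org "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"',
    '10.0.0.14 example.org "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.15 example.org "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.16 example.org "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
]

if __name__ == "__main__":
    for ip, versions in sorted(exposed_clients(SAMPLE_LOG).items()):
        print(ip, "affected IE", versions)
```

The User-Agent header is client-supplied, so treat the result as a starting inventory to confirm against software asset data rather than as proof of exposure.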

More information: technet.microsoft.com/en-us/se… ity/advisory/2794220

User comments : 9

BSD
2.5 / 5 (8) Jan 01, 2013
I just love MS attacks, they always provide morbid entertainment value among FreeBSD users. You're always wondering what's next. :P
ValeriaT
2.3 / 5 (6) Jan 01, 2013
..? FreeBSD? For what? No users, no money, no viruses.
BSD
2.5 / 5 (8) Jan 01, 2013
Microsoft may even produce an operating system one day if they try hard enough. Windows has always been and will always be DOS with a cartoon for a front end.
IronhorseA
1 / 5 (2) Jan 01, 2013
Microsoft may even produce an operating system one day if they try hard enough. Windows has always been and will always be DOS with a cartoon for a front end.

They did, and IBM had to take it back and fix it. ;P
ValeriaT
2.8 / 5 (6) Jan 01, 2013
Until the Linux was desktop system only, nobody did take care of it and the number of its viruses was low. When it did become the basis of Android system, then the number of its viruses raised steadily and the Open Source platform doesn't help against it at all. This may serve as an evidence, the number of viruses actually depends on the number of users, not quality of operating system. Simply because every protection can be compromised (as RIAA and similar agencies know very well).
BSD
2.3 / 5 (6) Jan 01, 2013
You can fix Windows by running as an application within a Linux or BSD environment. It actually improves Windows' performance.
bhiestand
not rated yet Jan 02, 2013
Until the Linux was desktop system only, nobody did take care of it and the number of its viruses was low...the number of viruses actually depends on the number of users, not quality of operating system. Simply because every protection can be compromised (as RIAA and similar agencies know very well).

For starters, your link... let's just say the author of that blog post doesn't know the difference between a virus, worm, trojan, or water buffalo. People who repeatedly misuse jargon rarely know enough to be writing on a subject.

Quality matters. Operating systems can be extraordinarily insecure (e.g. Win 9x) or much more difficult to infect (e.g. debian selinux good configuration). IE 5-8 were rife with security holes and easily targeted. I suspect they are still in widespread use in .gov systems

To me, the interesting part is that they used CFR and a zeroday? CFR has a great readership. Ask a dozen political staffers in DC or Beijing and you'll find a subscriber.
omatwankr
1 / 5 (1) Jan 02, 2013
How would a secure OS be of benefit to μ-$oft, it would keep them and the Government out of your system as well.
BSD
1 / 5 (3) Jan 04, 2013
Windows 8.....
MY GOD!!!! IT'S FULL OF HOLES!!!!!
