January 1, 2013 report
Microsoft gets busy on fix for IE watering hole attack
(Phys.org)—Microsoft has published a security advisory about a vulnerability in Internet Explorer 6, 7, and 8. "We are only aware of a very small number of targeted attacks at this time," a Microsoft team blog said. The company acknowledged the vulnerability in its Microsoft Security Advisory (2794220) published on Saturday. Reports about the problem pointed to affected users who had visited the Council of Foreign Relations (CFR) website. According to network security company FireEye, "we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21."
Microsoft described the nature of the vulnerability as a "remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."
Outside Microsoft, security bloggers are referring to the attack on the CFR website as a "watering hole attack." In this type of activity, the attackers identify specific targets and scout out which sites they frequently visit. Attackers then plant malware on them. As Kaspersky Lab's Threatpost similarly explains, it is "where a website frequented by topically connected subjects is infected with malware hoping to snare those site visitors in drive-by attacks."
Symantec views the metaphor of a watering hole fitting, as "the attack is similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him. Similarly, attackers find a Web site that caters to a particular audience, which includes the target the attackers are interested in. Having identified this website, the attackers hack into it using a variety of means. The attackers then inject an exploit onto public pages of the website that they hope will be visited by their ultimate target. Any visitor susceptible to the exploit is compromised and a back door Trojan is installed onto their computer."
Users of IE9 and 10 are not susceptible to the attacks. "We want to reiterate the IE9 and IE10 are not affected and that we currently see only very targeted attacks," Microsoft stated.
© 2013 Phys.org