Microsoft Patches 'Watering Hole' Browser Flaw Used by Online Spies
Sorry, spies: The watering hole is closed.
Microsoft today (Jan. 14) issued an out-of-band update to patch a critical vulnerability in Internet Explorer versions 6 through 8.
The flaw let online spies, possibly from China, launch "watering hole" attacks from compromised websites of special interest in order to infect the computers of select individuals.
One such attack in mid-December leveraged the website of the Council on Foreign Relations to target the New York-based think tank's members, who include former presidents and secretaries of state.
Others involved infecting websites run by mainland Chinese dissidents, by businesses in Hong Kong and Taiwan, by a Russian scientific group and by an American maker of wind turbines.
Chinese state-sponsored hackers are known for using such tactics to steal information from Western governments, companies and organizations, and from overseas Chinese groups.
"The out-of-band IE bulletin should come as no surprise," Andrew Storms, director of security operations for San Francisco-based nCircle, said in a statement.
"Microsoft issued an advance notification this weekend announcing their intention to go out-of-band with a single CVE [Common Vulnerabilities and Exposures identifier] to address the zero-day bug currently being exploited in the wild."
Microsoft normally issues security updates on the second Tuesday of every month, but January's "Patch Tuesday" came and went without a fix for this flaw.
The company on New Year's Eve had issued a "FixIt," or temporary workaround, that mitigated the problem until a true patch was ready.
Users of Windows Vista and Windows 7 could sidestep the problem by upgrading to Internet Explorer 9 (or, on Windows 7, Internet Explorer 10), neither of which is affected; Windows 8 ships with Internet Explorer 10 and was never exposed. But users of Windows XP, which cannot run anything newer than Internet Explorer 8, were at risk until now.
"While the impact has been limited, for increased protection, customers should apply the update as soon as possible if they do not have automatic updates enabled," Dustin Childs, group manager at Microsoft Trustworthy Computing, said in a statement.
Security experts recommend that users keep Windows Update set to download and install patches automatically. For those who choose to patch manually, information on the update is available on Microsoft's TechNet website.
It was the second major security update affecting Windows PCs worldwide in less than 24 hours.
Late yesterday (Jan. 13), Oracle patched a critical security flaw in the Java browser plug-in that left users of most desktop Web browsers, including those on Macs and Linux machines, at risk of infection by criminal malware designed to encrypt files for ransom or clean out online bank accounts.
"Some people moan and complain about the volume of IE patches, but in my book regular browser patches are a good thing," Storms said. "Browsers are the primary window to the Internet for almost everyone, so they are constantly under attack by cybercriminals."