Microsoft Issues Emergency 'Fix-It' for Browser Flaw
Microsoft has issued a "Fix it," or temporary workaround, for Internet Explorer 8 that lessens a previously unknown software or "zero day" flaw used to spy on U.S. atomic researchers.
The "Fix it" partly patches the security flaw that hackers, possibly working for a foreign government, used in a "watering hole" attack, one that corrupts a website of interest to a specific group of people.
Malware exploiting the flaw was embedded in a Department of Labor Web page concerning healthcare provisions for federal employees working at nuclear-research facilities.
That guaranteed that targeted employees using IE 8 would become infected with the "Poison Ivy" Trojan, which opens a "backdoor" that lets in other malware.
In a blog posting, Microsoft said it was working "around-the-clock" on a more comprehensive security update, but advised all eligible IE 8 users to install the Fix it in the meantime.
It's unlikely that the permanent fix will be part of next week's scheduled Patch Tuesday round of Microsoft updates.
On Sophos' Naked Security blog, reporter Paul Ducklin noted that although the Fix it makes it harder for hackers to leverage an attack, the solution isn't perfect and could potentially be finessed to execute a remote code exploit that could infect victims via drive-by download.
Furthermore, the Fix it only works on 32-bit versions of IE8 that have incorporated April's Patch Tuesday updates.
Since the flaw affects only Internet Explorer 8, users of Windows Vista, 7 or 8 can alternatively upgrade to IE 9 or 10. Windows XP users using IE 8 can switch to using non-Microsoft browsers, such as Google Chrome or Mozilla Firefox.
The bug has also been used to target European workers in the defense, aerospace and security industries. Computer-security firm AlienVault noted that the ongoing campaign is similar to a Chinese state-sponsored cyberespionage effort known as "DeepPanda."