Temporary fix out for Department of Labor website IE8 zero-day

Microsoft is still working on a permanent fix for the IE8 zero-day found in the Dept. of Labor website attack. Also: Adobe preps ColdFusion patch.

Microsoft has released a "Fix it" that temporarily addresses a high-profile IE8 zero-day vulnerability, according to a blog post by the Redmond, Wash.-based vendor.

The software giant said the update to Security Advisory 2847140 aims to prevent all known exploits that take advantage of the vulnerability. All Internet Explorer 8 (IE8) users are encouraged to apply the fix, which does not require a reboot. Users of IE versions 6, 7, 9 and 10 are not affected by this vulnerability. Microsoft reiterated that it is working on a permanent security update to repair the flaw, while keeping watch for related exploits.

Originally discovered by Milpitas, Calif.-based vendor FireEye Inc., the IE8 zero-day was found to have been used in watering-hole attacks aimed at the U.S. Department of Labor's Site Exposure Matrices website, which provides data on toxic substances present at facilities run by the Department of Energy.

The vulnerability was used to redirect visitors to a website that included a downloadable exploit that installed the Poison Ivy remote administration toolkit. AlienVault Labs, which initially discovered the Labor Dept. website compromise, has speculated that the command-and-control infrastructure used in the attacks is the same one that security vendor CrowdStrike had previously linked to Deep Panda, a cyber-espionage group believed to be based in China.

Separately, Adobe Systems Inc. is currently preparing a patch for a critical vulnerability that was found in its ColdFusion Web application development platform.

The vulnerability, CVE-2013-3336, affects versions 9 and 10 of ColdFusion and could allow an unauthorized user to remotely retrieve files that have been stored on an affected ColdFusion server. Adobe reported there is a publically available exploit that takes advantage of the vulnerability.

Enterprises that are running a vulnerable version of ColdFusion can expect the patch to arrive on May 14. Until then, Adobe has advised customers affected by the vulnerability to follow the security best practices issued in ColdFusion 9 Lockdown Guide and the ColdFusion 10 Lockdown Guide.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close