Microsoft has released a "Fix it" that temporarily addresses a high-profile IE8 zero-day vulnerability, according...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
to a blog post by the Redmond, Wash.-based vendor.
The software giant said the update to Security Advisory 2847140 aims to prevent all known exploits that take advantage of the vulnerability. All Internet Explorer 8 (IE8) users are encouraged to apply the fix, which does not require a reboot. Users of IE versions 6, 7, 9 and 10 are not affected by this vulnerability. Microsoft reiterated that it is working on a permanent security update to repair the flaw, while keeping watch for related exploits.
Originally discovered by Milpitas, Calif.-based vendor FireEye Inc., the IE8 zero-day was found to have been used in watering-hole attacks aimed at the U.S. Department of Labor's Site Exposure Matrices website, which provides data on toxic substances present at facilities run by the Department of Energy.
The vulnerability was used to redirect visitors to a website that included a downloadable exploit that installed the Poison Ivy remote administration toolkit. AlienVault Labs, which initially discovered the Labor Dept. website compromise, has speculated that the command-and-control infrastructure used in the attacks is the same one that security vendor CrowdStrike had previously linked to Deep Panda, a cyber-espionage group believed to be based in China.
Separately, Adobe Systems Inc. is currently preparing a patch for a critical vulnerability that was found in its ColdFusion Web application development platform.
The vulnerability, CVE-2013-3336, affects versions 9 and 10 of ColdFusion and could allow an unauthorized user to remotely retrieve files that have been stored on an affected ColdFusion server. Adobe reported there is a publically available exploit that takes advantage of the vulnerability.
Enterprises that are running a vulnerable version of ColdFusion can expect the patch to arrive on May 14. Until then, Adobe has advised customers affected by the vulnerability to follow the security best practices issued in ColdFusion 9 Lockdown Guide and the ColdFusion 10 Lockdown Guide.