Microsoft patches critical IE 0-day used in watering hole attacks
Posted on 14 January 2013.
Microsoft has released an out-of-band patch for the Internet Explorer 0-day recently discovered to have been misused in a series of targeted watering hole attacks linked to the Elderwood gang.

The critical "CDwnBindInfo" use-after-free remote code execution vulnerability is present in Internet Explorer versions 6,7, and 8, and users of these are advised to update them as quickly as possible if they haven't got automatic updates enabled. Users of Windows Vista can also upgrade to IE 9 or 10, which are not impacted by the issue.

The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.

The bug, first spotted being misused to target visitors of the website of the Council on Foreign Relations, a think tank specializing in U.S. foreign policy and international affairs, has since been detected being used in attacks that compromised a number of other websites, including Chinese human rights sites and the site of Capstone Turbine Corp.

Microsoft has previously released a Fix It tool to temporarily protect users, but security firm Exodus Intelligence claimed it was flawed because it did not prevent all the paths an attacker can take to trigger or exploit the vulnerability.

They shared their findings and a working exploit with Microsoft, and refrained from publishing it until the vulnerability is patched.

Users who have applied the Fix It are advised to uninstall it once they apply the security update.






Spotlight

eBook: Cybersecurity for Dummies

Posted on 16 December 2014.  |  APTs have changed the world of enterprise security and how networks and organizations are attacked. These threats, and the cybercriminals behind them, are experts at remaining hidden from traditional security while exhibiting an intelligence, resiliency, and patience that has never been seen before.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Thu, Dec 18th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //