ID: IRCNE2013051835
Date: 2013-05-05
According to "computerworld", Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser. According to multiple security firms, the vulnerability has been used in active exploits.
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem.
No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
The watering hole attacks were first reported on Wednesday, when Fairfax, Va.-based Invincea and others said cyber criminals were exploiting an IE8 vulnerability Microsoft had patched in January. On Friday, however, Invincea retracted that, saying that the bug was an unknown vulnerability not yet patched by Microsoft.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
A zero-day vulnerability in IE8 raised the stakes for all users of that browser, said Mitchell of Invincea, not only government workers who had been targeted. He recommended that users switch to an alternate browser, such as Google's Chrome or Mozilla's Firefox, until Microsoft delivers a patch.
Meanwhile, Microsoft urged users of Vista and Windows 7 to upgrade from IE8 to IE9 and IE10, respectively.
Customers can also deploy the Enhanced Mitigation Experience Toolkit (EMET), to lock down IE8, making exploits more difficult for hackers. EMET 3.0 or the beta of EMET 4.0 can be downloaded from Microsoft's website.
- 3