Microsoft rushes out IE fix for watering hole exploit

Microsoft has rushed out a fix for a zero-day flaw in some versions of its Internet Explorer (IE) browser, which attackers were using to deploy malware via compromised websites.

The flaw in IE8 and earlier versions allowed attackers to install malware when users visited infected web pages.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft warned in its security advisory note. 

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

According to security firm FireEye, attackers compromised US think tank the Council on Foreign Relations' website as early as 21 December.

Darien Kindlund, a security researcher at FireEye, said the choice of targets looks to have been carefully calculated.

“We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability,” he wrote on the company blog.

Kindlund added that the JavaScript hosting the exploit had some interesting features, which were used to tailor the attack. These include scanning the users' browser and only delivering the payload to users that had their operating system language set to either English (US), Chinese (China), Chinese (Taiwan), Japanese, Korean, or Russian.

This gave the attack the hallmarks of a so-called watering hole attack, when the cyber crooks look to target specific groups of people – in this case, those with an interest in US foreign policy.

Microsoft is continuing to investigate the attack.

Last year, Microsoft suffered a similar problem, with a bunch of crooks, dubbed the Nitro Gang, also using previously unknown flaws in older versions of Internet Explorer to deliver their own targeted malware.