CFR gets hit with new IE Zero-DaySubmitted by adam1mc on Thu, 01/03/2013 - 15:36
Attackers cheated two widely respected Microsoft security features to wage targeted attacks via a previously unknown flaw in Internet Explorer.
Microsoft says the vulnerability resides in IE6, IE7, and IE8 only, and that attacks were waged via IE8. After first issuing an alert on the bug over the weekend, Microsoft then released a temporary workaround that prevents the exploitation of the bug. The software giant is currently working on a patch for the flaw.
Security researchers point to cyberespionage attackers possibly out of China as the culprits in the attacks, which targeted the websites of U.S.-based Council on Foreign Policy, as well as Capstone Turbine Corp. But a new Metasploit module using the bug makes attacks more likely against multiple targets, they say.
"At this point, we are aware of two sites, [and] CFR is one of them. I cannot disclose the other one. It is likely we will see more sites getting infected in the coming hours and days," says Ziv Mador, director of security research at Trustwave. Mador says he can't confirm whether the attack came out of China, but describes it as a "sophisticated" attack that employed "memory-spraying" to work around Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) features aimed at preventing exploitation.