Microsoft issues temporary fix for Internet Explorer zero-day vulnerability
Microsoft on Monday released a “Fix it” solution for an Internet Explorer zero-day vulnerability it acknowledged over the weekend. The flaw, currently being exploited in targeted attacks, only affects Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8.
According to a post on the company’s Security Research & Defense blog, the Fix it solution is meant to “reduce the attack surface of this vulnerability.” In other words, it is a temporary fix that will eventually be replaced by a proper security update when such an update is available.
“In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability,” Microsoft warned in a security advisory. “In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
One such website is Cfr.org, which belongs to Washington-based foreign policy think tank Council on Foreign Relations (CFR). Last week, FireEye confirmed that CFR’s website had been compromised and was hosting malware designed to exploit this Internet Explorer vulnerability.
“On December 27, we received reports that the Council on Foreign Relations (CFR) website was compromised and hosting malicious content on or around 2:00 PM EST on Wednesday, December 26,” FireEye wrote in a blog post Friday.
“Through our Malware Protection Cloud, we can confirm that the website was compromised at that time, but we can also confirm that the CFR website was also hosting the malicious content as early as Friday, December 21—right before a major U.S. holiday.”
No comments:
Post a Comment