On Friday, May 3rd, Microsoft released Security Advisory 2847140 regarding a new flaw in Internet Explorer that was used in a targeted attack against Department of Energy employees and involved a compromised website hosted by the Department of Labor.
The flaw in question allows a malicious individual to execute a program on a user's computer when the user visits a website designed to exploit this flaw. The attacker is able to run programs with the same rights as the logged-in user. The majority of user accounts for residential customers are Administrator accounts, which would allow the attacker to essentially do as they please with complete control over the computer.
Earlier, on May 1st, AlienVault Labs identified a website run by the Department of Labor, called the Site Exposure Matrix Website, that was redirecting users to a malicious server. This server exploited the flaw in Internet Explorer and proceeded to install malicious programs on the computers of visitors to the DoL SEM website. The DoL SEM website was one “which was designed to organize, display, and communicate information on the toxic substances found at those sites and possible health effects associated with exposure to those substances.”
Currently Microsoft is evaluating the flaw and developing a patch. It is unclear if the patch will be included in an upcoming Security Bulletin or if the severity of this issue will warrant an out-of-cycle update.
While Microsoft does provide some information on possible mitigation steps to reduce a user's exposure to most flaws, Rapid7 has advised that there is not a foolproof mitigation technique.
For more details, please see the links provided in this blog post as well as this article from Network World.
This flaw only impacts Internet Explorer 8 and does not affect versions 6, 7, 9, or 10. Users of Windows Vista and 7 are highly encouraged to upgrade to at least Internet Explorer 9. Windows 8 comes pre-loaded with Internet Explorer 10. Windows XP users are encouraged to use an alternative browser such as Mozilla Firefox or Google Chrome.
Additionally, users are encouraged to set up a second user account on their computers for day-to-day activities, one that is a Standard or Limited user account and not an Administrator account. Administrator accounts should be used infrequently and only when necessary to perform system-specific functions.
If you have questions or concerns regarding this issue, feel free to contact us.
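To check a Windows computer against the two recommendations above, the following PowerShell script reports the installed Internet Explorer major version and whether the current session runs with Administrator rights. It is an added example, not part of the original post or of Microsoft's advisory; the function names are hypothetical, and it assumes the standard Internet Explorer registry key, where the `Version` and `svcVersion` values record the installed version.

```powershell
# Added example: hypothetical helper names, run in a normal (non-elevated) session.

function Get-IEMajorVersion {
    param([string]$Version, [string]$SvcVersion)
    # IE 10 and later store the real version in svcVersion and leave
    # Version at 9.x, so svcVersion takes priority when it is present.
    $effective = if ($SvcVersion) { $SvcVersion } else { $Version }
    if (-not $effective) { return $null }
    return [int]($effective.Split('.')[0])
}

function Test-CurrentTokenIsAdmin {
    # True when the current session's token carries Administrator rights.
    # On Vista/7 with UAC, a non-elevated session of an Administrator
    # account reports False here, because its token is filtered.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IE8ExposureReport {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $ie  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $major   = Get-IEMajorVersion -Version $ie.Version -SvcVersion $ie.svcVersion
    $isAdmin = Test-CurrentTokenIsAdmin

    # The post states that only Internet Explorer 8 is affected.
    $affected = ($major -eq 8)

    New-Object PSObject -Property @{
        IEMajorVersion      = $major
        AffectedIEVersion   = $affected
        RunningAsAdmin      = $isAdmin
        # Highest concern: affected browser used from an Administrator session.
        AffectedAndAdmin    = ($affected -and $isAdmin)
    }
}

Get-IE8ExposureReport | Format-List
```

A result of `AffectedIEVersion : True` means the browser should be upgraded or replaced as described above; `RunningAsAdmin : True` means the session used for everyday browsing has Administrator rights.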