Microsoft has released an emergency update to patch a security vulnerability in Internet Explorer that is being exploited in attacks aimed at government contractors and other targeted organizations.
The patch fixes a “use after free” bug in versions 6, 7, and 8 of the Microsoft browser and will be automatically installed on affected machines that have automatic updating enabled. The unscheduled release comes just six days after Microsoft’s most recent monthly Patch Tuesday batch of security updates, but it was pushed out to counter an experienced gang of hackers who have infected websites frequented by government contractors to exploit the vulnerability.
Monday’s update came hours after Oracle released an unscheduled patch to fix a critical vulnerability in its Java software framework. As reported last week, the zero-day Java exploits were added to a variety of exploit kits that criminals use to turn compromised websites into platforms for silently installing keyloggers and other malware on the machines of unsuspecting visitors.
The attacks exploiting the IE vulnerability, by contrast, targeted a much narrower set of people, researchers said. Such campaigns have come to be dubbed “watering hole” attacks, because they’re akin to hunters who hide out at ponds or other sources of water and wait for their prey as they quench their thirst.
Versions 9 and 10 of IE, which are more resistant to security attacks in general, aren’t vulnerable to the exploit. If possible, readers should install one of those versions.
Microsoft previously issued a “Fixit” tool to mitigate the effects of an attack. People who have applied the temporary fix do not need to uninstall it before installing the permanent patch. Still, Microsoft suggests users uninstall the Fixit once the patch is in place. The patch is not a cumulative batch of previous IE fixes, so users still must apply MS01-077 to be protected against vulnerabilities Microsoft patched last week. The company’s advisory is here.
Shared via ars technica