A "watering hole" attack on pages within the U.S. Department of Labor website exploited a "zero-day" vulnerability in Internet Explorer 8 to deliver malware to visitors, according to reports.
On Friday, Microsoft issued a security advisory about an unpatched vulnerability in Internet Explorer 8. Other versions of the browser are unaffected, Microsoft said.
“Microsoft is investigating public reports of a vulnerability in Internet Explorer 8. Microsoft is aware of attacks that attempt to exploit this vulnerability,” the company said in a statement.
“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
It had previously been thought that the attack used a known, patched vulnerability. But reports have since claimed that a new vulnerability was targeted in the attack, according to SC Magazine’s Dan Kaplan. A malicious script on the Department of Labor pages directed visitors using IE8 to another site, which served up the Poison Ivy Trojan.
The Department of Labor said in a statement, “On May 1, 2013, the Department of Labor (DOL) confirmed that an externally-hosted Division of Energy Employees Compensation (DEEOIC) website related to the public Site Exposure Matrix (SEM) appeared to be compromised. The website was immediately taken offline and the department began working with appropriate internal and external authorities to investigate and to mitigate any potential impacts. The website will remain offline until DoL completes its initial investigation. At this time, there is no evidence of compromise to or loss of DoL information.”
David Harley, Senior Research Fellow at ESET said, "For many years security commentators have advocated prompt patching of known vulnerabilities where practical. Leaving aside the issues of sound change control, testing and keeping critical systems updated without taking them offline, that remains an essential strategy."
"However, the vulnerability research community has fragmented in recent years. Information sharing has become more susceptible to commercial issues and the pursuit of competitive advantage. As a result, there are at least three groups of vulnerability: vulnerabilities that are known to the security industry but may not yet have been patched; vulnerabilities that are known but not widely shared for commercial reasons; vulnerabilities that are not yet known outside the groups exploiting them or intending to exploit them under the radar. So the advice 'keep your operating systems and applications patched' remains essentially sound, but offers no more guarantee of protection than keeping your antivirus updated. These precautions raise the level of your protection, but there are no 100% solutions for maintaining 100% security."