Sunday, November 24, 2013

Microsoft Patches Vulnerability Attackers Used to Target IE Users

This topic is very interesting to me.

http://www.securityweek.com/microsoft-patches-vulnerability-attackers-used-target-ie-users


Microsoft swatted a recently-discovered, zero-day bug being used in a watering hole attack as part of this month's Patch Tuesday update.

The flaw, CVE-2013-3918, is a remote code execution vulnerability in the InformationCardSigninHelper ActiveX component used by Internet Explorer. The issue was already set to be fixed in MS13-090 before FireEye discovered it, explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

According to Microsoft, the attack in the wild is targeting IE 7 and IE 8 on Windows XP. The exploit being used by the attackers actually combines two distinct vulnerabilities. In addition to the remote code execution bug, there is also an information disclosure vulnerability used as well to improve the reliability of the exploit and to create ROP (return-oriented programming) payloads specifically targeted for the victim's machine.  
