
With critical 0-day exploits circulating, Microsoft and Adobe report fixes

IE 8 users: your Fix it is ready; ColdFusion admins: put system in lock down now.


Microsoft has released a temporary update that fixes the critical vulnerability in Internet Explorer 8 that was recently exploited to target federal government workers involved in nuclear weapons research and in the aerospace, defense, and security industries. Adobe Systems, meanwhile, warned of a critical vulnerability in its ColdFusion server platform.

The first solution is a Fix it designed to protect Windows XP users and other Microsoft customers who are unable to upgrade to a later version of the browser. It's intended to be a stop-gap measure until the release of a comprehensive update, which Microsoft engineers are actively testing now.

The Fix it addresses a code-execution vulnerability that attackers exploited to surreptitiously install malware on the computers of government workers. The exploits—which don't work against IE versions 6, 7, 9, and 10—were triggered when people visited pages on the US Department of Labor website that had been compromised. The specific webpages, which dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy, redirected visitors to a series of intermediary addresses that ultimately exploited the vulnerability. At least nine other sites were similarly booby-trapped. Compromised computers were infected by the notorious backdoor trojan known as "Poison Ivy."

Microsoft announced the availability of the Fix it on Wednesday evening, within about an hour of Adobe notifying website operators of a critical vulnerability in ColdFusion, a server platform with a large installed base in the government sector. Adobe's advisory cited unspecified reports that exploit code for the vulnerability is publicly available.

At time of writing, it was unclear if the ColdFusion vulnerability had anything to do with the website compromises used to spread the IE attack. Last month, evidence surfaced that Web hosting provider Linode suffered a security breach after an earlier ColdFusion bug was exploited.

Adobe expects to release an update on Tuesday. In the meantime, ColdFusion users should restrict public access to the CFIDE/administrator, CFIDE/adminapi, and CFIDE/gettingstarted directories by following instructions in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.

Microsoft's temporary fix doesn't require computers to be restarted and is easy to apply. Those who install it should remove it before applying a permanent patch, once that becomes available. Microsoft officials didn't say when the permanent update would be available, but it wouldn't be surprising if it came in time for the company's next scheduled patch release this Tuesday.

For readers curious about browser vulnerability, Microsoft provided the following details:

The vulnerability is exposed due to a page layout issue, triggered when Internet Explorer 8 is trying to calculate layout information for nodes no longer in the DOM tree. The issue is caused by layout structures that are not properly cleaned up and contain dangling pointers to page elements. When the layout is updated, the browser crashes due to accessing the freed memory. The code that cleans up the dead links already exists, but it runs after the layout structures are accessed. The solution is to move the cleanup logic before the layout structure access.

The appcompat shim-based "Fix it" protection tool does the exact same thing as the fix provided by the Internet Explorer team. This is still a workaround, but more surgical as compared to other workarounds because it blocks the root cause of the vulnerability. The shim modifies in memory the mshtml!CBlockContainerBlock::BuildBlockContainer function in order to force the code flow change that results in the layout structures being properly cleaned up before access.
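To make the ordering bug Microsoft describes concrete, here is a constructed toy model in C (added for this article; it is not IE's code and not part of the Microsoft statement). Layout entries cache pointers to page elements, the existing cleanup routine nulls entries for removed elements, and the only difference between the vulnerable and fixed paths is whether that cleanup runs before or after the layout access. The "freed" flag and the poison width stand in for allocator state so the dangling read is observable deterministically.

```c
#include <stddef.h>
/* Constructed toy model of the bug class in the Microsoft description above; not IE's code.
 * An Element is a page element; "freed" is simulated allocator state so the bug shows deterministically. */
typedef struct { int width; int freed; } Element;
/* A layout structure caching a pointer to its element: a dangling pointer once the element is gone. */
typedef struct { Element *elem; } LayoutEntry;   /* elem is NULL once cleaned up */

/* Removing an element from the DOM tree releases it, but its layout entry still points at it. */
static void remove_from_dom(Element *e) {
    e->freed = 1;
    e->width = -1;   /* poison: stands in for whatever the freed memory holds later */
}

/* The cleanup that already exists: drop layout entries whose element is no longer live. */
static void cleanup_dead_links(LayoutEntry *entries, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (entries[i].elem && entries[i].elem->freed)
            entries[i].elem = NULL;
}

/* Layout pass: sums widths, and counts every read of a freed element (a use-after-free). */
static int access_layout(LayoutEntry *entries, size_t n, int *uaf_count) {
    int total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!entries[i].elem) continue;
        if (entries[i].elem->freed) (*uaf_count)++;
        total += entries[i].elem->width;
    }
    return total;
}

/* fixed == 0: vulnerable order (access, then cleanup); fixed != 0: cleanup moved before access. */
static int update_layout(LayoutEntry *entries, size_t n, int fixed, int *uaf_count) {
    if (fixed) cleanup_dead_links(entries, n);
    int total = access_layout(entries, n, uaf_count);
    if (!fixed) cleanup_dead_links(entries, n);
    return total;
}

/* Scenario: three elements, the middle one removed from the DOM, then one layout update.
 * Returns the computed total width; *uaf_count receives the number of dangling reads. */
int scenario(int fixed, int *uaf_count) {
    Element elems[3] = {{10, 0}, {20, 0}, {30, 0}};
    LayoutEntry entries[3] = {{&elems[0]}, {&elems[1]}, {&elems[2]}};
    *uaf_count = 0;
    remove_from_dom(&elems[1]);
    return update_layout(entries, 3, fixed, uaf_count);
}
/* Convenience: how many dangling reads the scenario performs for a given ordering. */
int scenario_uaf_count(int fixed) { int c = 0; scenario(fixed, &c); return c; }
```

In the vulnerable order the layout pass reads the poisoned width of the removed element (one dangling access, total 39); with the cleanup moved first it skips that entry (no dangling access, total 40).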

A summary for everyone else: If at all possible, readers should upgrade to IE 9 or 10 or use a different browser altogether. Those who absolutely must continue using version 8 should install this temporary fix immediately. If you administer a site that uses ColdFusion, be sure to lock down your systems until a patch is released next week.
