With critical 0-day exploits circulating, Microsoft and Adobe report fixes

Microsoft has released a temporary update that fixes the critical vulnerability in Internet Explorer 8 that was recently exploited to target federal government workers involved in nuclear weapons research and in the aerospace, defense, and security industries. Adobe Systems, meanwhile, warned of a critical vulnerability in its ColdFusion server platform.

The first solution is a Fix it designed to protect Windows XP users and other Microsoft customers who are unable to upgrade to a later version of the browser. It's intended to be a stop-gap measure until the release of a comprehensive update, which Microsoft engineers are actively testing now.

The Fix it addresses a code-execution vulnerability that attackers exploited to surreptitiously install malware on the computers of government workers. The exploits—which don't work against IE versions 6, 7, 9, and 10—were triggered when people visited pages on the US Department of Labor website that had been compromised. The specific webpages, which dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy, redirected visitors to a series of intermediary addresses that ultimately exploited the vulnerability. At least nine other sites were similarly booby-trapped. Compromised computers were infected by the notorious backdoor trojan known as "Poison Ivy."

Read 6 remaining paragraphs | Comments