IE8 zero-day flaw targets U.S. nuke researchers; all versions of Windows affected

IE8 zero-day flaw targets U.S. nuke researchers; all versions of Windows affected

Summary: Security researchers have discovered a previously unreported zero-day attack that targets U.S. government nuclear weapons scientists and researchers. Microsoft has warned Internet Explorer 8 users to upgrade to a later version of the browser, as the potentially affects at most one-quarter of all IE users.


Attackers have exploited a previously unknown vulnerability in Internet Explorer 8, which targets U.S. government workers involved in nuclear weapons research.

According to multiple security research firms, the vulnerability has been used to launch specifically-targeted "watering hole" attacks aimed at U.S. government workers — such as those at the U.S. Department of Labor and the U.S. Department of Energy — the latter which focuses on nuclear weapons research and testing.

The website's code was injected with code that points visitors to an malicious server, which in turn servers up the Poison Ivy Trojan. (Image: AlienVault)

The specific site that was hacked, the Dept. of Energy's Site Exposure Matrices (SEM) website, deals with "nuclear-related illnesses" linked to Dept. of Energy facilities of employees who may have fallen ill developing or disarming nuclear weapons, according to NextGov.

It's not clear whether any data was stolen or if classified documents were at risk.

Read this

Internet Explorer, Windows XP rank highly at work, but BYOD threatens mutiny

Internet Explorer, Windows XP rank highly at work, but BYOD threatens mutiny

Bring your own device to work? According to Forrester research, that's mixing up the browser market space, despite Internet Explorer keeping its top-dog status. Meanwhile, Windows XP still ranks highly at work despite one year left until support gets cut off.

Invincea reported on Friday that the Dept. of Labor website was compromised by attackers to direct visitors to a malware-ridden site, which executed a "drive-by download exploit" to install the Poison Ivy Trojan. The malware is linked to "DeepPanda" hackers, which are thought to be based in mainland China.

It is thought that Chinese hackers may be behind the recent exploit following similar attacks in 2012, which in turn prompted Microsoft to issue an emergency out-of-band update in mid-January.

Meanwhile, FireEye also confirmed that the exploit checks for users running Windows XP machines, but confirmed that "it could also work against IE8 on Windows 7" machines.

According to recent market share statistics from Net Applications, Microsoft holds more than half of the overall browser market at 55 percent. Out of this, 23 percent are Internet Explorer 8 users.

In a security advisory issued on Friday, Microsoft said it was "investigating" reports and was "aware of attacks" that attempt to exploit a vulnerability, confirming it as a "remote code execution vulnerability."

Following the disclosure by the security firms, Microsoft confirmed on Friday that the zero-day vulnerability exists in Internet Explorer 8, its most popular browser. All versions of Windows XP and above are affected, including Windows Server 2003, 2008 and R2.

Microsoft noted that IE6 users on Windows XP, IE7, IE9, and IE10 users on Windows 8 and Surface tablets, are not affected by the security flaw.

It's not thought that the general population is at risk of attacks, considering the narrow scope of the attacks. Invincea's Eddie Mitchell noted in a blog post:

[T]he web pages that were compromised on the DoL site are intended for Dept of Energy employees (and their DoL representatives) in dealing with nuclear-related illnesses linked to Dept of Energy facilities and the toxicity levels at each location.

Microsoft's advise is to update the browser. But if users and enterprises are unable to due to applications that require the browser, users should lock down their browser security settings to mitigate data loss or system breaches.

  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones

  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone

  • Add sites that you trust to the Internet Explorer Trusted sites zone to minimize prompt disruption

The software giant gave no timeline for a fix. Given that an advanced notification of Patch Tuesday security vulnerabilities is due on May 7, with the release of such patches the following week on May 14, users may either expect a release as part of May's security fixes, or later the following month. 

Failing that, Microsoft may issue an "out-of-cycle" security update; a likely option considering the severity of the vulnerability and the nature of the targeted attacks.

Topics: Security, Browser, Malware, Privacy

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Wait....

    I read about this yesterday and it said only IE8 on windows XP was vulnerable. So how now you claim all versions are affected. Also your 9th and 10th paragraphs contradict themselves.

    If you're developing military nuclear bomb research I would think you would have a higher sense of securing and locking down your browser or upgrade to the latest proven release.
    • Yeah I don't want anyone who hasn't updated since IE8

      working on anything nuclear.
      Johnny Vegas
      • Unfortunately,

        The US Government takes its sweet time when migrating operating systems. It took FEMA - which isn't anywhere near as security-intensive as DOD and DOE - until last year to finally upgrade to Windows 7, and those machines are still running MSIE 8 as the primary browser.
    • And...

      Windows 8 came with IE 10, so it can't be affected, if IE8 is the vector...

      Sorry Zack, but lazy reporting for a glorified headline.
      • So,

        In your mind all corporations immediately upgrade to the latest/greatest versions of Microsoft products? My company is still in the midst of a Windows 7 upgrade, which should be finishing up in Q4 this year. Our upper management has no interest in upgrading to Windows 8 - they don't see the advantage for the money spent; what they see is a huge amount of training.

        Plus, look at the numbers; IE 8 is the most popular version of IE in use.
        • No

          The headline says "all versions of Windows affected," yet only those versions capable of running IE 8 are actually affected.
    • It is kind of funny

      I thought the same thing. We can work on highly sensitive research with a old security ridden browser and operating system. Hey, but America is strong! Just another slogan I guess.
    • Just because you've completed your doctorate ....

      Just because you've completed your doctorate, doesn't mean you know jacksh*t about securing the PC against attack.

      You're making the same stupid assumption that someone with DR in their name/title is a 'medicine man' or knows how to stitch up a wound.. etc..

      The real take away from the article should be focused on mitigation and on *not* using one of the worst browsers out there.. Internet Explorer ... and why its the worst? closed development and lack of add-ons for the avg joe.

      Spell Check on IE? Adblock on IE? Stylish & User Styles on IE? all some form of bolt on after market crap that you either pay for or have to go to extra lengths to add to microsoft's product.
  • All version of Windows! Shocker! But not all versions of Internet Explorer

    a fact conveniently left out by Zack Whittaker in the quest for ad-revenue generating clicks
    • Or maybe you just can't read?

      You seem to have missed this paragraph in your haste to shoot the messenger:

      "Microsoft noted that IE6 users on Windows XP, IE7, IE9, and IE10 users on Windows 8 and Surface tablets, are not affected by the security flaw."
      • When you read the paragraph

        you have already rewarded the sensationalist headline (and nuclear graphics spin) with ad-impression.

        I was complaining that the title was misleading and sensationalist. Click-wh*ring.
        • Maybe you shouldn't comment on an article you haven't read?

          After all, you must already have clicked on the article in order to comment anyway. So maybe next time you could boycott the article completely? Wouldn't that be a better way of not "rewarding" a sensationalist headline?

          Come to think of it, I'm not convinced you read even the article's *title* properly either, because the title clearly says "IE8".
    • Probably being served up by all those compromised Apache servers.
      • wih CPanel

        you gotta read the article better. It says that it might have been a CPanel problem, not Apache. BTW, CPanel is a proprietary pos for those can't learn proper administration.
        • And what server does CPanel provide admin interface for?


          Why? Because Apache doesn't have anything to enable remote web-based administration.

          The problem is being conflated by the stupid Unix security model where a single user account must be used for privileged operations which cannot be delegated. If Unix (and Linux) had used a proper discretionary security model with actual delegatable privileges, the authors of CPanel wouldn't need to use root and risk compromising the entire system.

          But as it is, Unix/Linux administrative utilities frequently *do* need to run as root because even the most simple configuration changes require you to run as the all-powerful root user.
          • @honeymoster

            Why do one need a web-based administration? What wrong with a shell and editors?
            This is not the only problem with CPanel. There is not too much trust to the developers of proprietary software unfortunately . When you install it with CPanel it is not done from the repository. That is why a few people commented about no way to check the sums of the installed files. Proprietary developers rarely do this, while deb and rpm package format mandates it.

            As for the Unix "stupid" security model and no delegation.. wow what about sudo which is what is actually missing in the Windows "smart" security model... I mean after the 15 years when MS had finally learned about the word "security".
            I think that no one have ever refuted the KISS principle, not even MS. So might be taking "stupid" from there. This is fine then.
            Yes, you do have to run a few admin apps (some are even GUI) as su or sudo. Even on a desktop there are password-management systems, like pinentry. You can configure the timeout values there. In GNU Emacs there is mode called TRAMP, you can connect through ssh,fish,scp,rsync, sudo and su "out of home". Passwords are also timed-out and you don't run as root or whatever at all times.
          • You're assuming CPanel is the problem.

            This has not been proven to be the case. At least not at the time I read about the issue.
        • Oh I've read the articles.

          Doesn't change anything. Try again?
  • Heres another thought...

    If this malicious website is specifically for these DOL and DOE folks, we as citizens would think that these people have a little bit more intelligence to them then my wife's grandmother using the internet, so these attacks would be pointless. Working in IT for 13 years, I have yet to run into a malware, spyware or a phishing attack that the USER did not allow and just randomly cause their machine to get weird (with the exception of conflicker, XP pre-service packs) so here's the plan and this should help everyone not get attacked...don't just hit yes, yes when a prompt comes up. Actually look at what's being executed and if you recognize it, let it run. If it randomly popped up, said you have 500 million viruses and its not your anti-virus/anti-malware solution, close that box immediately and if it trys to keep you, close it and get out of it. If you have Java installed and don't need it for specifics, uninstall it. JavaScript does not need Java to run. Its native. If its an email from someone you don't recognize, don't open the damn thing. Easy security.
    • Someone else who cannot read.

      The article explicitly says:

      "Invincea reported on Friday that the Dept. of Labor website was compromised by attackers to direct visitors to a malware-ridden site, which executed a "drive-by download exploit" to install the Poison Ivy Trojan."

      A "drive-by" exploit is one where *no* user interaction is required.