A zero-day vulnerability in Internet Explorer 8 let hackers compromise a U.S. Department of Labor website linked to a database used by former Energy Department employees who had worked with nuclear weapons or uranium. That database was also used by Labor Department claims examiners.
Security firm Invincea, which reported the attack, has advanced the possibility that the hackers were compromising one U.S. government department in order to attack another.
Internet Explorer 8 is still the most-used version of Microsoft's web browser family, according to data from Net Applications. Late Friday, Microsoft posted word that it had discovered an exploit in the browser but noted the issue does not appear to affect any other versions.
Microsoft today said it will ship nine security updates next week, two rated "critical," to patch Internet Explorer (IE), Windows, SharePoint Server, Office Web Apps and the company's anti-malware software in Windows 8 and RT.
One security expert put his money on the IE update as the most important of the pending updates, in part because he expects Microsoft to fix the flaws revealed a month ago at the Pwn2Own hacking contest.
Internet Explorer vulnerabilities warrant notice in this month's set of Microsoft Patch Tuesday bulletins and need to be fixed quickly even though the sheer number of patches may seem daunting.
The weaknesses leave users open to drive-by attacks where malicious code is downloaded without the user's knowledge while browsing. Not patching them because they are time-consuming will just widen the window of opportunity hackers have to exploit them, says Alex Horan, a senior product manager at CORE Security.
The results from the annual Pwn2Own hacking contest are in, and the score is as follows: hackers one, software zero.