Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser.
According to multiple security firms, the vulnerability has been used in active exploits, including "watering hole"-style attacks against the U.S. Department of Labor and U.S. Department of Energy, targeting workers at the latter agency involved in nuclear weapons research.
On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem.
No timetable for a fix was provided. The next scheduled security update from Microsoft will ship Tuesday, May 14.
The watering hole attacks were first reported on Wednesday, when Fairfax, Va.-based Invincea and others said cyber criminals were exploiting an IE8 vulnerability Microsoft had patched in January. On Friday, however, Invincea retracted that, saying that the bug was an unknown vulnerability not yet patched by Microsoft.
"The exploit on the [Department of Labor] site appears to be exploiting a zero-day exploit affecting Internet Explorer 8 (IE8) only, [via a] use-after-free memory vulnerability that when exploited allows an attacker to remotely execute arbitrary code," said Eddie Mitchell, a security engineer at Invincea, in a Friday blog post.
Invincea came to its conclusion after reproducing the attack on a Windows XP PC running a fully-patched copy of IE8, one that included the fix Microsoft issued nearly three months ago for CVE-2012-4792, the Common Vulnerabilities and Exposure database identifier for the flaw originally thought to be involved.
Also on Friday, FireEye claimed much the same, saying that it had also verified that IE8 on Windows 7 is vulnerable.
IE8 is the most widely-used of Microsoft's five supported browsers -- IE6 through IE10 -- accounting for an estimated 41% of all the Redmond, Wash. developer's browsers that went online in April.
Microsoft confirmed that all versions of IE8, including copies running on XP, Vista and Windows 7, are at risk.
When the news broke earlier in the week of the watering hole attacks -- so named because attack code is placed on websites frequented by the targeted users -- Invincea and other security companies said they were designed to infect government PCs with the Poison Ivy remote administration tool, or RAT.
Poison Ivy is a well-known piece of malware often used by information thieves to siphon confidential documents and other files from corporate and government networks.
Security companies pointed fingers at Chinese hackers, saying that the latest were similar to past attacks that had targeted the Council on Foreign Relations (CFR) and Chinese dissidents in 2012. The attacks designed to infect users who visited the CFR website late last year prompted Microsoft to issue an "out-of-band," or emergency, IE update on Jan. 14.
Sign up for CIO Asia eNewsletters.