The Council on Foreign Relations website was infected around Dec. 21 with malicious code that exploited a previously unknown, or zero-day, flaw in older versions of Internet Explorer, setting up a drive-by download infection for anyone who visited the site with a vulnerable version of IE.
"The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," Microsoft said in a security advisory posted Saturday. "The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
Microsoft is working on a fix, but in the meantime recommends that Windows users who cannot upgrade to a newer version of Internet Explorer set their Internet and local intranet security-zone settings to "High," configure IE to prompt before running Active Scripting and install the free Enhanced Mitigation Experience Toolkit (EMET). [Update: Microsoft has posted a "Fix it," a script that temporarily mitigates the problem while the company continues to work on a full patch.]
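The interim workarounds above are normally applied by hand in Internet Options, but an administrator protecting more than one machine will want to script them. The following is an added example, not code from the article or from Microsoft; it assumes the standard Internet Explorer zone registry layout under the current user (zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting with 0 = Enable, 1 = Prompt, 3 = Disable, and CurrentLevel 0x12000 = the "High" template). Installing EMET requires a download and is left to the reader.

```powershell
# Added example (not from the article or Microsoft): report the installed IE
# version and apply the advisory's interim workarounds for the current user.
# Assumed registry layout: HKCU\...\Internet Settings\Zones\<id>, where
#   zone 1 = Local intranet, zone 3 = Internet,
#   value "1400" = Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable),
#   value "CurrentLevel" = template shown in the UI (0x12000 = High).

$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# 1. Show which IE build is installed so it can be checked against the
#    advisory's list of affected versions. "Version" is the historical value;
#    "svcVersion" is present on newer builds and may be empty on old ones.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
Write-Host ("Internet Explorer version: {0} (svcVersion: {1})" -f $ie.Version, $ie.svcVersion)

# 2. Prompt before running Active Scripting in the Internet and intranet zones.
#    Note: CurrentLevel only labels the zone as "High" in the Internet Options
#    dialog; IE enforces the individual action values (such as 1400), not the
#    label. To get every setting of the High template, apply it from the UI.
foreach ($id in $zones.Keys) {
    $path = Join-Path $base $id
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }

    Set-ItemProperty -Path $path -Name '1400'         -Type DWord -Value 1
    Set-ItemProperty -Path $path -Name 'CurrentLevel' -Type DWord -Value 0x12000

    Write-Host ("{0} zone: Active Scripting = Prompt, level label = High" -f $zones[$id])
}

# 3. Read the values back so the change can be verified (or audited remotely).
foreach ($id in $zones.Keys) {
    $v = Get-ItemProperty -Path (Join-Path $base $id)
    [pscustomobject]@{
        Zone            = $zones[$id]
        ActiveScripting = $v.'1400'
        CurrentLevel    = ('0x{0:X}' -f [int]$v.CurrentLevel)
    }
}
```

Run this as the user whose browser profile should be hardened; the zone settings live under HKEY_CURRENT_USER, so a machine-wide rollout would instead set the same values through Group Policy or under each user's hive. Prompting rather than disabling Active Scripting keeps most sites usable while making a silent drive-by impossible.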
FireEye, a Milpitas, Calif.-based information-security company, confirmed the CFR website was hosting malicious code in the form of a rigged Adobe Flash file.
In its blog posting, FireEye noted that the exploit code only fired for browsers whose language was set to English, Russian, Chinese, Korean or Japanese, and that some of the internal code was written in simplified Chinese characters, the script used on the Chinese mainland.
Chinese state-sponsored hackers have been suspected in dozens of major information-stealing network attacks on Western governments, corporations and organizations over the past half decade.
Such attacks are often politely termed "advanced persistent threats," and while most of the evidence points to China, few of the suspicions have been proven.