Microsoft has confirmed the existence of a zero-day code-execution exploit for Internet Explorer 8 that's currently being used in a series of watering-hole attacks.
The watering-hole attacks, a technique directed at a specific population of Internet users, target American government employees and contractors who work in the nuclear research sector, as well as Europeans who work in the defense, security and aerospace industries and non-profit groups.
The choice of targets is an indication that the attackers may be collecting sensitive military information on behalf of a nation-state.
The vulnerability affects machines running IE 8 on Windows XP, Windows Vista and Windows 7. Other versions of Internet Explorer, including the older IE 6 and IE 7, are not affected, a Microsoft security advisory states. The exploit is mitigated on Windows Server 2003 and 2008.
To mitigate their risk, users of IE 8 should upgrade to Internet Explorer 9 or 10 if they are running Windows Vista or a later version of Windows. Windows XP users should switch to a non-Microsoft browser until the security hole is patched.
American victims became infected last week after visiting a U.S. Department of Labor website that attackers had corrupted.