Microsoft Warns Of Critical IE Flaw Used In Google Attack
The Microsoft security advisory follows swiftly after security company McAfee issued a security alert warning users that malware used in an attack on Google exploited a newly discovered vulnerability in Microsoft Internet Explorer.
Altogether, the critical flaw affects almost all of Microsoft's IE releases, including IE 6, IE 7 and IE 8. However, thus far security researchers have only seen the attacks on Google exploiting IE 6, according to the Microsoft advisory.
"Based on our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," Microsoft said in a blog post Thursday.
Researchers said that the hackers gained access to the Google network via a targeted attack, meaning that the perpetrators deliberately homed in on specific victims with specially crafted e-mails that appeared to have originated from a trusted source.
"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file," McAfee said in its advisory.
During the attack, a hacker could feasibly lure victims into viewing a maliciously crafted Web site, typically through some social engineering scheme delivered via e-mail that compels users to click on an embedded infected link. An attacker could also inject an existing legitimate Web site with malicious code, which would in turn infect visitors' PCs with malware.
The malware could then infiltrate users' computers, steal information and record keystrokes.
Specifically, the IE security flaw is an invalid pointer reference within the browser: in certain situations, the invalid pointer can still be accessed after an object is deleted, Microsoft said. Attackers can subsequently exploit the error to achieve remote code execution through IE. Microsoft researchers warned users that they have thus far seen "only targeted and limited attacks" exploiting the flaw, but "have not seen attacks against other affected versions of Internet Explorer." Microsoft said that it will continue to monitor the threat and will release a fix either in a monthly update cycle or as an out-of-band patch.
However, one of those "limited attacks" happened to be against search engine giant Google. And security researchers warn that it will likely be only a matter of time before users see the attack spread more widely to other vectors as the malware infects more computers and more victims fall for the social engineering schemes.
"While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios," McAfee said. "So there very well may be other attack vectors that are not known to us at this time."
Until a patch can be created and released, Microsoft advised users to keep Windows 7 and Vista on the most secure "protected mode" setting and to enable Data Execution Prevention (DEP), which is designed to reduce the risk of online attacks. Microsoft also suggested that users set Internet and local intranet security zone settings to "high," which would issue prompts before running any ActiveX controls and Active Scripting; configure IE to issue security prompts before running Active Scripting; or disable Active Scripting altogether on the Internet.
"It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture," Microsoft said.