A patch is coming, Microsoft promises

Jan 15, 2010 13:44 GMT  ·  By

Microsoft has acknowledged that a Critical zero-day vulnerability in Internet Explorer was one of the vectors leveraged in the recent attacks against Google from China. The Mountain View-based search giant has reacted extremely strong in the aftermath of Chinese-based hacking attempts directed at its Gmail infrastructure and targeting the email accounts of human rights activists, by announcing that it would no longer censor results in Google.cn and considering even pulling out of China altogether. However, a host of additional U.S. companies were also attacked, including Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical.

While confirming that a security hole in Internet Explorer was at the base of the exploits, Microsoft noted that it was working on providing a patch as fast as possible. For the time being however, the Redmond company has published a security advisory designed to allow customers to fend for themselves against similar targeted and sophisticated attacks as the ones Google faced, until a security update will be provided.

“Microsoft continues to work with Google, other industry partners and authorities to actively investigate this issue. To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6,” revealed Mike Reavey, director, Microsoft Security Response Center.

According to information provided by the Redmond company, the following releases of IE are potentially vulnerable to attacks: Internet Explorer 6 SP1 on Windows 2000 SP4, and IE6, IE7 and IE8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

“To exploit, an attacker could host a specially crafted Web site, or take advantage of a compromised website, and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these malicious Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message, that directs users to the attacker's Web site. It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems,” Reavey explained.

Microsoft Security Advisory (979352) is a critical resource for companies and customers that might think they could be at risk. In this regard, under the Suggested Actions section, the Redmond company has documented a few workarounds, including: Seting Internet and Local intranet security zone settings to "High" to prompt before running ActiveX Controls and Active Scripting in these zones; Configuring Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone; and enabling DEP for Internet Explorer 6 Service Pack 2 or Internet Explorer 7.