Hackers attack Google using Microsoft security hole

Microsoft continues to investigate the first zero-day exploit of 2010 surrounding Internet Explorer.

The company issued a security advisory encompassing various IE versions on Thursday. According to the advisory, IE has a vulnerability that can enable remote code execution attacks. The flaw stems from an "invalid pointer reference" in the Web browser.

Most versions of IE have the vulnerability. IE 6 Service Pack 1 on Microsoft Windows 2000 SP4 has the bug. Moreover, the flaw exists in IE 6, IE 7 and IE 8 on supported editions of Windows XP, Vista and Windows 7, plus Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

Antivirus software company McAfee claimed discovery of the bug earlier in the week. McAfee described the hacking operation as "operation aurora," claiming that hackers were attempting to use the IE vulnerability and social engineering techniques to steal intellectual property from Google and other companies.

Google disclosed that it was attacked on Tuesday. On Thursday, Microsoft's security team confirmed that the hackers had used the flaw in IE to try to steal information from Google and other companies.

"Based on our investigations into these attacks, as well as the investigations of others, we recently became aware that a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies," wrote Mike Reavey, Microsoft's director of security response, in a blog post.

The name "aurora" was apparently the file-path handle hackers used for their invalid pointer reference attack, according to McAfee's blog. The attack appears to require the diversion of a user to a malicious Web page, perhaps through an e-mail link. It can be triggered via a Web page's banner ad or hypertext link, according to McAfee. The idea is for users to download and run executable malware that may help attackers access a network.

"It's hard to imagine a cyber breach with bigger ramifications than this one unless it involved some infrastructure capacity," said Andrew Storms, director of security at nCircle. "The scope and the targeting of this breach should grab not just the IT manager's attention but every CEO's attention."

Microsoft said in its advisory that it was aware of limited but "active attacks attempting to use this vulnerability against Internet Explorer 6." Attacks against other IE versions have not been seen so far, according to Microsoft. Nevertheless, the company plans to "continue to monitor the threat environment and update this advisory if this situation changes."

More such attacks may be seen throughout this year.

"I think we're going to see these types of attacks again and again in 2010, and since this has potential ties to the well-publicized attacks reported earlier in the week to Google, it's imperative that businesses take quick action to protect themselves," said Michael Sutton, vice president of security research at Zscaler.

Microsoft suggested that configuring IE's Internet zone security setting to "high" will protect users from the vulnerability mentioned in this latest advisory. Adjusting the zone setting in IE will serve as a workaround until Microsoft comes up with another monthly patch or specific hotfix.
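An administrator can confirm that the workaround is in effect by reading the Internet zone level from the registry. The PowerShell below is an added example, not code from Microsoft's advisory or from this article; it assumes the standard Internet Settings registry locations (zone 3 is the Internet zone, and a `CurrentLevel` of 0x12000 is the "High" template), and the function name `Get-InternetZoneLevel` is hypothetical.

```powershell
# Added example: report the effective IE Internet zone security level.
# Assumption: policy keys take precedence over per-user settings, and
# Security_HKLM_only = 1 makes IE ignore the per-user (HKCU) zone settings.
$LevelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'
}

function Get-InternetZoneLevel {
    $settings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $policies = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Machine-only mode: zone settings are read from HKLM for every user.
    $flag = Get-ItemProperty -Path "HKLM:\$policies" -Name Security_HKLM_only `
                -ErrorAction SilentlyContinue
    $machineOnly = ($null -ne $flag) -and ($flag.Security_HKLM_only -eq 1)

    if ($machineOnly) {
        $candidates = "HKLM:\$policies\Zones\3", "HKLM:\$settings\Zones\3"
    } else {
        $candidates = "HKLM:\$policies\Zones\3", "HKCU:\$policies\Zones\3",
                      "HKCU:\$settings\Zones\3"
    }

    foreach ($path in $candidates) {
        $item = Get-ItemProperty -Path $path -Name CurrentLevel `
                    -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent, try the next one

        $level = [int]$item.CurrentLevel
        $name  = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] }
                 else { 'Custom or unknown' }
        return [pscustomobject]@{
            Source       = $path
            CurrentLevel = '0x{0:X}' -f $level
            LevelName    = $name
            IsHigh       = ($level -eq 0x12000)
        }
    }
    # No CurrentLevel anywhere: the zone level could not be determined.
    return [pscustomobject]@{
        Source = $null; CurrentLevel = $null
        LevelName = 'Not configured'; IsHigh = $false
    }
}

Get-InternetZoneLevel | Format-List
```

A result with `IsHigh` set to `False` means the account running the script is not covered by the workaround; the check has to be run per user unless the level is enforced through a machine policy key.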

About the Author

Jabulani Leffall is a journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
