A critical zero-day flaw in Internet Explorer was exploited as part of the attack on Google and other companies, according to both Microsoft and McAfee.
The flaw allows for a Web-based attack against IE 6 SP 1 on Windows 2000, along with IE 7 and 8 on XP, Server 2003, Vista, Server 2008, Windows 7 and Windows Server 2008 R2. According to Microsoft’s security advisory, the company has only seen active attacks against IE 6 so far.
Those attacks were part of the campaign against Google, Adobe and other major companies that sought to break into the Gmail accounts of Chinese human rights activists. In response, Google has threatened to stop censoring search results on its Google.cn site, or to shut it down entirely.
The invalid pointer reference flaw allows for remote code execution, according to Microsoft, which means that viewing a malicious Web site could allow an attacker to execute any command on a vulnerable computer. Typically that would mean installing a Trojan or other malicious software. The flaw could also be exploited through a banner ad. According to the bulletin, IE’s Protected Mode on Vista and later versions of Windows mitigates the threat.
Setting IE’s Internet zone security to high will protect against the threat, according to Microsoft, as would, of course, using an alternate Web browser. Redmond says it may release an out-of-band patch for this threat, outside of the normal monthly patch cycle.
Also, while antivirus maker McAfee warns that "there very well may be other attack vectors that are not known to us at this time," the company says that its investigations into the attacks "have not shown a vulnerability in Adobe Reader being a factor in these attacks." According to McAfee’s analysis, the malware that exploited the IE flaw opens a back door on victim PCs, allowing the attackers to take complete control.
A McAfee discovery of a previously unknown security hole affecting IE 6, 7 and 8 prompted the warning from Redmond.