Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

Summary:Microsoft's inability to fix a troublesome browser vulnerability that dates back to 2004 has come back to haunt users of its flagship Internet Explorer browser.

Microsoft's inability to fix a troublesome browser vulnerability that dates back to 2004 has come back to haunt users of its flagship Internet Explorer browser.

The vulnerability, which affects all supported editions of Microsoft Windows, is currently being used to launch "politically motivated attacks" against human rights activists, most likely in China.   Microsoft described these as "limited, targeted attacks" and Google says it is seeing attacks against users of a popular (unnamed) social site.

Here is a warning from Google's security team:

follow Ryan Naraine on twitter

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services.

Separately, Google security researcher Michal Zalewski produced a timeline that shows that Microsoft has been aware of this IE security problem since at least 2007.

Based on this 2007 advisory, it appears that a variant of this issue first appeared in 2004, and has been independently re-discovered several times in that timeframe. In 2006, the vendor reportedly acknowledged the behavior as "by design"; but in 2007, partial mitigations against the attack were rolled out as a part of MS07-034 (CVE-2007-2225). Unfortunately, these mitigations did not extend to a slightly modified attack published in the January 2011 post to the full-disclosure@ mailing list.

In the absence of a patch, it's important that IE users apply this Fix-It workaround from Microsoft.

Microsoft is also recommending that IE users:

  • Enable the MHTML protocol lockdown.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

Instructions for applying these workarounds can be found in Microsoft's advisory.

Topics: Browser, Microsoft, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.