'State-sponsored attackers' using IE zero-day to hijack GMail accounts

Summary: Microsoft's advisory speaks of "active attacks" and follows a separate note from Google that references the IE flaw "being actively exploited in the wild for targeted attacks."

Microsoft and Google have separately warned about a new Internet Explorer zero-day being exploited to break into GMail accounts.

The browser flaw, which is currently unpatched, exposes Windows users to remote code execution attacks with little or no user action (drive-by downloads if an IE user simply surfs to a rigged site).

Microsoft's advisory speaks of "active attacks" and follows a separate note from Google that references the IE flaw "being actively exploited in the wild for targeted attacks."

A source close to these investigations confirms that these attacks prompted Google's recent decision to warn GMail users about "state-sponsored attackers."

On Twitter (see image), several users have publicly reported seeing the message atop their GMail inboxes.

Microsoft's explanation of the issue:

The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

In the absence of a patch, the company has shipped a "Fix-It" tool that blocks the attack vector for this vulnerability. See Microsoft Knowledge Base Article 2719615 for instructions on applying the automated tool.

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

Internet Explorer users can also configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone. These mitigations can be found in the "Suggested Actions" of Microsoft's pre-patch advisory.
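The Active Scripting mitigation described above can be audited and applied per user from PowerShell. This is an added example, not code from the article or from Microsoft's advisory; it assumes the standard IE zone registry layout (zone 1 = Local intranet, zone 3 = Internet, action 1400 = Active Scripting with 0 = enable, 1 = prompt, 3 = disable), and the `-Set` parameter is a name chosen for this example.

```powershell
# Added example: audit (and optionally set) the Active Scripting action for the
# Local intranet and Internet zones. Run without arguments to audit only.
param(
    [ValidateSet('Prompt', 'Disable')]
    [string]$Set    # hypothetical parameter name for this example
)

$ActionId = '1400'                                   # Active Scripting
$Names    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Values   = @{ Prompt = 1; Disable = 3 }
$Zones    = @(
    @{ Id = 1; Name = 'Local intranet' },
    @{ Id = 3; Name = 'Internet' }
)
$Suffix   = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Stores   = [ordered]@{
    'HKLM policy'     = "HKLM:\Software\Policies\$Suffix"
    'HKCU policy'     = "HKCU:\Software\Policies\$Suffix"
    'HKCU preference' = "HKCU:\Software\$Suffix"
}

# Return the DWORD stored for the action in one zone, or $null if absent.
function Get-ZoneAction([string]$Root, [int]$ZoneId) {
    $item = Get-ItemProperty -Path "$Root\$ZoneId" -Name $ActionId -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ActionId
}

foreach ($zone in $Zones) {
    $policySet = $false
    foreach ($store in $Stores.GetEnumerator()) {
        $v = Get-ZoneAction $store.Value $zone.Id
        $label = if ($null -eq $v) { 'not set' }
                 elseif ($Names.ContainsKey([int]$v)) { $Names[[int]$v] }
                 else { "raw value $v" }
        '{0,-15} {1,-16} {2}' -f $zone.Name, $store.Key, $label
        if ($store.Key -like '*policy' -and $null -ne $v) { $policySet = $true }
    }
    if ($Set) {
        if ($policySet) {
            # A Group Policy value, when present, overrides the per-user preference.
            Write-Warning "$($zone.Name): a policy value exists; change it in Group Policy instead."
        }
        $path = "$($Stores['HKCU preference'])\$($zone.Id)"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $ActionId -Value $Values[$Set] -Type DWord
    }
}
```

Any zone that still reports "Enable" or "not set" after a run has not had the mitigation applied for that user.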

Internet Explorer users should keep in mind that this vulnerability is different from another under-attack issue fixed yesterday with the MS12-037 bulletin.

Topics: Security


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
