'State-sponsored attackers' using IE zero-day to hijack GMail accounts

Summary: Microsoft's advisory speaks of "active attacks" and follows a separate note from Google that references the IE flaw "being actively exploited in the wild for targeted attacks."

Microsoft and Google have separately warned about a new Internet Explorer zero-day being exploited to break into GMail accounts.

The browser flaw, which is currently unpatched, exposes Windows users to remote code execution attacks that require little or no user action (a drive-by download if an IE user simply browses to a rigged site).

Microsoft's advisory speaks of "active attacks" and follows a separate note from Google that references the IE flaw "being actively exploited in the wild for targeted attacks."

A source close to these investigations confirms that these attacks prompted Google's recent decision to warn GMail users about "state-sponsored attackers."

On Twitter (see image), several users have publicly reported seeing the message atop their GMail inboxes.

Microsoft's explanation of the issue:

The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

The vulnerability exists when MSXML attempts to access an object in memory that has not been initialized, which may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the logged-on user.

In the absence of a patch, the company has shipped a "Fix-It" tool that blocks the attack vector for this vulnerability. See Microsoft Knowledge Base Article 2719615 for instructions on applying the automated tool.

Microsoft also recommends that Windows users deploy the Enhanced Mitigation Experience Toolkit (EMET), which helps prevent vulnerabilities in software from successfully being exploited.

Users can also configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting altogether, in the Internet and Local intranet security zones. These mitigations are listed under "Suggested Actions" in Microsoft's pre-patch advisory.
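The zone-based workaround above is a per-zone Internet Explorer setting that an administrator can audit and apply from the command line rather than through the Internet Options dialog. The following PowerShell script is an added example written for this page; it is not Microsoft's Fix-It tool and not part of the advisory. It assumes the standard registry layout for IE security zones, where the DWORD named "1400" under each zone key controls Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable), zone 1 is Local intranet and zone 3 is Internet. By default it only reports the current state; `-Mode Prompt` or `-Mode Disable` changes it, and `-WhatIf` previews the change.

```powershell
# Added example (not from the article, the advisory or Microsoft's Fix-It):
# audit and optionally harden the Active Scripting setting for the Internet
# (zone 3) and Local intranet (zone 1) zones for the current user.
# Assumed registry layout: per-zone DWORD "1400" (URLACTION_SCRIPT_RUN),
# 0 = Enable, 1 = Prompt, 3 = Disable.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # 'Prompt' matches the advisory's first suggestion, 'Disable' the second.
    [ValidateSet('Audit', 'Prompt', 'Disable')]
    [string]$Mode = 'Audit'
)

$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$labels   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target   = @{ Prompt = 1; Disable = 3 }

foreach ($id in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $zoneRoot ([string]$id)

    # Read the current Active Scripting action; a missing value means the
    # zone is using its built-in default (Enable for both of these zones).
    $current = (Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue).'1400'
    if ($null -eq $current) {
        $label = 'not set (zone default)'
    } elseif ($labels.ContainsKey([int]$current)) {
        $label = $labels[[int]$current]
    } else {
        $label = "unknown value $current"
    }
    Write-Output ('{0,-15} (zone {1}): Active Scripting = {2}' -f $zones[$id], $id, $label)

    # Only write when a hardening mode was requested; ShouldProcess honours -WhatIf.
    if ($Mode -ne 'Audit' -and $PSCmdlet.ShouldProcess("$key\1400", "set Active Scripting to $Mode")) {
        Set-ItemProperty -Path $key -Name '1400' -Value $target[$Mode] -Type DWord
        Write-Output ('  -> set to {0}' -f $Mode)
    }
}
```

Run it as `.\ie-active-scripting.ps1` to audit, or `.\ie-active-scripting.ps1 -Mode Prompt -WhatIf` to see what would change. On domain-joined machines where zone settings are enforced by Group Policy, the effective value may live under HKLM or be overwritten at the next policy refresh, so check the policy source before relying on a per-user change. Note that this only addresses the Active Scripting workaround the article mentions; it does not replace the Fix-It for the MSXML vector itself.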

Internet Explorer users should keep in mind that this vulnerability is different from another under-attack issue fixed yesterday with the MS12-037 bulletin.

Talkback

85 comments
  • So we can't blame Adobe or Java this time?

    Shucks.
    HypnoToad72
    • why not blame yourself

      for clicking the link and visiting this specially crafted web-page.
      pupkin_z
      • Because your favorite site can also be hacked to serve malware.

        Even the US Treasury has been guilty of this:
        h-t-t-p : // www.computerworld.com /s/article/9176278/US_Treasury_Web_sites_hacked_serving_malware

        So it's not as simple as never visiting a site called (e.g.) www.malware.evil.
        Zogg
      • Zogg: that can't be true

        DeRSSS swears that as long as we avoid going to any "weird" (his word, not mine) sites then we are safe. Oops, I forgot, that only applies to OS X. The rules are different when it comes to Windows. Flashback didn't matter because only people who navigated to "weird" sites were affected. This counts though, presumably because OS X malware can't be hosted by "normal" sites but Windows malware can.
        toddbottom3
      • Yes, compromised servers matter

        Compromised servers are an important part of the malware ecosystem. The US Treasury websites that were compromised in 2010 were outsourced to a web provider, and running Apache/Unix. Either an attacker used a zero day exploit or the web service provider used by the US Treasury failed to keep its servers well configured and patched.

        The problem with chains of trust is that they can be broken in multiple places. Successful server attacks are arguably even more of a problem than client attacks, because no matter how careful end users are, if servers owned by organisations they trust have been compromised, they will be vulnerable themselves. Sometimes attackers don't even need client-side exploits, only to compromise a server that serves trusted source code or executable code. This has happened, for example, with successful attacks on servers used by Linux distributors, e.g. the Debian GNU/Linux project.
        WilErz
      • @ toddbottom3

        Good news for Apple users. No Internet Explorer on OS X!

        Get your pills, man :)
        danbi
      • @WilErz

        >> to a web provider, and running Apache/Unix. Either an attacker used a zero day exploit or the web service provider used by the US Treasury failed to keep its servers well configured and patched.
        Tell us about exploited vulnerabilities of Apache/Unix, since you're the only one having this information.
        Ever heard of sql injection? weak ssh/password policy?
        >>This has happened, for example, with successful attacks on servers used by Linux distributors, e.g. the Debian GNU/Linux project.
        Submitting a link for this to substantiate the claim and explain what exactly you meant by that.

        Very well done talking about this when we are witnessing appearance of Windows malware #23242209.....
        eulampius
    • Nope, we can't but Todd will blame

      Apple for this. That guy/gal/it is desperate! :-)

      That's a joke TB3, don't take it to heart!! ;-)
      T-Wrench
    • Better yet, Linux

      @danbi:
      Good news for Linux users, no IE or Safari!
      ;-}
      aroc
  • Does Microsoft plan to issue an out-of-band patch for this vulnerability?

    nt
    Rabid Howler Monkey
    • From the security advisory linked in the article ...

      "Upon completion of our investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
      1773
    • Guess what?

      It doesn't affect IE10 on Windows 8 :-)
      bvonr@...
      • Indeed

        But it might, when Windows 8 is actually released.
        danbi
  • ANOTHER EPIC FAIL

    Ballmer's probably throwing chairs right now.
    Pete&Pete
    • How so? It's a user based exploit and according to the ZDNet forum rules...

      ...doesn't count.
      ye
      • The article says "little or no user action"

        So that's not my definition of "a user based exploit".
        Zogg
      • "user based?"

        It wouldn't be possible without the IE vulnerability.
        gtvr
      • User based, as in non system based.

        @Zogg:

        I.e. it's only a user land exploit.
        ye
      • And many other exploits wouldn't be possible without their associated...

        @gtvr :

        ...vulnerabilities. Your point?
        ye
      • Just enough access to encrypt all of your personal files then.

        Phew! For a moment there, I thought this might be [i]serious[/i]! :|
        Zogg