Microsoft confirms 'targeted attacks' against old, unpatched IE vulnerability

Microsoft's inability to fix a troublesome browser vulnerability that dates back to 2004 has come back to haunt users of its flagship Internet Explorer browser.

Microsoft's inability to fix a troublesome browser vulnerability that dates back to 2004 has come back to haunt users of its flagship Internet Explorer browser.

The vulnerability, which affects all supported editions of Microsoft Windows, is currently being used to launch "politically motivated attacks" against human rights activists, most likely in China.   Microsoft described these as "limited, targeted attacks" and Google says it is seeing attacks against users of a popular (unnamed) social site.

Here is a warning from Google's security team:

follow Ryan Naraine on twitter

We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services.

Separately, Google security researcher Michal Zalewski produced a timeline that shows that Microsoft has been aware of this IE security problem since at least 2007.

Based on this 2007 advisory, it appears that a variant of this issue first appeared in 2004, and has been independently re-discovered several times in that timeframe. In 2006, the vendor reportedly acknowledged the behavior as "by design"; but in 2007, partial mitigations against the attack were rolled out as a part of MS07-034 (CVE-2007-2225). Unfortunately, these mitigations did not extend to a slightly modified attack published in the January 2011 post to the full-disclosure@ mailing list.

In the absence of a patch, it's important that IE users apply this Fix-It workaround from Microsoft.

Microsoft is also recommending that IE users:

  • Enable the MHTML protocol lockdown.
  • Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

Instructions for applying these workarounds can be found in Microsoft's advisory.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All