A zero-day vulnerability in Internet Explorer was used by hackers in a recent spate of targeted attacks against Google, Adobe and other firms, according to an advisory issued by Microsoft late Thursday.
The software giant said it was cooperating with Google and other companies and providing information to investigators. The remote code execution vulnerability affects nearly all supported versions of IE running on nearly every version of Windows. IE 5.01 on Windows 2000 is not affected.
"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time," Mike Reavey, the group manager at the Microsoft Security Response Center, wrote on the MSRC blog. "Our teams are currently working to develop an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution."
Attacks targeting specific corporate networks are becoming more prevalent, Reavey said, urging enterprises to deploy multiple layers of defenses to improve their security posture. Google and Adobe acknowledged in separate messages this week that their corporate systems had been targeted by hackers who used sophisticated social engineering tactics. McAfee said its researchers discovered the IE zero-day vulnerability during an analysis of the malware used in the attacks.
In its advisory, Microsoft said customers could mitigate the threat posed by the IE zero-day flaw by setting local intranet security zone settings to high and using Protected Mode in IE 7 on Windows Vista and later. The higher security zone setting makes the browser check with the user before running ActiveX Controls and Active Scripting. In addition, Data Execution Prevention (DEP) can be enabled to help mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions, Reavey said.
"The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted," Microsoft said in its advisory. "In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
The flaw is exploited by setting up specially crafted content on an attack website. Microsoft said the attacker would have to get the user to visit the website by tricking them into clicking on a link within an email message.
"It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," Microsoft said.