The ongoing zero-day attacks used against an Internet Explorer zero-day vulnerability have targeted users of IE 6, an older version of the browser that doesn't contain the latest security features, Microsoft said in an update to customers on Sunday.
"Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Security organization. "We are not seeing any widespread attacks by any means and thus far we are not seeing attacks focused on consumers."
Search engine giant Google announced last week that it and other Silicon Valley technology firms were targeted in a string of sophisticated attacks. The attacks, believed to be carried out by Chinese computer hackers, use savvy social engineering techniques. The hackers send carefully worded messages tricking victims into clicking on links to attack websites or opening attachments containing malware. Adobe Systems Inc. and Juniper Networks Inc. have also publicly acknowledged they too had been targeted by similar attacks.
Ongoing sophisticated corporate cyberattacks:
Hackers used IE zero-day in Google, Adobe attacks, McAfee says: The recent targeted attacks against Google, Adobe and possibly dozens of other firms used an unpatched vulnerability in Internet Explorer, according to researchers at McAfee.
Microsoft issues advisory on Internet Explorer zero-day: Targeted attacks against Google, Adobe and other firms used a hole in Internet Explorer. The flaw affects nearly all versions of the browser.
Since then, The Wall Street Journal, citing unidentified security experts, identified Symantec Corp. and Northrop Grumman Corp. as companies that were also targeted. Both firms have declined to confirm the specific attack. Meanwhile, the newspaper said a Dow Chemical Co., spokesperson confirmed that the company had been contacted by federal law enforcement agencies regarding cyberattacks.
Microsoft's Stathakopoulos said the software giant was actively monitoring the threat landscape through its broad telemetry system. Engineers are also working on a patch which could be released as an emergency out-of-band update. Until an update is released, companies are being urged in a Microsoft security advisory to set intranet security zone settings to high, configure Internet Explorer to prompt before running active scripting and enable Data Execution Protection. Stathakopoulos reiterated that the ongoing attacks do not appear to be targeting consumers.
Meanwhile security experts say the kind of cyberattacks being carried out are not new, but the way in which the attackers conduct surveillance on a target and gather information to concoct a savvy social engineering campaign against victims is what makes the attacks unique. Mikko Hyppönen, chief research officer at F-Secure Corp. Hyppönen said that while his firm sees more than a dozen attacks of this nature each month, the careful use of language and perfect grammar as well as other ways in which email messages are worded seem to easily trick victims.
In an announcement on Thursday, antivirus vendor McAfee said it's researchers discovered the IE zero-day vulnerability during an analysis of malware used in the attacks. Dubbing the attacks, "Operation Aurora," George Kurtz, chief technology officer of McAfee said the current malware being analyzed is more sophisticated and designed to steal data and even modify it without detection.
"These attacks have demonstrated that companies of all sectors are very lucrative targets," Kurtz wrote on his Security Insights blog. "Many are highly vulnerable to these targeted attacks that offer loot that is extremely valuable: intellectual property."