Microsoft issued an emergency patch today blocking ongoing attacks against corporate networks that have been exploiting a vulnerability in Internet Explorer 6.
The critical update, MS10-002, addresses eight vulnerabilities. It blocks publicly available exploit code targeting a zero-day vulnerability believed to be used in the recent attacks against Google, Adobe Systems Inc., and 30 other companies. The attackers targeted users of Internet Explorer 6 running on Windows XP. The update affects all supported versions of Internet Explorer.
"Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only," said Jerry Bryant, senior security program manager at Microsoft. "Microsoft recommends customers deploy this security update as soon as possible to protect themselves against the known attacks."
Internet Explorer contains a variety of memory corruption vulnerabilities that could be exploited by an attacker who tricks users into visiting a malicious Web page. The software giant said it also addressed a URL validation handling error, which could be exploited by an attacker using a malicious URL, and a cross-site scripting filter bypass vulnerability in Internet Explorer 8, which could allow disabled scripts to run, resulting in information disclosure.
Microsoft said all the vulnerabilities can lead either to information disclosure or to an attacker taking complete control of a system, installing programs, and viewing, changing or deleting data.
In its security advisory, Microsoft said the flaw used in a spate of attacks against corporate networks was an invalid pointer reference within Internet Explorer resulting in a memory corruption condition when exploit code forces the browser to attempt to access a freed object.
Security experts said the latest spate of attacks against corporate networks shows no new methods and little sophistication. Attacks of this nature have been ongoing for years and are a reminder that companies need to take a defense-in-depth approach and not rely solely on a specific security technology, said software security expert Roger Thornton, founder and chief technology officer of static analysis and software security vendor Fortify Software Inc. While it's nearly impossible to protect the entire corporate network from attack, tools are available to make it a lot harder for cybercriminals, Thornton said.
"If I ran a cyberwarfare unit and I wanted to get into your company, Microsoft Internet Explorer would be a vector I'd explore," Thornton said. "It's a big piece of code; Microsoft just has to make one mistake and I can get in."
Most attackers are choosing browser vulnerabilities, issues with the widely used Adobe Flash, Reader and Acrobat PDF applications, other Web interfaces and finally operating system errors, Thornton said. Attackers are also getting better at targeting individuals with savvy social engineering tactics. Most people have a social networking account, and the information publicly available there helps cybercriminals craft convincing messages designed to trick users into visiting a website or downloading a file.
"Every country in the world is going to have some genuine security interest to know our secrets and I don't fault the Chinese or whoever for trying to get those secrets," Thornton said. "It kills me when these types of vulnerabilities happen to Microsoft because they really are working on the problem, but some things are slipping through."