Microsoft admits IE was used in Google attacks

Tuesday 19 January 2010 | By Heidi Scott, Gosh! Media Copywriter

Tags: Google, IE, Microsoft, Privacy, Security

US software giant Microsoft has admitted that its Internet Explorer browser was used in the recent attacks on Google's networks that originated in China.

In a blog post on Thursday last week, Microsoft conceded that a vulnerability in IE was used to allow hackers to run programmes remotely on infected computers. The company's Director of Security Response, Mike Reavey, said in the post, "Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks."

Following the attacks in mid-December, Google recently threatened to end its operations in China and also refused to continue to censor its search results in the country. Security firm McAfee told news agency AFP that the attacks on Google showed a level of sophistication above that typical of isolated, cyber criminal activity.

Microsoft said it had "not seen widespread customer impact", but rather "targeted and limited attacks exploiting Internet Explorer 6". The corporation has released preliminary guidance (Security Advisory 979352) to mitigate the problem and is working on a formal software update.

Mr Reavey's post continued, "Unfortunately cyber crime and cyber attacks are daily occurrences in the online world. Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity. We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation."

The blog post also contained a general warning to businesses and specific advice on security settings:

"It is important to note that complex attacks targeting specific corporate networks are becoming more prevalent in the threat landscape, therefore organizations should follow defense-in-depth best practices, and deploy multiple layers of protection to improve their security posture. In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user's machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions. Customers can also set Internet and Local intranet security zone settings to 'High' to prompt before running ActiveX Controls and Active Scripting in these zones or configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone."

In a post on the 'Satisfy Me' blog of M3 Sweatt (Chief of Staff of the Windows Core Operating System Division at Microsoft), the software company outlines which versions of Internet Explorer are vulnerable:

"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

The blog goes on to explain that attackers must still convince victims to click through to a bogus site:

"In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site."

Back to industry news