Gmail accounts targeted by 'state-sponsored attackers' using Internet Explorer zero-day vulnerability


Both Google and Microsoft have put out alerts about an unpatched, zero-day hole in Internet Explorer that didn't get fixed on Patch Tuesday and is actively being exploited in the wild.

According to ZDNet, those attacks are apparently being launched by the "state-sponsored attackers" that Google warned Gmail users about last week.

Neither Google nor Microsoft referred to those state attackers in their respective security warnings. ZDNet attributed that particular detail to a source it said was "close to these investigations".

This source confirmed to ZDNet that the attacks motivated Google to warn Gmail users last week about the attackers.

As ZDNet pointed out, Gmail users have been reporting on Twitter that they've been hit by the Gmail warning.

Google security engineer Andrew Lyons wrote in the company's security blog that Google reported the vulnerability to Microsoft on May 30 and that the two companies have been working on the problem since.

He wrote on Tuesday:

Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability - which is leveraged via an uninitialized variable - being actively exploited in the wild for targeted attacks.

Lyons said that the attacks are spreading both from malicious web pages set up to snare Internet Explorer users and through Office documents.

Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.

The hole hasn't been stitched up yet, but Microsoft is suggesting a workaround that will help prevent it from being exploited.

Microsoft's security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company gets the final fix out.

The vulnerability crops up when Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 try to access an object in memory that hasn't been initialized, which can corrupt memory such that an attacker could execute arbitrary code on a hijacked machine.
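The bug class described above (using an object in memory that was never initialized), as an added, constructed C illustration beside its hardened form. It is not MSXML code; the one-slot allocator, `node_t`, and the handler names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

typedef struct { int kind; int handler; char name[16]; } node_t;

/* Constructed stand-in for a heap that hands back a freed block as-is. */
static node_t slot;
static node_t *pool_alloc(void) { return &slot; }

static int h_text(void) { return 1; }
static int h_elem(void) { return 2; }
static int (*const handlers[])(void) = { h_text, h_elem };
#define N_HANDLERS 2

/* Vulnerable: 'handler' is written only for recognised kinds, so any other
   kind leaves the field holding whatever the block's last owner stored. */
static node_t *node_new_vuln(int kind) {
    node_t *n = pool_alloc();
    n->kind = kind;
    if (kind == 0 || kind == 1) n->handler = kind;
    return n;
}

/* Hardened: clear the object, then give every path a defined value. */
static node_t *node_new_safe(int kind) {
    node_t *n = pool_alloc();
    memset(n, 0, sizeof *n);
    n->kind = kind;
    n->handler = (kind == 0 || kind == 1) ? kind : -1;
    return n;
}

/* Defence in depth: validate the index before using it; -1 means rejected. */
static int dispatch(const node_t *n) {
    if (n->handler < 0 || n->handler >= N_HANDLERS) return -1;
    return handlers[n->handler]();
}

/* Let a previous owner leave 'stale' in the block, then build a node of
   unrecognised kind 7 with the given constructor and dispatch it. */
static int run_case(node_t *(*ctor)(int), int stale) {
    slot.handler = stale;
    return dispatch(ctor(7));
}

int main(void) {
    printf("vulnerable: %d\n", run_case(node_new_vuln, 1)); /* stale data picks h_elem */
    printf("hardened:   %d\n", run_case(node_new_safe, 1)); /* rejected */
    return 0;
}
```

In the vulnerable constructor the handler that runs is decided by leftover data rather than by the node being built, which is why whoever controls the block's previous contents controls the behaviour.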

A victim would have to visit a maliciously crafted site using IE to suffer an attack. An attacker might lure users into visiting a boobytrapped site by enticing them to click on a link in an email or via messaging.

A successful attack grants the intruder the same user rights as the logged-on user. Therefore, a mitigating factor is to configure accounts with fewer rights, as opposed to operating with administrative user rights.

Microsoft noted that by default, IE on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration. That also mitigates the vulnerability.

As far as bolting down Gmail goes, Sophos's Graham Cluley has a collection of tips on how to stop your Gmail account from getting hacked.

It's definitely worth a read. Here's a quick cheat-sheet; Graham gives you more detail on these items in his article:

OK, that last one's not a tip, per se, but it's food for thought if you are, in fact, important enough that a state would want to attack your Gmail account.

If you are, think twice about using a free web email provider for sensitive information. If you're working for the government or the military, like Graham said, put all that sensitive information on secure systems instead.


Hairy spider image, courtesy of Shutterstock.


11 Responses to Gmail accounts targeted by 'state-sponsored attackers' using Internet Explorer zero-day vulnerability

  1. Nola · 861 days ago

    So when did Google warn us? I received no warning.

    • They warned you really quietly. Don't want to scare the masses, after all, else there'll be less in ad sales.

    • PrestonReid · 859 days ago

      If I understood correctly, this was not for all Gmail users and Google gave a warning to those who may have been in jeopardy.

      First my LinkedIn account, now my Gmail?! How will I ever survive with all these shotty, free services! But wait, Fb is publicly traded now....meh, even if I buy stock Fb is going to copy Apple and not listen to me. I'll just be a webhipster and pay for local services so there are people I can complain to.

    • Martin · 859 days ago

      Aye I too didn't receive a warning either

    • mack · 859 days ago

      I received no warning from Google either.

    • Lucas · 856 days ago

      They probably think that if you use IE then you aren't smart enough to digest the warning.

  2. Internaut · 860 days ago

    Who would use a webmail account unless registering for a one-time junk gin-mill account somewhere; such as 'FREE trial' 'free newsletter' free anything and it's - give us your email so we can spam you'.

    We seem to be spending more time and money protecting ourselves than there is value in the product - Internet. Webmail just adds to the grief.

    But, I'm glad Sophos is around to help. Go Lisa!

  3. Robert Wurzburg · 860 days ago

    For more information, please refer to this Advisory from Microsoft:
    http://technet.microsoft.com/en-us/security/advis...

    Be careful what you click on and where your browser goes!

  4. AC · 859 days ago

    So . . . the easiest fix would be to install and use Firefox?

    • David · 858 days ago

      or Chrome or other browser as long as it isn't Internet Explorer, and remember not to use Microsoft Office 2003-2007 until it's fixed.

  5. David · 858 days ago

    It seems to be more of an issue that one has Microsoft products installed on their computer than a Google/Gmail problem. Why not ask why one is using Microsoft products instead of other options since IE and MS Office are what initiate the vulnerability for the malicious code to run? I'm sure that another code could be used in place of the one mentioned in this article that would allow extraction of other personal data from a computer using those Microsoft products.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.