Both Google and Microsoft have put out alerts about an unpatched, zero-day hole in Internet Explorer that didn’t get fixed on Patch Tuesday and is actively being exploited in the wild.
According to ZDNet, those attacks are apparently being launched by the “state-sponsored attackers” that Google warned Gmail users about last week.
Neither Google nor Microsoft referred to those state attackers in their respective security warnings. ZDNet attributed that particular detail to a source it said was “close to these investigations”.
This source confirmed to ZDNet that the attacks motivated Google to warn Gmail users last week about the attackers.
As ZDNet pointed out, Gmail users have been reporting on Twitter that they’ve been hit by the Gmail warning.
Google security engineer Andrew Lyons wrote in the company’s security blog that Google reported the vulnerability to Microsoft on May 30 and that the two companies have been working on the problem since.
He wrote on Tuesday:
Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability - which is leveraged via an uninitialized variable - being actively exploited in the wild for targeted attacks.
Lyons said that the attacks are spreading both from malicious web pages set up to snare Internet Explorer users and through Office documents.
Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.
The hole hasn’t been stitched up yet, but Microsoft is suggesting a workaround that will help prevent it from being exploited.
Microsoft’s security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company gets the final fix out.
The vulnerability crops up when Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 try to access an object in memory that hasn’t been initialized, which can corrupt memory such that an attacker could execute arbitrary code on a hijacked machine.
A victim would have to visit a maliciously crafted site using IE to suffer an attack. An attacker might lure users into visiting a boobytrapped site by enticing them to click on a link in an email or via messaging.
A successful attack grants the intruder the same user rights as the logged-on user. Therefore, a mitigating factor is to configure accounts with fewer rights, as opposed to operating with administrative user rights.
Microsoft noted that by default, IE on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration. That also mitigates the vulnerability.
As far as bolting down Gmail goes, Sophos’s Graham Cluley has a collection of tips on how to stop your Gmail account from getting hacked.
It’s definitely worth a read. Here’s a quick cheat-sheet; Graham gives you more detail on these items in his article:
- Set up two step verification
- Check if your Gmail messages are being forwarded without your permission
- Look where your Gmail account is being accessed from
- Choose a unique, hard-to-crack password
- Secure your computer
- Why are you using Gmail anyway?
OK, that last one’s not a tip, per se, but it’s food for thought if you are, in fact, important enough that a state would want to attack your Gmail account.
If you are, think twice about using a free web email provider for sensitive information. If you’re working for the government or the military, like Graham said, put all that sensitive information on secure systems instead.
Hairy spider image, courtesy of Shutterstock.
11 comments on “Gmail accounts targeted by ‘state-sponsored attackers’ using Internet Explorer zero-day vulnerability”
So ehen did google warn us? I received no warning.
They warned you really quietly. Don’t want to scare the masses, after all, else there’ll be less in ad sales.
If i understood correctly, This was not for all gmail users and googled gave a warning to those who may have been in jeperdy.
First my LinkedIn account, now my gmail?! How will I ever survive with all these shotty, free services! But wait, Fb is publicly traded now….meh, even if I buy stock Fb is going to copy apple and not listen to me. Illjust be a webhipster and pay for local services so there are people I can complain to.
Aye I too didn’t receive a warning either
I received no warning from Google either.
They probably think that if you use IE then you aren't smart enough to digest the warning.
Who would use a webmail account unless registering for a one-time junk gin-mill account somewhere; such as ‘FREE trial’ ‘free newsletter’ free anything and it’s – give us your email so we can spam you’.
We seem to be spending more time and money protecting ourselves than there is value in the product – Internet. Webmail just adds to the grief.
But, I’m glad Sophos is around to help. Go Lisa!
For more information, please refer to this Advisory from Microsoft:
Be careful what you click on and where your browser goes!
So . . . the easiest fix would be to install and use Firefox?
or Chrome or other browser as long as it isn't Internet Explorer, and remember not use Microsoft Office 2003-2007 until it's fixed.
It seems to be more of an issue that one has Microsoft products installed on their computer than a Google/Gmail problem. Why not ask why one is using Microsoft products instead of other options since IE and MS Office are what initiate the vulnerability for the malicious code to run? I'm sure that another code could be used in place of the one mentioned in this article that would allow extraction of other personal data from a computer using those Microsoft products.