Gmail accounts targeted by ‘state-sponsored attackers’ using Internet Explorer zero-day vulnerability

Internet Explorer zero-day being used by 'state-sponsored attackers' to hijack Gmail accounts

IE and GmailBoth Google and Microsoft have put out alerts about an unpatched, zero-day hole in Internet Explorer that didn’t get fixed on Patch Tuesday and is actively being exploited in the wild.

According to ZDNet, those attacks are apparently being launched by the “state-sponsored attackers” that Google warned Gmail users about last week.

Neither Google nor Microsoft referred to those state attackers in their respective security warnings. ZDNet attributed that particular detail to a source it said was “close to these investigations”.

This source confirmed to ZDNet that the attacks motivated Google to warn Gmail users last week about the attackers.

As ZDNet pointed out, Gmail users have been reporting on Twitter that they’ve been hit by the Gmail warning.

Google security engineer Andrew Lyons wrote in the company’s security blog that Google reported the vulnerability to Microsoft on May 30 and that the two companies have been working on the problem since.

He wrote on Tuesday:

Today Microsoft issued a Security Advisory describing a vulnerability in the Microsoft XML component. We discovered this vulnerability - which is leveraged via an uninitialized variable - being actively exploited in the wild for targeted attacks.

Lyons said that the attacks are spreading both from malicious web pages set up to snare Internet Explorer users and through Office documents.

Users running any flavor of supported Windows are vulnerable, from XP onwards up to and including Windows 7. All supported editions of Microsoft Office 2003 and Microsoft Office 2007 are also vulnerable.

The hole hasn’t been stitched up yet, but Microsoft is suggesting a workaround that will help prevent it from being exploited.

Microsoft Fix itMicrosoft’s security advisory recommends that IE and Office users immediately install a Fix it solution, downloadable with instructions from Microsoft Knowledge Base Article 2719615, until the company gets the final fix out.

The vulnerability crops up when Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0 try to access an object in memory that hasn’t been initialized, which can corrupt memory such that an attacker could execute arbitrary code on a hijacked machine.

A victim would have to visit a maliciously crafted site using IE to suffer an attack. An attacker might lure users into visiting a boobytrapped site by enticing them to click on a link in an email or via messaging.

A successful attack grants the intruder the same user rights as the logged-on user. Therefore, a mitigating factor is to configure accounts with fewer rights, as opposed to operating with administrative user rights.

Microsoft noted that by default, IE on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration. That also mitigates the vulnerability.

As far as bolting down Gmail goes, Sophos’s Graham Cluley has a collection of tips on how to stop your Gmail account from getting hacked.

Gmail login screenIt’s definitely worth a read. Here’s a quick cheat-sheet; Graham gives you more detail on these items in his article:

OK, that last one’s not a tip, per se, but it’s food for thought if you are, in fact, important enough that a state would want to attack your Gmail account.

If you are, think twice about using a free web email provider for sensitive information. If you’re working for the government or the military, like Graham said, put all that sensitive information on secure systems instead.

Hairy spider image, courtesy of Shutterstock.