IE zero-day flaw being used to hijack Gmail accounts

A newly announced Internet Explorer zero-day exploit is apparently being used to hijack the accounts of a number of Gmail users. ZDNet.com reports that both Microsoft and Google have sent out their own security advisories about this issue. The exploit works just by an IE user surfing over to an infected website.

According to Microsoft's statement:

An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.

While there is no patch yet for this issue, Microsoft does offer a tool that will block this exploit from being used. This exploit is apparently the same one that Google referenced in a recent security blog post where it warned Gmail users that their email boxes could be the subject of "state-sponsored attacks."  Google also said that Gmail users who might be the victim of these attacks would see a message similar to the one above.

Source: ZDnet.com | Image via Google

Report a problem with article
Previous Story

New Tomb Raider game doesn't have a rape scene, says developers

Next Story

AMD to integrate ARM chip in upcoming AMD processors

23 Comments

Commenting is disabled on this article.

Osiris said,
...wonders if 'state sponsored' attacks is the new buzz words for anything that goes wrong now...

... or maybe it's really state sponsored.

These things that are actually out in the wild already should be patched faster in my opinion. Google found it on June 5, Microsoft already had the KB pages up two days ago. This should have been pushed over Windows Update by now really.

I do commend Google for mentioning it is state-sponsored. Perhaps these things will make people think twice when they say things like Wikileaks are evil.

Ambroos said,
These things that are actually out in the wild already should be patched faster in my opinion. Google found it on June 5, Microsoft already had the KB pages up two days ago. This should have been pushed over Windows Update by now really.

I do commend Google for mentioning it is state-sponsored. Perhaps these things will make people think twice when they say things like Wikileaks are evil.


While this is a zero day, I really do not want Microsoft to pull and Apple and rush an update out that BSOD's thousands of machine. Do you really think they would rush an update out in 2 days to millions of Windows machines? Can you imagine what would happen if there was not enough testing done and it crashed over half of them?

Ambroos said,
These things that are actually out in the wild already should be patched faster in my opinion. Google found it on June 5, Microsoft already had the KB pages up two days ago. This should have been pushed over Windows Update by now really.

it usually takes a whole week to MS just to test a security update and make sure it doesn't cause regressions (because MS supports 5 versions of IE on dozen of OS/service packs/architectures/language, and because every update has to be tested against thousands of popular software to make sure that it breaks nothing).

Patching immediately isn't possible. But as least, there are already 2 solutions to block this flaw:
-apply a temporary fix
-or use Microsoft EMET.

Antiviruses can also block known exploits before they are executed.

link8506 said,

it usually takes a whole week to MS just to test a security update and make sure it doesn't cause regressions (because MS supports 5 versions of IE on dozen of OS/service packs/architectures/language, and because every update has to be tested against thousands of popular software to make sure that it breaks nothing).

Patching immediately isn't possible. But as least, there are already 2 solutions to block this flaw:
-apply a temporary fix
-or use Microsoft EMET.

Antiviruses can also block known exploits before they are executed.

I'm going to add that MS has released patches that did cause issues but they usually pull them the same day the issue is reported and verified.

warwagon said,


While this is a zero day, I really do not want Microsoft to pull and Apple and rush an update out that BSOD's thousands of machine. Do you really think they would rush an update out in 2 days to millions of Windows machines? Can you imagine what would happen if there was not enough testing done and it crashed over half of them?


Microsoft already do that. If an issue is critical enough they will release a patch in under 24 hours. It will come with a warning saying that the patch has had limited testing and end users should beware.

KomaWeiß said,
I thought almight IE was secure? /sarcasm

It is.
But every software has flaws, althought IE has much fewer flaws than other browsers, and by several factors! (webkit has had as much as 5x more flaws than IE for example)

since Firefox has now only 19% marketshare, most interesting targets are much more likely to use IE, and that's why governments are buying 0day IE flaws to "security research" companies (for example, Vupen has declared that they have working exploits for chrome, Firefox, IE up to ie9, and safari/osx and they sell them to government agencies).

btw, currently IE10 is the only browser that has never been exploited, thanks to its new sandbox (more secure than chrome that has been exploited several times).

And concerning this 0day flaw, I guess the exploit doesn't work on ie9 or ie8/vista/7. Unfortunately there aren't much details in the security bulletin. The flaw exists in every version of IE, but the exploit probably doesn't work on every IE version.

Beyond Godlike said,
EVERYONE should be using strong password + Google Authenticator/2-step verification to prevent stuff like this.

Or just don't use IE...

simplezz said,

Or just don't use IE...

Yeah right.
Let's all use a browser with less market share but with more security flaws, that will sure be enough to protect people from targeted attacks
/s

For your information, some security firms knows 0days exploits for chrome, Firefox, safari, ie6 to 9, and probably even opera too (although they never mention opera, it is as easy to exploit as Firefox since it has no security sandbox)

As far as I know, no one has yet created any exploit working on ie10 with enhanced protected mode.

link8506 said,

Yeah right.
Let's all use a browser with less market share but with more security flaws, that will sure be enough to protect people from targeted attacks
/s

For your information, some security firms knows 0days exploits for chrome, Firefox, safari, ie6 to 9, and probably even opera too (although they never mention opera, it is as easy to exploit as Firefox since it has no security sandbox)

As far as I know, no one has yet created any exploit working on ie10 with enhanced protected mode.

Yeah right. You seem to not understand Open Source, if there is a problem, anybody could fix it within a matter of minutes. But with Microsoft's closed source, you are at their mercy. I swear, I don't understand why anybody would want to be at the mercy of a single company, especially one that has been proven to be a monopoly and practices immoral behavior. But whatever....

Mike Frett said,

Yeah right. You seem to not understand Open Source, if there is a problem, anybody could fix it within a matter of minutes. But with Microsoft's closed source, you are at their mercy. I swear, I don't understand why anybody would want to be at the mercy of a single company, especially one that has been proven to be a monopoly and practices immoral behavior. But whatever....

Yeah Microsoft is evil ... bla bla bla.

I know what open source is, and it doesn't guarantees fast patch time (both google and Mozilla take months to patch privately reported vulnerabilities).

Concerning 0day flaws, It would be stupid to assume that users are gonna patch the hole themselves just because they have access to the source code.

And in the current situation, MS has been fast at releasing a temporary patch, instead of rushing to release a buggy patch like some other browser vendor do.

Mike Frett said,

Yeah right. You seem to not understand Open Source, if there is a problem, anybody could fix it within a matter of minutes.

As a developer myself, I've never understood that argument. Open source has never benefited me in that way--ever. I'm not going to take the time to fix something in someone else's product; I've got enough of my own **** to look after. And once a fix is out, I'm going to get it from the official sources anyway, not some random schmuck off the internet who claims he "fixed it himself".

So while you can go with your theory that "anyone can fix it", the reality is, it's going to end up being someone who's already pretty deeply involved in that project anyway.