New attacks leverage unpatched IE flaw, Microsoft warns

Google disclosed the Internet Explorer bug in January, but it's now being used in targeted attacks

An Internet Explorer flaw made public by a Google security researcher two months ago is now being used in online attacks.

The flaw, which has not yet been patched, has been used in "limited, targeted attacks," Microsoft said Friday in an update to its security advisory on the issue.

Google concurred, and offered a few more details. "We've noticed some highly targeted and apparently politically motivated attacks against our users," Google said in blog post. "We believe activists may have been a specific target. We've also seen attacks against users of another popular social site."

The attack is triggered when the victim is tricked into visiting a maliciously encoded Web page -- what's known as a Web drive-by attack. It gives the attacker a way of hijacking the victims browser and accessing Web applications without authorization.

The flaw lies in the Windows mshtml.dll software library used by Internet Explorer, and affects all currently supported versions of Windows.

Microsoft has released a Fixit tool that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users.

The bug has been a bone of contention between Google and Microsoft. On January 1, Google engineer Michal Zalewski released a hacking tool that could be used to find the bug, along with some technical details, saying that he was concerned that Chinese hackers may have already discovered the problem. He said that he warned Microsoft about the flaw back in July. Microsoft maintains that it was unable to reproduce the problem until December.

Google isn't saying who exactly was targeted in this latest incident, but Chinese activist groups have been the focus of cyber attacks in the past. This may be another example of an ongoing and methodical effort to track and steal information from pro-democracy and Tibetan activists.

Zalewski referred an inquiry to Google's public relations team, which declined to comment further on the matter.

Now that the flaw is being exploited in attacks, the pressure is mounting on Microsoft to produce a reliable patch for the issue that can be pushed out to hundreds of millions of customers.

"For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available," Google said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationsGoogleMicrosoftsecuritybrowserssoftwareExploits / vulnerabilities

More about GoogleIDGMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts