New attacks leverage unpatched IE flaw, Microsoft warns

Microsoft has released a Fixit tool users can download to repair the problem, but has not said if it will push out a comprehensive security update

An Internet Explorer flaw made public two months ago is now being used in online attacks.

The flaw, which has not yet been patched, has been used in "limited, targeted attacks," Microsoft said Friday in an update to its security advisory on the issue.

[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]

Google concurred, and offered a few more details. "We've noticed some highly targeted and apparently politically motivated attacks against our users," Google said in blog post. "We believe activists may have been a specific target. We've also seen attacks against users of another popular social site."

The attack is triggered when the victim is tricked into visiting a maliciously encoded Web page -- what's known as a Web drive-by attack. It gives the attacker a way of hijacking the victims browser and accessing Web applications without authorization.

The flaw lies in the Windows MHTML (Mime HTML) parsing software used by Internet Explorer, and affects all currently supported versions of Windows. It was disclosed on the Full Disclosure mailing list in January.

Microsoft has released a Fixit tool that users can download to repair the problem, but has not said when, or even if, it plans to push out a comprehensive security update to all users.

Google isn't saying who exactly was targeted in this latest incident, but Chinese activist groups have been the focus of cyber attacks in the past. This may be another example of an ongoing and methodical effort to track and steal information from pro-democracy and Tibetan activists.

Now that the flaw is being exploited in attacks, the pressure is mounting on Microsoft to produce a reliable patch for the issue that can be pushed out to hundreds of millions of customers.

"For now, we recommend concerned users and corporations seriously consider deploying Microsoft's temporary Fixit to block this attack until an official patch is available," Google said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's email address is robert_mcmillan@idg.com.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies