The attack on Google in China was possible due to a zero-day vulnerability in Internet Explorer.
Microsoft said that the vulnerability exists as an invalid pointer reference within Internet Explorer. It said that it is possible, under certain conditions, for the invalid pointer to be accessed after an object is deleted.
In a specially crafted attack, the attempt to access the freed object can cause Internet Explorer to allow remote code execution. Microsoft said that it was aware of ‘limited, active attacks attempting to use this vulnerability against Internet Explorer 6’, but had not seen attacks against other affected versions of Internet Explorer.
It said: “We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
In a web-based attack scenario, an attacker could host a website that contains a web page that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.
Microsoft said that in all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email or Instant Messenger message that takes users to the attacker's website.
Microsoft said that its investigation showed that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are affected.
Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected.
In what McAfee calls ‘Operation Aurora’, because ‘Aurora’ was used as part of a file path in the attacks, George Kurtz, CTO of McAfee, said: “As with most targeted attacks, the intruders gained access to an organisation by sending a tailored attack to one or a few targeted individuals.
“We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and click a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer.
“Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system. The attacker can now identify high value targets and start to siphon off valuable data from the company.”
Michael Sutton, vice president of security research at Zscaler, said: “Targeted, web-based attacks can be a powerful tool for criminals. Zero-day attacks that impact popular software such as Internet Explorer affect virtually every organisation.
“When vulnerabilities such as these emerge, rapid deployment of protections is absolutely critical.”