

Microsoft Speeds Up Critical IE Patch To Stop Google Attacks

By Stefanie Hoffman
January 21, 2010    3:42 PM ET

Microsoft released its emergency, out-of-band patch Thursday repairing eight flaws, including a critical zero-day vulnerability in Internet Explorer, following a Chinese cyber attack on the Google network earlier this month.

Microsoft confirmed last week that the massive IE vulnerability was used as an entry point for attackers to launch a malicious cyber attack on Google, in addition to more than 30 other companies. Thus far, Microsoft researchers say they have seen only limited and targeted attacks that have exploited holes in the aging IE 6. However, reports have recently circulated indicating that proof-of-concept code was also created exploiting the same vulnerability on IE 7, as well as Windows XP and Windows Vista.

Despite the widespread publicity and concern, experts contend that this IE zero-day is no different than any other IE flaw -- except that this particular vulnerability was used in an attack allegedly from China on search engine giant Google. The high-profile attack subsequently galvanized Microsoft to accelerate the release of the IE patch.

Andrew Storms, director of security operations for security company nCircle, said that Microsoft already knew about the IE flaw and was prepared to release the patch in February. Microsoft sped up the patch when attackers found the exploit code and started using it to attack Google, he said.

"If we took out the saga with Google, which supposedly China sponsored, this probably would have been like any other ordinary zero-day," Storms said. "When we get a large company like Google that has a large footprint on the Internet, they have a lot of sway with the public mentality. It causes quite a big stir, and Microsoft probably took the brunt of that."

The patch is a cumulative fix repairing a total of eight vulnerabilities -- seven private and one public -- in IE. Specifically, the IE bug could allow a remote attacker to take complete control of a PC by installing malware known as a Trojan horse. Users could become infected by clicking on a malicious link, usually delivered by e-mail through a social engineering scheme, while running the IE Web browser.

The attack targeting the Google network was likely used to gather information around intellectual property, Storms said. However, for many victims, the malware would be used to steal information and record keystrokes in order to obtain credit card, bank account, and other personally identifying information.

Microsoft recommends that users patch the IE flaw as soon as possible in order to protect their systems from attack. However, Storms added that the heightened publicity would likely compel more users to patch their systems than during a typical security update release.

"A lot of people are aware of it and will patch it pretty quickly," he said. "That's going to close the loophole."
