Several of the companies victimized in the attack that hit Google and dozens of other companies recently were compromised through the use of a new, unpatched vulnerability in Internet Explorer, experts say.
The flaw was used in a sophisticated attack that included victims receiving targeted emails with malicious attachments or links to malicious sites, which then exploited the flaw in IE. Researchers at McAfee have been working with some of the victim companies to investigate the attacks, and discovered the new IE vulnerability during the course of the investigation, according to a blog post by CTO George Kurtz.
As with most targeted attacks, the intruders gained access to an
organization by sending a tailored attack to one or a few targeted
individuals. We suspect these individuals were targeted because they
likely had access to valuable intellectual property. These attacks will
look like they come from a trusted source, leading the target to fall
for the trap and clicking a link or file. That’s when the exploitation
takes place, using the vulnerability in Microsoft’s Internet Explorer.
Once the malware is downloaded and installed, it opens a back door
that allows the attacker to perform reconnaissance and gain complete
control over the compromised system. The attacker can now identify high
value targets and start to siphon off valuable data from the company.
Our investigation has shown that Internet Explorer is vulnerable on
all of Microsoft’s most recent operating system releases, including
Windows 7.
This is the first detailed description of the methods the attackers used in at least some of the incidents, although there may have been other methods used against other victims. Google was the first to publicly disclose the attack on Tuesday, saying that its corporate network had been compromised and some intellectual property stolen. Adobe also disclosed an attack Tuesday, but has not confirmed that it was related to the same series of attacks that hit Google and more than 30 other companies.
There are reports that Microsoft may release information on the IE flaw Thursday.