Google said it is working with Microsoft to patch a hole
in the Windows operating system hackers are trying to exploit to target
activists, among other users.
The search engine, which called the attacks "highly
targeted and apparently politically motivated," said the perpetrator(s)
abuses a known vulnerability Microsoft
treated with a temporary patch in late January.
The bug lies in the MHTML (MIME Encapsulation of
Aggregate HTML) protocol handler on Windows XP and later Windows versions, and is
exploited as a cross-site scripting attack when users surf the Web with Microsoft's
Internet Explorer browser.
An attacker could leverage the hole by writing an HTML
link designed to trigger a malicious script and convince the targeted user to
attacker a way to access user information stored in the browser and trick users
into installing malicious code.
Microsoft issued this fix
for the security flaw in January, but the flaw is being used to target
political activists and even users on at least one popular social
Website, Google said.
Google's security engineers recommend users, including
businesses whose computers use IE, run Microsoft's Fixit solution on their
computers to block this attack until permanent patch is available.
For its part, Google said it has set up several
server-side defenses to protect users of its own Web services against the MHTML
"That said, these are not tenable long-term
solutions, and we can't guarantee them to be 100 percent reliable or
comprehensive," Google's security team wrote in a blog post March 11. "We're working with Microsoft to develop a
comprehensive solution for this issue."
That Google is working directly with rival Microsoft is a
testament to the seriousness of the issue. Rivalries tend to get placed on the
backburner where computer security is concerned, but the joint effort certainly
underscores the companies' shared concern.
Indeed, Google said the abuse of this vulnerability represents
a new quality in the exploitation of Web-level vulnerabilities. The company
said such attacks previously focused on directly compromising users' systems,
as opposed to leveraging vulnerabilities to interact with web services.