Google said it is working with Microsoft to patch a hole in the Windows operating system hackers are trying to exploit to target activists, among other users.
The search engine, which called the attacks “highly targeted and apparently politically motivated,” said the perpetrator(s) abuses a known vulnerability Microsoft treated with a temporary patch in late January.
Update: Google would not reveal which activists have been targeted or the origin of the attacks.
The bug lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler on Windows XP and later Windows versions, and is exploited as a cross-site scripting attack when users surf the Web with Microsoft’s Internet Explorer browser.
An attacker could leverage the hole by writing an HTML link designed to trigger a malicious script and convince the targeted user to click it.
Microsoft issued this fix for the security flaw in January, but the flaw is being used to target political activists and even users on at least one popular social Website, Google said.
Google’s security engineers recommend users, including businesses whose computers use IE, run Microsoft’s Fixit solution on their computers to block this attack until permanent patch is available.
For its part, Google said it has set up several server-side defenses to protect users of its own Web services against the MHTML exploit.
“That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100 percent reliable or comprehensive,” Google’s security team wrote in a blog post March 11. “We’re working with Microsoft to develop a comprehensive solution for this issue.”
That Google is working directly with rival Microsoft is a testament to the seriousness of the issue. Rivalries tend to get placed on the backburner where computer security is concerned, but the joint effort certainly underscores the companies’ shared concern.
Indeed, Google said the abuse of this vulnerability represents a new quality in the exploitation of Web-level vulnerabilities. The company said such attacks previously focused on directly compromising users’ systems, as opposed to leveraging vulnerabilities to interact with Web services.