Versions of the browser from Internet Explorer 6 through to the latest version, 8, are affected, according to Microsoft. The vulnerability focuses on an invalid pointer reference, which can be accessed after a software object has been deleted. The vulnerability could be exploited by hosting a maliciously crafted website, it said. An attacker could gain the same access as the local user, again illustrating the dangers of running in administrative mode on (pre-Vista) versions of Windows that do not support user access control.
McAfee's CTO George Kurtz said that the IE flaw was used in the targeted attacks on technology companies, which he called "Operation Aurora", based on a computer filepath used in the attack.
"These highly customized attacks known as 'advanced persistent threats' (APT) were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior," he said. "They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered – it is too late."
"At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6," said Microsoft, in a security advisory published yesterday, adding that attacks against other versions of the browser had not surfaced yet. It has not ruled out an out-of-band patch.
Google was among several technology companies hit by these attacks at the turn of the year. They were designed to steal intellectual property, the search engine giant said, and also targeted the Gmail accounts of Chinese human rights activists.