Highly targeted, politically motivated attacks that affect all supported versions of Microsoft’s Windows operating system are being carried out on Google users, requiring the search giant to issue a bulletin warning those who use its services.
Attacks on Google users utilise an unpatched MHTML vulnerability that, although disclosed in January, allows attackers to steal sensitive information by exploiting the way Internet Explorer users on Windows parses MIME-formatted webpages, also allowing trusted websites to be spoofed and actions to be performed without authorisation.
Microsoft has issued a temporary fix but it is unknown how long it will be until a full patch is released.
Google, worried that its users were at risk, issued a warning via its Online Security blog, stating that the company believed activists were the target of the attacks. Interestingly, the post noted that users of another popular social site (possibly Facebook, which will not confirm either way) were also being targeted:
We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.
For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.
Google says that it has deployed “various server-side defences” to make the the MHTML vulnerability harder to exploit, adding that although the measures are in place, they cannot be guaranteed to be 100% reliable. With that in mind, the company is in contact with Microsoft to work on a solution for the issue.
If you are an Internet Explorer user and want to make sure you are not vulnerable to the MHTML exploit, head to Microsoft’s patch page and install the update.