Microsoft Confirms IE Fault in Google China Hack

On Thursday, security firm McAfee said that Operation Aurora, the attack that hit Google and multiple companies early in the week, was the result of a new, "not publicly known" vulnerability found in Microsoft's web browser, Internet Explorer.

Microsoft quickly admitted the flaw in TechNet blog post. Mike Reavey, director of Microsoft's security response team, wrote, "Based on our investigations into these attacks, as well as the investigations of others, we recently became aware that a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies."

"Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity," Reavey continued. "We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation."

In response, Microsoft has published a security advisory that advises users to turn up the security settings in their Internet Explorer software until a further update can be issued.

"Our teams are currently working to develop an update and we will take appropriate actions to protect our customers," Reavey added. The post pointed out that Microsoft has no indication that the company's corporate network or mail properties were attacked as part of the recent attacks.

Marcus Yam
Marcus Yam served as Tom's Hardware News Director during 2008-2014. He entered tech media in the late 90s and fondly remembers the days when an overclocked Celeron 300A and Voodoo2 SLI comprised a gaming rig with the ultimate street cred.
  • botabota
    Thats why we have firefox
  • Hanin33
    anyone surprised?
  • 4trees
    Using Google Chrome :)
  • buckinbottoms
    Actually, it is still googles fault. The fix was available and has been available since IE7. Its called DEP. Google was either using IE6 which does not have the feature, or IE7 and did not enable DEP, or was using IE8 and manually turned the feature off since it is active by default.
  • gzhang
    From MS security Advisory (provided above), it doesn't look like DEP can prevent this attack. Most likely the pointer can be used to alter the execution path, not a stack overflew bug.
  • sublifer

    Come on people! Vote for Change!
  • flyinfinni
    Doesn't sound like it was a known problem with a fix already available to me or Microsoft would not have admitted any part of the blame.
  • war2k9
    As I remember some online saying ie8 is the safest web browser out there.
    can we still trust ms ie8?
  • CrashOverride90
    lol exactly the reason why i always use firefox with two top-notch security plugins (Adblock plus and noscript).
  • STravis
    And this is why we don't trust MS software (no matter how much MS tries to convince us they care about security)..