Microsoft Ships Patch for Chinese Google Hack

Microsoft shipped an out-of-band patch Thursday to fix a zero-day vulnerability that the company hadn't been aware of until it was used to hack Google China sites.

The patch comes in the form of a cumulative update for virtually all versions of Internet Explorer, Microsoft (NASDAQ: MSFT) said in a statement Wednesday.

The rare "out-of-band" patch -- so named because Microsoft did not issue it during one of its monthly Patch Tuesday update roundups -- tackles a previously unknown zero-day bug that became one of the main avenues of penetration used in a spate of hacker attacks on Google (NASDAQ: GOOG) China's Web sites.

Search giant Google revealed the attacks last week when it said it is considering pulling out of the People's Republic over issues of censorship and cybersecurity.

Additionally, the cumulative update -- which means that it includes all other bug fixes up to this point -- also addresses seven other critical bugs in IE. All of the fixes encompassed by the patch are rated "critical" for all supported versions of IE running on all but two of the company's supported operating systems.

Those two, Windows Server 2003 for x64 with Service Pack 2 (SP2) and Server 2003 with SP2 for Itanium systems, are rated "moderate" -- only one step up from "low," the bottom tier of Microsoft's four-tiered severity ranking system.

The vulnerabilities fixed by the patch are all related to how IE handles ActiveX controls and Active Scripting.

Those seven bugs had apparently been planned for release on the next "Patch Tuesday," which is scheduled for Feb. 9. Microsoft's previous Patch Tuesday drop came on Jan. 12, and fixed a single vulnerability.

Impact on IE usage

Although the attacks in the wild constituted serious breaches of security for Google sites and for perhaps as many as 20 other corporate sites, both Microsoft and some of its security partners underlined that only one version -- the aging IE6 -- has been exploited in the attempted break-ins.

"The only in the wild exploit code for this vulnerability detected thus far is confirmed to affect just Internet Explorer 6," Joshua Talbot, security intelligence manager at Symantec Security Response, said in an e-mail to InternetNews.com.

In a separate e-mail to InternetNews.com, a Microsoft spokesperson confirmed that it is seeing "limited and targeted attacks against Internet Explorer 6 only."

The incident is likely to help drive upgrades among users who have stayed with IE6, despite the fact that it's years out of date. The latest release is IE8, which shipped last March.

One of the driving forces behind Microsoft's quick response to the Google hack -- which security experts named "Hydraq" -- has been pressure from some European nations to switch to a non-Microsoft browser to avoid any potential attacks.

"Microsoft has no choice but to release an out-of-band patch for this; with France and Germany having issued notices warning people of the perils of using Microsoft's Internet Explorer, the exploit's role in compromising Microsoft's 'arch rival' Google, among others, and widespread press coverage, Microsoft found itself in a precarious position," Josh Phillips, a virus researcher at security firm Kaspersky Lab, said in an e-mail to InternetNews.com.

In fact, at least one alternative browser maker reports that downloads of its software jumped in the attacks' aftermath.

"Downloads for Opera's desktop browser in some of these regions have grown substantially. For example, in Germany, Opera's downloads doubled after the warnings were issued by the government and in Australia, downloads went up 37 percent," a spokesperson for Norway-based Opera Software said in a statement.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals.