Last week, we wrote to you about the security warning notification system that Google launched for Gmail to alert users to possible state-sponsored attacks. It appears that some attacks were delivered via vulnerabilities in Microsoft’s Internet Explorer browser. ZDNet, citing an unnamed source, reported that the IE vulnerability was the driving force behind Google’s decision to begin warning Gmail users about state-sponsored attacks. Meanwhile, Microsoft thanked Google yesterday for working on the reported MSXML Uninitialized Memory Corruption Vulnerability.
In its Security Advisory, Microsoft said that it is aware of active attacks that leverage vulnerabilities in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. Microsoft explained that the vulnerability could allow remote code execution if a user views a specially crafted web page using Internet Explorer. “An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website,” it added.
The vulnerability currently affects Microsoft Windows, as well as Microsoft Office 2003 and Microsoft Office 2007. CNET also reported on the issue today, saying that a Google spokesperson informed them that the security warnings in Gmail are not tied to any specific attack, but are part of a response to a larger class of attacks. Judging from that statement, it seems that the reported attacks via Microsoft’s Internet Explorer are just one of the many attacks used in Gmail. Nevertheless, Microsoft released a patch yesterday for some vulnerabilities in Internet Explorer.