A critical zero-day vulnerability in Microsoft's Internet Explorer browser was apparently "one of the vectors" used in targeted and sophisticated attacks against Google and other corporate networks. Microsoft admitted to the flaw in a recent security advisory
shortly after McAfee first made it public
, explaining that under certain conditions an invalid pointer reference within IE can be exploited to allow remote code execution.
Google claims it has evidence that the attacks originated from mainland China, possibly with involvement of the government, and says the attacks resulted in the theft of intellectual property
. Adobe confirmed its network was also breached in the same attacks but did not provide any details on what was stolen. As with many targeted attacks, the intruders apparently gained access by targeting a few handpicked individuals within the company, tricking them into clicking a seemingly legitimate link or file, perhaps through some social engineering scheme.
Microsoft said it is developing a fix but it's not clear when it will be ready -- their next set of security updates part of the monthly "Patch Tuesday" cycle should take place on February 9. The critical flaw affects almost all of Microsoft's most recent Internet Explorer releases, including IE 6, IE 7 and IE 8, but so far security researchers have only seen the attacks on Google exploiting IE 6 on a Windows XP machine.
Until a patch is released, Microsoft advises users to keep Windows 7 and Vista on the most secure "protected mode" setting, and setting IE's Internet zone security to high. Or you could just switch to an alternate browser.