IE Hole Enables "Most Sophisticated" Attacks Yet

The latest critical vulnerability in Microsoft's Internet Explorer, tagged as the key vector in a series of corporate attacks over the past three weeks, is being exploited in what one security expert calls "the most sophisticated" attacks ever committed against commercial targets.The widespread IE browser vulnerability -- it affects IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 -- has been identified as the zero-day entry-point for attacks against Google, among dozens of other corporate networks.

The attacks, dubbed Operation Aurora by McAfee, display characteristics more typical of government intrusion attempts than financial scams, and represent a new and world-changing threat model,, according to some observers.

Certainly the target differs from credit card and other financial information. The Chinese hackers evidently behind the attacks were going after intellectual property at the targeted companies.

Microsoft's Mike Reavey noted in a blog that "specific corporate networks are becoming more prevalent in the threat landscape."

In a security advisory, Microsoft stated that the attacks detected so far have been directed at IE 6, nor have they received reports of more general attacks against their customer.

Which should be of small comfort. A new wave of sophisticated, targeted attacks is unlikely to be halted by the identification -- and one hopes rapid patching -- of a specific vulnerability.

Rather, it appears that the New Year is already bringing with it a look at the next new thing in attacks, attack strategies and targets.

Welcome to the future.