This vulnerability exists in versions 3, 4, 5, and 6 of the XML Core Services. The way it works is that an attacker can poison a website (or more likely create one) with code that will cause the XML Core services to attempt to parse then without the object being initialized. This will corrupt the memory and allow the execution of malicious code. To get the unsuspecting user to go to the site the attackers would go on a little phishing trip and try to entice them with links via email or a messaging service.
The vulnerability was found by Google who said that it was being used in combination with IE for targeted attacks. Because Google found it and there is buzz on Twitter and a few other message boards some are calming that this is all a state-sponsored attack against Gmail users. The rumors stem from the fact that Google said they would put up warnings if they suspected state-sponsored attacks on people’s Gmail accounts. Now, we agree that Google is a legitimate target (for anyone really) and they should post warnings of some sort if they suspect malicious activity, but seriously… if you have sensitive information on Gmail you need to really rethink things here. So while all of the talk about Flame, Stuxnet and Duqu bring the specter of state-sponsored cyber-attacks into reality it is highly unlikely that they are being used to get into personal Gmail accounts.
On second thought, there are a large number of people and corporations that have put their full trust in Google’s cloud. This includes the City of Los Angeles and others. So while we might not be seeing an attack on the general Gmail service we could be seeing a coordinated attack on the paid Gmail + Google Docs servers that Google is running. Although the vulnerability was reported to Microsoft on the 12th of June there is no patch available, but there is a “Fix-It” page that will apply a quick fix to compensate for the issue.
Right now we would suggest heading over and grabbing this one at least until a more formal patch is out. As for the possibility that Google is a target for an attack, that one is probably true on most days of the week.
Discuss this in our Forum