Microsoft has known of the Internet Explorer flaw used in attacks against Google and Adobe since September last year, according to insecurity experts at Kaspersky Labs.
The flaw was to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against US companies in China forced Microsoft to release an emergency IE update yesterday.
The vulnerability can also be exploited by embedding an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file, not just through IE, so readers using any of this Voleware should download the critical MS10-002 bulletin.
The vulnerability was reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli company. Microsoft confirmed the severity of the flaw in September and was apparently planning to ship a fix in next month's cumulative IE update.
A naughty attacker could build a specially-crafted Web page to gain the same user rights as any surfer landing on the page. If the user logged on with administrative user rights, the notional attacker could take complete control of an affected system and install programs, view, change, or delete data, or create new accounts with full user permissions, Kaspersky said.
The IE update applies to all versions of the browser on all Windows versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.
Other holes in IE have been flapping open for years.