Microsoft warned today that hackers have published instructions for attacking a previously unknown security hole in all versions of Windows that could be exploited to siphon user data or trick users into installing malicious code.

Redmond published an advisory about a vulnerability in the way Windows handles MHTML code that could let attackers run Javascript code if the user is browsing a malicious site using Internet Explorer. As Wolfgang Kandek, chief technology officer at Qualys notes, that means that IE is the only known exploit vehicle for this flaw, and that other browsers such as Firefox and Chrome are not affected in their default configuration because they don’t support MHTML without the installation of specific add-ons.

Microsoft said it may issue a patch to fix the flaw, but that in the meantime IE users who are concerned about this threat can use a supplied “FixIt” tool to help shore up the way Windows handles MHTML documents. The enable that fix, visit this link and click the FixIt icon.

Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.

The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft‘s Internet Explorer Web browser, anti-virus vendor McAfee said today.

McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.

George Kurtz, McAfee’s chief technology officer, said the IE vulnerability was just one of several previously unknown software flaws that were leveraged in the targeted attacks, which security experts at iDefense have said affected at least 33 different companies.

“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios,” Kurtz wrote in a posting to the company’s Security Insights Blog. “So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.”

Several sources, including McAfee, now say Microsoft plans to release more information later today about the vulnerability. A spokeswoman for Microsoft would not confirm that claim, saying only that “Microsoft is investigating these reports and will provide more information when it is available.”

UPDATE, 5:25 p.m: Microsoft has issued an advisory confirming the existence of a previously unknown vulnerability in all supported versions of IE on pretty much every supported version of Windows. The MS advisory is here.

Original post:

In related news, names of additional victims of this targeted attack, which appears to have targeted trade secrets and source code, are starting to trickle out. The Washington Post is reporting that list includes Yahoo, Symantec, Northrop Grumman and Dow Chemical. A source told me that router maker Juniper Systems Inc. also may have been victimized, although I am still trying to confirm that claim.

Update, 10:34 p.m: Juniper issued the following statement about claims that it, too, was one of the nearly three dozen companies hit by targeted attacks: ” Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. As with any investigation of this nature, Juniper does not disclose details.”