So it seems that an Internet Explorer zero day vulnerability allowed the back door to be opened that resulted in the hack attack on Google and many others that has received such publicity this week.
According to McAfee it has identified an Internet Explorer vulnerability as being one of the attack vectors but the security vendor also warns that targeted attacks such as this often use "a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios" so it is possible, likely even, that other as yet unidentified attack vectors were also involved. However, McAfee dismisses some early reports which claimed that an Adobe Reader PDF vulnerability was a factor, stating that there is simply no evidence to suggest this to be the case.
Worryingly though, McAfee does insist that while "this attack is especially deadly on older systems that are running XP and Internet Explorer 6" and this was the focus of these recent attacks, Internet Explorer does remain "vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7". McAfee says that new versions of Windows simply make exploiting the vulnerability harder, not impossible.
It becomes even more worrying when you appreciate that the code used in the Google attack to exploit the as yet unpatched vulnerability has now been published on the web for anyone to grab and make use of. Unlike some other news publications, DaniWeb will not be making things easier yet by linking to the website concerned.