Browser flaw tied to attack on Google

Written by John P Mello Jr on January 21, 2010

A zero-day bug in Microsoft Internet Explorer was a key element in an attack on Google and other companies last week. The attack, designed to ransack the Gmail of some Chinese human-rights activists, managed to clip some of the Search King’s intellectual property in the process.

“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google,” Google said in a statement issued last week. “However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.”

“As part of our investigation we have discovered that at least 20 other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted,” Google added.

The attack illustrates that even the Google elite can be duped by a social engineering ploy wrapped in an email message. According to security experts, the email messages used by the attackers were targeted at specific Google employees likely to have access to valuable proprietary information on their company’s servers. The messages were carefully disguised to look as if they originated with sources the employees would trust.

Since the messages appeared to come from a trusted source, the Googlites didn’t hesitate in clicking links in the electronic epistles. Once that was done, the story took a familiar turn. The links resulted in malware being downloaded to the employees’ computers. The malware exploited an unknown vulnerability in Internet Explorer and opened a back door on the compromised machines. The back door let the crackers snoop around the wounded computers and gain control over their operation, using them to identify meaty targets and bleed valuable data from them.

In a security advisory posted to the Web following reports of the attack, Microsoft characterized the vulnerability as “an invalid pointer reference within Internet Explorer.”

“It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted,” it explained. “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

In order to exploit the flaw in the browser, though, a cybernaut must be lured to an infected Web site. “In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability,” the advisory stated.

“In addition,” it continued, “compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”

“In all cases, however, an attacker would have no way to force users to visit these Web sites,” it maintained. “Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s Web site.”

If users want to reduce the risk of being victimized by the zero-day vulnerability, Microsoft noted in a subsequent posting, they should avoid using version six of Internet Explorer and upgrade to another version. It also recommended that users of Windows XP upgrade to a newer version of Windows. Maybe Windows 7, which was just released by the company?

Meanwhile, as part of the fallout at Google over the attack, the company decided to get tough with China.

“These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the Web–have led us to conclude that we should review the feasibility of our business operations in China,” Google stated. “We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

“We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China,” it added.

Google’s threat to leave China has been hailed as a bold move to bolster human rights, and there is no reason to doubt that the concern has its heart in the right place. However, there’s a subtext in the message, whether intentional or not, that Google is serious about security. That message isn’t for the Chinese. It’s for Google’s current and future corporate clients who are or will be buying “cloud” services from the company, which in the long run may even eclipse advertising as a revenue stream for the corporation.
