
  (Source: Sydney Morning Herald)

Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others.  (Source: Tech Freep)
Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure.  When you're the top player in the browser market, like Microsoft, this problem becomes especially serious.

Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear.  Such was the case with a new flaw in Microsoft Internet Explorer, about which the company posted an advisory (97352) yesterday.

The advisory describes, "The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
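
The bug class the advisory describes (a reference that outlives its deleted object) and one common defence, shown as an added example that is not from the advisory, Microsoft or McAfee: references are kept as generation-checked handles, so a stale one resolves to NULL instead of freed memory. The element store and all names in it are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Constructed miniature of a DOM-like object store (hypothetical names). */
#define MAX_ELEMENTS 8

typedef struct { char tag[16]; } Element;

typedef struct {
    Element *obj;        /* NULL once the element has been deleted */
    uint32_t generation; /* bumped on every delete, so old handles go stale */
} Slot;

typedef struct { uint32_t index; uint32_t generation; } Handle;

static Slot slots[MAX_ELEMENTS];

/* Create an element and hand out a handle instead of a raw pointer. */
Handle element_create(const char *tag) {
    for (uint32_t i = 0; i < MAX_ELEMENTS; i++) {
        if (slots[i].obj == NULL) {
            Element *e = calloc(1, sizeof *e);
            if (e == NULL) break;
            snprintf(e->tag, sizeof e->tag, "%s", tag);
            slots[i].obj = e;
            return (Handle){ i, slots[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };  /* table full or out of memory */
}

/* Resolve a handle; NULL if the element was deleted or its slot was reused. */
Element *element_get(Handle h) {
    if (h.index >= MAX_ELEMENTS) return NULL;
    Slot *s = &slots[h.index];
    if (s->obj == NULL || s->generation != h.generation) return NULL;
    return s->obj;
}

/* Delete: free the object, clear the slot, invalidate outstanding handles. */
int element_delete(Handle h) {
    Element *e = element_get(h);
    if (e == NULL) return -1;          /* stale handle: refuse a double free */
    free(e);
    slots[h.index].obj = NULL;
    slots[h.index].generation++;
    return 0;
}

/* An event remembers its source element. Had it stored a raw Element *,
 * the lookup below would read freed (possibly reallocated) memory once
 * the element is deleted; with a handle the stale reference is detected. */
typedef struct { Handle source; } Event;

const char *event_source_tag(const Event *ev) {
    Element *e = element_get(ev->source);
    return e ? e->tag : "(gone)";
}

int main(void) {
    Event ev = { element_create("img") };
    printf("before delete: %s\n", event_source_tag(&ev));
    element_delete(ev.source);
    Handle reused = element_create("div");   /* the freed slot is recycled */
    printf("after delete:  %s\n", event_source_tag(&ev));
    printf("new element:   %s\n", event_source_tag(&(Event){ reused }));
    return 0;
}
```

The recycled slot is the important case: the old handle and the new one share an index, and only the generation check tells them apart.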

McAfee's George Kurtz was the first to post on the flaw, with a security blog yesterday afternoon.  He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google.  This was somewhat unusual, as often flaws get published with nary an "in the wild" attack, or at worst mild attacks on individual users.

In this case the flaw wasn't overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data.  Writes Dmitri Alperovitch, a vice president of research with McAfee, "We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space."

Despite the fact that Google makes its own browser (Chrome), apparently many of Google's corporate computers instead use rival Microsoft's Internet Explorer, the standard in the business world.  As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7.  This is actually quite typical -- IE 8 adoption in the business world has been a slow process -- many businesses still use IE 6, even.  The DEP protections are optional in IE 7.

In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Once the attackers execute the memory attack, they use it to download and run an executable -- a malicious trojan that allows remote access to corporate machines.  The entire set of attacks has become known as "Operation Aurora".  Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP).  Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.

Microsoft CEO Steve Ballmer apologized for the security mishap, stating, "We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don't know yet."

One bothersome detail, though, is that Microsoft apparently has known about the flaw and the existence of attacks in the wild for some time, but did not publish a security advisory until after McAfee aired the flaw.  This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).

The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least.  Reportedly 20 other major companies have since been compromised.  Currently, the only solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7.  McAfee has aired security software updates that provide partial protection against the malware associated with the attack, but it warns that current coverage is incomplete.

If there's one moral of this story, it's not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general.  As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money. 

Unlike hackers of yore that largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit.  That presents a unique challenge to firms like Microsoft.  A kid hacking into Google would be bad enough, but a savvy professional who knows how to leverage the stolen information -- that's a security nightmare.  And it's one that's quickly becoming reality, as evidenced by this most recent round of attacks.


By damianrobertjones on 1/15/2010 10:27:43 AM , Rating: 1
"As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7. "

Ummm? If you don't update, then you're not covered. Then again there's business arguments for and against that we've all heard before. A company like Google should have its 'base' computers all running with the latest updates and damn well use VMs for testing. I'm sure they have the cash!

Either way, I'm sitting here with all network pc's on XP (Going to Win7 eventually) and updated by a WSUS server.


RE: Ummm.....
By FITCamaro on 1/15/2010 10:43:40 AM , Rating: 4
It sounds like you're an IT guy so you should know a company's ability to upgrade is often limited by the other software they use. If a tool you use isn't supported in IE8 then you're stuck with IE7 until the company who makes the software updates their tool. Assuming there's still even support.

RE: Ummm.....
By Motoman on 1/15/2010 11:00:42 AM , Rating: 5
In my experience, the "compatibility view" thing in IE 8 works pretty well.

...then again, I wonder what the likelihood of a company like Google using any particular product tied to IE would be in the first place...

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By lightfoot on 1/15/2010 12:45:55 PM , Rating: 5
No, Google uses Internet Explorer because Google itself is an Internet Software Company. They are forced to use every browser on the market to test compatibility with their software. If Google, Google Apps, or Gmail did not work on Internet Explorer (or Firefox, Safari, or Opera) that would directly impact their core business.

Google has to use Internet Explorer due to the fact that some of their customers use Internet Explorer - this has nothing to do with a Microsoft monopoly.

RE: Ummm.....
By ClownPuncher on 1/15/2010 1:09:05 PM , Rating: 5
Don't even bother explaining to that guy. Your logic and reason are wasted.

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By ClownPuncher on 1/15/2010 1:30:44 PM , Rating: 5
There are many browsers people can use, Microsoft does nothing to stop you from using those.

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By ClownPuncher on 1/15/2010 1:50:38 PM , Rating: 5
Your face is made out of penis.

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By GaryJohnson on 1/15/2010 2:13:57 PM , Rating: 3
Your logic has a hole in it.

If Mozilla or Google made a better browser than IE, then they could still charge for it.

Similarly, we are giving you free advice on how not to be a loon, but you should definitely still seek professional (paid) psychiatric counsel.

There are most certainly people around who would pay for FF or Chrome in their current incarnations. Google has chosen market share over sales revenue, and Mozilla is into being a "public benefit organization".

RE: Ummm.....
By bupkus on 1/15/2010 3:50:28 PM , Rating: 4
I'm like 10 posts down and still laughing.

RE: Ummm.....
By arazok on 1/15/2010 6:44:29 PM , Rating: 5
RE: Ummm.....
By messyunkempt on 1/16/2010 1:42:27 AM , Rating: 4
You owe me a muffin. And something to wipe my screen with.

RE: Ummm.....
By NesuD on 1/15/2010 2:37:46 PM , Rating: 3
Giving away IE for free is illegal undercutting and a clear abuse of Microsoft's monopoly.

Where did you get that. Microsoft charges a healthy price for IE. The only thing that makes it worth paying is that they bundle a pretty decent free operating system with it.


RE: Ummm.....
By bupkus on 1/15/2010 3:46:44 PM , Rating: 2
That is funny!

RE: Ummm.....
By Marlonsm on 1/15/2010 3:33:34 PM , Rating: 2
Right, they should force people to pay for their browsers, just like they pay for Firefox, Chrome, Opera...

Wait a min...

RE: Ummm.....
By themaster08 on 1/15/2010 7:17:21 PM , Rating: 3
Giving away IE for free is illegal undercutting and a clear abuse of Microsoft's monopoly.

It's clear that yellow tinted screen has blurred your perception of reality.

Giving away IE for free is illegal

Would you care to provide proof of this? Is giving away Safari for free also illegal?

RE: Ummm.....
By damianrobertjones on 1/15/2010 7:26:16 PM , Rating: 2
What century was that again?

These are new times.

RE: Ummm.....
By Camikazi on 1/15/2010 2:23:16 PM , Rating: 2
Yes you are right, MS FORCED me to use IE :( o wait, I'm on Windows and using Firefox!
MS customers are not forced to use IE, they choose to or do not know of other choices (doubtful since most sites have Firefox or Chrome icons all over). IE is just the default and most people just stick with the default for fear of breaking things or having no knowledge of others.

RE: Ummm.....
By mindless1 on 1/15/2010 9:06:43 PM , Rating: 1
Yes people are too lazy and uninformed to switch from the default installed browser in most cases, but that does lead back to the original statement by reader1 that it's due to their monopoly.

For example, if Linux had been the majority OS and had Firefox installed by default, and of course not having IE installed, wouldn't it be Firefox we'd assume to be the majority browser too?

Let's think on this a minute, who would've stuck it through IE 4, 5, and 6? There'd be few and far between users who went on to use 7 and 8 even though they are decidedly better than 4, 5, and 6.

RE: Ummm.....
By drycrust3 on 1/15/2010 4:44:58 PM , Rating: 2
I disagree. Yes, there probably are people in the company who HAVE to have IE 6 or 7, but the majority of the people should be using Chrome because that is one of their major products. That is one of the easiest ways for the "Chrome" department to know if there are problems or improvements to be made. If a person finds an incompatibility and changes to IE does the problem get fixed? No, it remains unfixed. Conversely, a phone call to the Chrome department may be all that is needed to fix the problem.
Indeed, it is disconcerting to realise that while on the one hand Google is planning to release its own operating system, which is based upon Linux, they actually prefer their main competitor's software. It is hard for us to know for certain, but surely that must affect some of their business decisions.
My guess is the majority of the work they do could be done using Ubuntu and Openoffice and Chrome. After all, the system they will be selling will be based upon Ubuntu, Chrome, and Google Docs.

RE: Ummm.....
By mostyle on 2/3/2010 7:43:58 AM , Rating: 1
Google is forced to use Microsoft's products

Yea, sure.. Forced if they want to ensure compatibility between themselves and third party vendors which inevitably addresses their productivity and bottom line.. I guess in that logic Mozilla and others force them as well. Forced? Bah, semantics..

RE: Ummm.....
By nafhan on 1/15/2010 1:18:06 PM , Rating: 2
It's been fine in my experience, too. However, first time I had to call the corporate help desk after installing IE8 they were all "Whoa, whoa, no wonder you are having trouble! We don't support IE8." This is regardless of the fact that it was not a browser/web problem. So, I had to revert to IE7 and show them the problem was still there before they'd even help me.
I'd be willing to bet that's fairly typical of other large corporations as well.

RE: Ummm.....
By AstroCreep on 1/15/2010 4:32:00 PM , Rating: 2
Compatibility View is fine & dandy if the sites display properly in IE7, but as is the case with my business, there are still quite a few web-based resources that were written with older versions of FrontPage and/or Office that don't work properly in anything higher than IE6.

Unfortunately we're at a bit of a stand-still on updating IE because one of the sites our core business utilizes is still in the "Process" of updating their site, but until then the forms (data entry system) don't even appear.

RE: Ummm.....
By sxr7171 on 1/16/2010 6:36:40 AM , Rating: 2
Yeah pretty darn surprising.

RE: Ummm.....
By MarcLeFou on 1/15/2010 12:20:14 PM , Rating: 2
The only reason I see for not upgrading to IE8 is a company is using old, unsupported OS'es (and hardware) or custom plugins not compatible with the new versions.

IE7 caused us quite a few headaches with our customer systems so an overall switch to 7 was never rolled out but IE8's compatibility view has solved all of those issues for us.

Since some websites only work with IE and IE6 is really problematic from a security standpoint, we've moved all our Windows boxes to IE8 in the last few months and its been going extremely well after people got used to the change in UI (and even then, that part was much easier than some other transitions we've been through).

RE: Ummm.....
By MarcLeFou on 1/15/2010 12:23:42 PM , Rating: 2
Sheesh. I even proofread this to make sure there were no errors. I seem to have both eyes in the same socket today.

... upgrading to IE8 is if a company ...

... a few headaches with our custom systems ...

RE: Ummm.....
By jonmcc33 on 1/15/2010 12:29:30 PM , Rating: 1
It's okay. You are safe from the anal retentive grammar troll.

RE: Ummm.....
By jonmcc33 on 1/15/2010 12:28:41 PM , Rating: 2
I agree. We're just moving everyone to IE7 now. Can't move to IE8 because our lame BMC Service Desk Express doesn't work properly with IE8. People running Windows 7 are forced to use XP Mode to use SDE.

RE: Ummm.....
By damianrobertjones on 1/15/2010 7:25:14 PM , Rating: 2
"Then again there's business arguments for and against that we've all heard before."

Yeah, I know, but I'd honestly say that a lot of it is due to being .... Lazy.

RE: Ummm.....
By mindless1 on 1/15/2010 9:19:42 PM , Rating: 2
... but that's a pretty self-serving assessment.

Is everyone "lazy" for not being as "secure" as possible by studying martial arts and self defense so they can be as secure as possible in their daily lives?

Is everyone "lazy" for not religiously waxing their car?

Is everyone lazy for not eating only the most healthy of foods?

Not really, they take what steps they consider adequate at the time, there is not an infinite amount of time, money or resources to suit everyone's idea of the ideal (everything, everywhere, every time).

... or to put it another way, those who were security savvy long ago took steps to implement a security plan that worked for their company, they were not longing for IE8 and cursing each day, because they found a solution that worked for them.

Google's fault? It's not which IE version, it's any and all software that is not assessed and secured. The same goes for IE8, you can't just do "anything at all" you want to do just because you're running IE8, and the same will be true for IE9, and certainly Firefox et al too.

RE: Ummm.....
By Motoman on 1/15/2010 10:45:28 AM , Rating: 2
I don't think you need WSUS - I think if you just used automatic updates, this would have been taken care of a long time ago.

While it's embarrassing for MS, I feel like it's more embarrassing for Google. Firstly, that their own employees use their hated rival's browser instead of their own, and secondly that they apparently aren't capable of enforcing a reasonable update program on their PCs.

RE: Ummm.....
By FITCamaro on 1/15/2010 10:57:36 AM , Rating: 2
I doubt there's very many large corporations who've already upgraded to IE8.

Still on 7 here.

RE: Ummm.....
By Motoman on 1/15/2010 11:01:54 AM , Rating: 2
Yeah, I hear you.

Since I don't have any IE6/7 boxes laying around, was this DEP feature available there...and just not turned on?

RE: Ummm.....
By InsaneScientist on 1/15/2010 2:09:50 PM , Rating: 2
It was there for IE7, but not IE6.

I thought XPSP2 and up had system wide DEP running, though...

RE: Ummm.....
By GaryJohnson on 1/15/2010 2:22:07 PM , Rating: 2
It has DEP on for "essential windows programs and services" which apparently doesn't include IE7; it has its own DEP in the form of an "enable memory protection to help mitigate online attacks" checkbox under the advanced tab in internet options.

RE: Ummm.....
By piroroadkill on 1/18/2010 10:32:07 AM , Rating: 1
By default, DEP is set to OPT-IN, whereby apps (the majority of the time, Windows system components) opt to have DEP enabled for their component. Yeah, which is fucking shit. Same behaviour by default in Windows 7 iirc; however, you can change this to OPT-OUT, whereby all processes get DEP enabled, and you only set processes which have issues with DEP in the exclusion list, which should be the default mode, really

RE: Ummm.....
By bupkus on 1/15/2010 3:57:59 PM , Rating: 2
Ok, but aren't these older versions of IE just used for intranets? Can't they also have IE8 for those for who need to venture outside to the internet?
I'm thinking that couldn't their IT program a router or firewall test that won't allow unprotected versions of IE to pass outside...
Perhaps I just don't get it. The servers exposed to the internet are vulnerable because they allow a misbehaving browser to make requests... shouldn't this be a browser issue?
Help me understand wtf and wheretf this vulnerability happens.

RE: Ummm.....
By bupkus on 1/15/2010 4:00:10 PM , Rating: 2
Correction: ... shouldn't this be a server issue?

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By FITCamaro on 1/15/2010 11:53:12 AM , Rating: 4
Yeah pushing out a windows update is real f*cking hard. I mean do you try to be this stupid?

And if you don't want to do that there are software products out there that streamline pushing updates to large numbers of PCs.

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By Motoman on 1/15/2010 12:11:45 PM , Rating: 3

This asshat's rating is at 0.09! That's got to be a record, right? Is anyone keeping score - so we can determine who the stupidest person on the planet is? Because this clown has got to be right up there.

0.09 - now THAT is an impressive achievement. Seems like it would take an entire village of idiots to rack up a score like that.

RE: Ummm.....
By StevoLincolnite on 1/15/2010 12:16:52 PM , Rating: 2
Seems like it would take an entire village of idiots to rack up a score like that.

Don't insult the village idiots! Sheesh.. They would be like Einstein compared to him!

RE: Ummm.....
By geddarkstorm on 1/15/2010 12:30:50 PM , Rating: 2
He's 0.10 now. I think his skills are slipping.

RE: Ummm.....
By weskurtz0081 on 1/15/2010 2:42:23 PM , Rating: 2
No, he is down to .08 now, he's doing just fine!

RE: Ummm.....
By chagrinnin on 1/15/2010 4:43:19 PM , Rating: 2
Seems like it would take an entire village of idiots to rack up a score like that.

Their IBurst tower has been turned off. :P

RE: Ummm.....
By themaster08 on 1/15/10, Rating: 0
RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By themaster08 on 1/16/2010 5:33:12 AM , Rating: 3
Sure, only a moron would support a platform with an excess of over half a billion users.

Only a moron would dedicate his life supporting Apple and their communist, closed platform and arrogant, self-righteous business practices.

Apple zealots are the Jehovah's Witnesses of the computer world. Preaching self-righteousness, mocking others, pumping ludicrous amounts of money into your church. Everything fits.

RE: Ummm.....
By damianrobertjones on 1/15/10, Rating: 0
RE: Ummm.....
By mindless1 on 1/15/2010 9:28:49 PM , Rating: 1
While I don't go along with a lot of the stretches reader1 makes, the initial idea that a lot of companies do not want these automatic updates is true.

Absolutely NO NO NO! It would be really dumb to let client systems update before the update is tested and reports of problems in the wild are sought.

Yes roll out the updates but above all else it is more important to not introduce any problems rather than having downtime from some bug that wasn't found until millions of people started applying it to the myriad number of system configs possible.

Now I'd like a show of hands, how many of the DT readers were routinely infected from using IE7, let alone 6? If they were insecure, and yet at the time of their release the DT (I mean Anandtech readers at that time) population was saying the same thing "oh use this new version it is secure you simply must or the world will implode", and yet now history shows they were wrong.

What was the solution? It was not just jumping onto the latest IE and patching it, absolutely not because as we all see no matter how many patches you apply, there's still another several coming, there was always not only many many possible exploits, but it was the primary target browser all along.

No, updates are not a solution and it is a waste of time to talk about them. Training users, blocking malicious 'sites, disabling inherently insecure features, locking down user access to domain resources, these are the start to security.

Now fast forward to the next IE version, everyone will claim oh it's great and IE8 should be abandoned, never mind if you are more or less secure then than now.

The ironic part is we might actually be more secure running IE4 right now, who is developing new exploits for THAT?

RE: Ummm.....
By damianrobertjones on 1/15/2010 7:31:44 PM , Rating: 2
Hold on a minute... using Automatic updates on more than 10 computers, or 20, 30, 40... it literally zaps your bandwidth dry.

Imagine on update Thursday ALL 500+ computers started downloading updates etc. Even staggered, it's NOT the way to do it, even in a company with 30 PCs. WSUS all the way. It's so silly easy to set up that it hurts.

There are a lot of techs out there that don't even KNOW that WSUS exists! (Starts to cry)

RE: Ummm.....
By danostrowski on 1/15/10, Rating: -1