
Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others.  (Source: Tech Freep)
Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure.  When you're the top player in the browser market, like Microsoft, this problem becomes especially serious.

Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear.  Such was the case with a new flaw in Microsoft Internet Explorer, about which the company posted an advisory (97352) yesterday.

The advisory describes, "The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."
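To make the advisory's "pointer accessed after an object is deleted" concrete, the following added C example (not code from Microsoft, McAfee or this article) shows one common defense: every holder of a pointer takes a counted reference, so deleting the object in one place cannot leave another holder with a stale address. The `Element` and `Event` types and all function names are hypothetical stand-ins, not Internet Explorer's real structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a page element and an event that refers to it. */
typedef struct Element { int refcount; char tag[16]; } Element;
typedef struct Event { Element *src; } Event;

static int live_elements = 0;   /* allocations not yet freed */

Element *element_new(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->refcount = 1;                          /* the creator's reference */
    strncpy(e->tag, tag, sizeof e->tag - 1);  /* calloc left the NUL in place */
    live_elements++;
    return e;
}

/* Drop one reference and clear the caller's pointer so it cannot dangle. */
void element_release(Element **pe) {
    if (!pe || !*pe) return;
    if (--(*pe)->refcount == 0) { free(*pe); live_elements--; }
    *pe = NULL;
}

/* Flawed pattern: "ev->src = e;" alone. When the owner later frees e,
 * ev->src still holds the old address. Here the event takes its own reference. */
void event_bind(Event *ev, Element *e) { e->refcount++; ev->src = e; }

void event_clear(Event *ev) { element_release(&ev->src); }

/* Length of the source element's tag, or -1 when the event has no source. */
int event_src_tag_len(const Event *ev) {
    return ev->src ? (int)strlen(ev->src->tag) : -1;
}

/* The owner deletes the element while an event still refers to it. */
int demo(void) {
    Element *img = element_new("img");
    if (!img) return -2;
    Event ev = { NULL };
    event_bind(&ev, img);
    element_release(&img);             /* owner's delete; img is now NULL */
    int len = event_src_tag_len(&ev);  /* safe: the event kept it alive */
    event_clear(&ev);                  /* last reference gone, memory freed */
    return len;
}

int main(void) { printf("tag length via event: %d\n", demo()); return 0; }
```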

McAfee's George Kurtz was the first to post on the flaw, with a security blog post yesterday afternoon.  He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google.  This was somewhat unusual, as often flaws get published with nary an "in the wild" attack, or at worst mild attacks on individual users.

In this case the flaw wasn't overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data.  Writes Dmitri Alperovitch, a vice president of research with McAfee, "We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space."

Despite the fact that Google makes its own browser (Chrome), apparently many of Google's corporate computers instead use rival Microsoft's Internet Explorer, the standard in the business world.  As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7.  This is actually quite typical -- IE 8 adoption in the business world has been a slow process -- many businesses still use IE 6, even.  The DEP protections are optional in IE 7.

In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Once the attackers execute the memory attack, they use it to download and run an executable -- a malicious trojan that allows remote access to corporate machines.  The entire set of attacks has become known as "Operation Aurora".  Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP).  Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.

Microsoft CEO Steve Ballmer apologized for the security mishap, stating, "We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don't know yet."

One bothersome detail, though, is that Microsoft apparently has known about the flaw and existence of attacks in the wild for some time, but did not publish a security advisory until after McAfee aired the flaw.  This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).

The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least.  Reportedly 20 other major companies have since been compromised.  Currently, the only solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7.  McAfee has aired security software updates that provide partial protection against the malware associated with the attack, but it warns that current coverage is incomplete.

If there's one moral of this story, it's not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general.  As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money. 

Unlike hackers of yore that largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit.  That presents a unique challenge to firms like Microsoft.  A kid hacking into Google would be bad enough, but a savvy professional who knows how to leverage the stolen information -- that's a security nightmare.  And it's one that's quickly becoming reality, as evidenced by this most recent round of attacks.

Comments

Are you serious?
By Candide08 on 1/15/2010 10:30:37 AM , Rating: -1
"Microsoft typically has a pretty good security track record"

Compared to what, a PC with the password on a post-it?

RE: Are you serious?
By JasonMick on 1/15/2010 10:46:37 AM , Rating: 4
Actually they do. Despite what Apple would have you believe, considering Microsoft's volume of users (over a billion PCs, hundreds of millions of Internet Explorer users) their security track record is pretty good.

Let me know if you find someone with comparable marketshare who you can hold up as having superior security and I'll give you a cookie.

Hint: Adobe and Mozilla software gets exploited all the time. ;)

RE: Are you serious?
By reader1 on 1/15/10, Rating: -1
RE: Are you serious?
By ertomas on 1/15/2010 1:28:29 PM , Rating: 2
I can't believe this guy...

He's like Venezuela's Chavez supporters.

The SOB has even led us to an electric crisis and people still stand up to him!

RE: Are you serious?
By themaster08 on 1/15/2010 7:26:19 PM , Rating: 2
Of course they do, they're Windows programs.

So I guess that this is a Windows program too, huh?

RE: Are you serious?
By themaster08 on 1/15/2010 7:37:13 PM , Rating: 2
I notice that you seem to remain quiet when Apple has yellow screen issues, arrogantly repairing them for them to return to their customers with further problems. I guess that's Microsoft's fault too, huh?

However, as soon as Microsoft has an issue with old software, which it apologises for, and endeavours to fix, you can't wait to regurgitate the same old BS we've heard a thousand times before.

If you have nothing new to say, please, say nothing at all.

RE: Are you serious?
By Motoman on 1/15/2010 11:33:46 AM , Rating: 2
Another hint:

Apple's "security" is a result of their failure to capture a significant portion of the market. Hence, it's not worth a malware-writer's time to make attacks on it. Success by failure - very few companies can pull that off (other than Apple, maybe Bose and Monster Cable).

RE: Are you serious?
By danostrowski on 1/15/10, Rating: -1
RE: Are you serious?
By Motoman on 1/15/2010 12:00:01 PM , Rating: 2
Using that logic, one would have to cite the existence of police forces as a detriment to the track record of democracies.

And while I love your advertising of your ignorance with your opening statement, the better way to look at it is that it's quite commendable that MS does as much as it does to keep billions of PCs worldwide secure.

As for the monopoly - yes, Windows is a monopoly, because it's not viable for the vast majority of consumers in the world to use Apples or Linux. The fact of the matter is that now, Apple has somewhere around 4% of the market according to recent internet log reporting as shown here on DT recently. It would really be nice if we could stop pretending that 4% of the market has any significance.

RE: Are you serious?
By StevoLincolnite on 1/15/2010 12:22:46 PM , Rating: 2
While that's partially true, security has been a complete afterthought for Microsoft until very recently. Also, if you're going to credit Apple's small market share (aka Microsoft's monopoly gained by proprietary lock-in) with the lack of viruses it experiences, you must also mention the entire microcosm of software that has evolved specifically for securing Windows as a detriment for MS' track record.

Wait... are you complaining that Microsoft is too proprietary? Have you looked at Apple? I mean seriously? They won't even give consumers easy access to replace batteries for crying out loud!

RE: Are you serious?
By jak3676 on 1/15/2010 12:21:25 PM , Rating: 3
I don't think my Monster Cable powered Bose system has ever been exploited.

RE: Are you serious?
By lightfoot on 1/15/2010 1:01:56 PM , Rating: 2
But both Monster Cable and Bose sell sub-par products at premium prices... The example of success through failure.

I would argue, however, that despite their products' failure, their marketing success is nearly unrivaled.

RE: Are you serious?
By eddieroolz on 1/15/2010 1:08:12 PM , Rating: 2
Hell, if we can make a coat hanger disguised as Monster Cable we'll be rich in no time!

RE: Are you serious?
By mindless1 on 1/15/2010 10:19:42 PM , Rating: 2
You have it backwards. You suggest that somehow considering their marketshare we should consider them more secure, when it is quite the opposite.

Considering their marketshare they have far more opportunities to uncover the bugs, far more income to fix them, and far more people reporting the bugs so they don't even have to find many themselves.

I won't even go into the base fact that security is about vulnerability, that merely having that marketshare makes them less secure even if they had the exact same # and type of bugs as a competitor.

Further, the article you linked to as some kind of proof was quite frequently opposed in the comments, was nothing more than a misguided study turned into a fluff piece.

Hint: The vast majority using Mozilla Firefox are far more secure than IE users. ;) ;)

Make any excuse you like, it's plainly obvious. We could argue about whether it's due to add-ons, but in the end we are talking about security not twisted stats that ignore the real uses of either browser.

To put it another way, even though IE still has majority marketshare, Firefox has a large number of users as well. How many viri have you seen circulating due to Firefox exploits? We'll wait while you dig up some cold hard facts on that.

A marketing concept != reality. The proof is in the news year after year.

RE: Are you serious?
By FITCamaro on 1/15/2010 10:47:33 AM , Rating: 2
Let's see you create the most used software in the world, and thus the most attacked, and there not be any security holes.

For what it does, Microsoft does a pretty good job with security.

RE: Are you serious?
By rudolphna on 1/15/2010 10:46:28 AM , Rating: 2
When you have an OS on as many systems as Windows is, it becomes impossible to protect against every threat. Hackers are a very resourceful and smart bunch, who could find microscopic cracks in a rock from space. Microsoft generally seems to do fairly well keeping bugs and security holes patched. It is impossible to be 100% secure, even for a lesser used system like Linux, but Windows is massive and catering to a wide variety of uses, therefore this kind of thing will happen.

RE: Are you serious?
By damianrobertjones on 1/15/2010 7:40:56 PM , Rating: 2
Plus, if Windows was 100% secure, the EU would fine them as the AV makers would go out of business.
