
  (Source: Sydney Morning Herald)

Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others.  (Source: Tech Freep)
Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure.  When you're the top player in the browser market, like Microsoft, this problem becomes especially serious.

Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear.  Such was the case with a new flaw in Microsoft Internet Explorer, about which the company posted an advisory (97352) yesterday.

The advisory describes, "The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

McAfee's George Kurtz was the first to post on the flaw, with a security blog yesterday afternoon.  He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google.  This was somewhat unusual, as often flaws get published with nary an "in the wild" attack, or at worst mild attacks on individual users.

In this case the flaw wasn't overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data.  Writes Dmitri Alperovitch, a vice president of research with McAfee, "We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space."

Despite the fact that Google makes its own browser (Chrome), apparently many of Google's corporate computers instead use rival Microsoft's Internet Explorer, the standard in the business world.  As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7.  This is actually quite typical: IE 8 adoption in the business world has been a slow process, and many businesses still use IE 6, even.  The DEP protections are optional in IE 7.

In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Once the attackers execute the memory attack, they use it to download and run an executable -- a malicious trojan that allows remote access to corporate machines.  The entire set of attacks has become known as "Operation Aurora".  Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP).  Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.

Microsoft CEO Steve Ballmer apologized for the security mishap, stating, "We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don't know yet."

One bothersome detail, though, is that Microsoft apparently has known about the flaw and the existence of attacks in the wild for some time, but did not publish a security advisory until after McAfee aired the flaw.  This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).

The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least.  Reportedly 20 other major companies have since been compromised.  Currently, the only solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7.  McAfee has released security software updates that provide partial protection against the malware associated with the attack, but warns that its current coverage is not complete.

If there's one moral of this story, it's not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general.  As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money. 

Unlike hackers of yore, who largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit.  That presents a unique challenge to firms like Microsoft.  A kid hacking into Google would be bad enough, but a savvy professional who knows how to leverage the stolen information -- that's a security nightmare.  And it's one that's quickly becoming reality, as evidenced by this most recent round of attacks.

Comments

RE: Ummm.....
By Motoman on 1/15/2010 10:45:28 AM , Rating: 2
I don't think you need WSUS - I think if you just used automatic updates, this would have been taken care of a long time ago.

While it's embarrassing for MS, I feel like it's more embarrassing for Google. Firstly, that their own employees use their hated rival's browser instead of their own, and secondly that they apparently aren't capable of enforcing a reasonable update program on their PCs.

RE: Ummm.....
By FITCamaro on 1/15/2010 10:57:36 AM , Rating: 2
I doubt there's very many large corporations who've already upgraded to IE8.

Still on 7 here.

RE: Ummm.....
By Motoman on 1/15/2010 11:01:54 AM , Rating: 2
Yeah, I hear you.

Since I don't have any IE6/7 boxes laying around, was this DEP feature available there...and just not turned on?

RE: Ummm.....
By InsaneScientist on 1/15/2010 2:09:50 PM , Rating: 2
It was there for IE7, but not IE6.

I thought XPSP2 and up had system wide DEP running, though...

RE: Ummm.....
By GaryJohnson on 1/15/2010 2:22:07 PM , Rating: 2
It has DEP on for "essential windows programs and services" which apparently doesn't include IE7; it has its own DEP in the form of an "enable memory protection to help mitigate online attacks" checkbox under the advanced tab in internet options.

RE: Ummm.....
By piroroadkill on 1/18/2010 10:32:07 AM , Rating: 1
By default, DEP is set to OPT-IN, whereby apps (the majority of the time, Windows system components) opt to have DEP enabled for their component. Yeah, which is fucking shit. Same behaviour by default in Windows 7 iirc; however, you can change this to OPT-OUT, whereby all processes get DEP enabled, and you only set processes which have issues with DEP in the exclusion list, which should be the default mode, really
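An added example, not from the article or any commenter: a PowerShell audit that reads the system-wide DEP policy (the opt-in/opt-out modes described in this thread and the DEP workaround the article recommends) together with Internet Explorer's own memory-protection switch, so an administrator can see whether IE on a given box is actually covered. The Win32_OperatingSystem properties are documented WMI values; the DEPOff registry value and the Internet Explorer Version key are assumptions about where those settings live.

```powershell
# Added example: audit DEP coverage for Internet Explorer on a Windows host.
# Win32_OperatingSystem exposes the system-wide DEP policy; the DEPOff value
# (assumed location) is what IE's "Enable memory protection" checkbox writes.

function Get-DepPolicyName {
    param([int]$Policy)
    switch ($Policy) {
        0 { 'AlwaysOff' }
        1 { 'AlwaysOn' }
        2 { 'OptIn  (only essential Windows programs and services)' }
        3 { 'OptOut (all processes unless listed in the exclusions)' }
        default { "Unknown ($Policy)" }
    }
}

function Get-DepAuditReport {
    # System-wide policy as reported by WMI (DataExecutionPrevention_SupportPolicy).
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # Installed IE major version (assumed key: HKLM\...\Internet Explorer\Version).
    $ieKey   = 'HKLM:\Software\Microsoft\Internet Explorer'
    $ieVer   = (Get-ItemProperty -Path $ieKey -Name Version -ErrorAction SilentlyContinue).Version
    $ieMajor = if ($ieVer) { [int]($ieVer.Split('.')[0]) } else { 0 }

    # IE's own switch: DEPOff=1 means the memory-protection checkbox is cleared.
    # Per-user setting takes precedence over the machine-wide one (assumption).
    $ieOff = $null
    foreach ($hive in 'HKCU', 'HKLM') {
        $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        $val  = (Get-ItemProperty -Path $main -Name DEPOff -ErrorAction SilentlyContinue).DEPOff
        if ($null -ne $val) { $ieOff = [int]$val; break }
    }

    # AlwaysOn and OptOut cover IE without IE opting in itself. Under OptIn,
    # IE8 opts in by default (unless DEPOff=1); IE7 needs the checkbox, which
    # this audit cannot confirm from the policy alone, so it reports $null.
    $covered = if ($policy -eq 1 -or $policy -eq 3) { $true }
               elseif ($policy -eq 2 -and $ieMajor -ge 8) { $ieOff -ne 1 }
               elseif ($policy -eq 2) { $null }
               else { $false }

    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        SystemPolicy         = Get-DepPolicyName $policy
        IeMajorVersion       = $ieMajor
        IeDepOffValue        = $ieOff
        IeCoveredByDep       = $covered
    }
}

Get-DepAuditReport | Format-List
```

A `$null` in IeCoveredByDep means the host is in OptIn mode with IE7 and the checkbox state must be confirmed in Internet Options, which is exactly the configuration the article describes as exposed.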

RE: Ummm.....
By bupkus on 1/15/2010 3:57:59 PM , Rating: 2
Ok, but aren't these older versions of IE just used for intranets? Can't they also have IE8 for those for who need to venture outside to the internet?
I'm thinking that couldn't their IT program a router or firewall test that won't allow unprotected versions of IE to pass outside...
Perhaps I just don't get it. The servers exposed to the internet are vulnerable because they allow a misbehaving browser to make requests... shouldn't this be a browser issue?
Help me understand wtf and wheretf this vulnerability happens.

RE: Ummm.....
By bupkus on 1/15/2010 4:00:10 PM , Rating: 2
Correction: ... shouldn't this be a server issue?

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By FITCamaro on 1/15/2010 11:53:12 AM , Rating: 4
Yeah pushing out a windows update is real f*cking hard. I mean do you try to be this stupid?

And if you don't want to do that there are software products out there that streamline pushing updates to large numbers of PCs.

RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By Motoman on 1/15/2010 12:11:45 PM , Rating: 3

This asshat's rating is at 0.09! That's got to be a record, right? Is anyone keeping score - so we can determine who the stupidest person on the planet is? Because this clown has got to be right up there.

0.09 - now THAT is an impressive achievement. Seems like it would take an entire village of idiots to rack up a score like that.

RE: Ummm.....
By StevoLincolnite on 1/15/2010 12:16:52 PM , Rating: 2
Seems like it would take an entire village of idiots to rack up a score like that.

Don't insult the village idiots! Sheesh.. They would be like Einstein compared to him!

RE: Ummm.....
By geddarkstorm on 1/15/2010 12:30:50 PM , Rating: 2
He's 0.10 now. I think his skills are slipping.

RE: Ummm.....
By weskurtz0081 on 1/15/2010 2:42:23 PM , Rating: 2
No, he is down to .08 now, he's doing just fine!

RE: Ummm.....
By chagrinnin on 1/15/2010 4:43:19 PM , Rating: 2
Seems like it would take an entire village of idiots to rack up a score like that.

Their IBurst tower has been turned off. :P

RE: Ummm.....
By themaster08 on 1/15/10, Rating: 0
RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By themaster08 on 1/16/2010 5:33:12 AM , Rating: 3
Sure, only a moron would support a platform with an excess of over half a billion users.

Only a moron would dedicate his life supporting Apple and their communist, closed platform and arrogant, self-righteous business practices.

Apple zealots are the Jehovah's Witnesses of the computer world. Preaching self-righteousness, mocking others, pumping ludicrous amounts of money into your church. Everything fits.

RE: Ummm.....
By damianrobertjones on 1/15/10, Rating: 0
RE: Ummm.....
By mindless1 on 1/15/2010 9:28:49 PM , Rating: 1
While I don't go along with a lot of the stretches reader1 makes, the initial idea that a lot of companies do not want these automatic updates is true.

Absolutely NO NO NO! It would be really dumb to let client systems update before the update is tested and reports of problems in the wild are sought.

Yes roll out the updates but above all else it is more important to not introduce any problems rather than having downtime from some bug that wasn't found until millions of people started applying it to the myriad number of system configs possible.

Now I'd like a show of hands, how many of the DT readers were routinely infected from using IE7, let alone 6? If they were insecure, and yet at the time of their release the DT (I mean Anandtech readers at that time) population was saying the same thing "oh use this new version it is secure you simply must or the world will implode", and yet now history shows they were wrong.

What was the solution? It was not just jumping onto the latest IE and patching it, absolutely not because as we all see no matter how many patches you apply, there's still another several coming, there was always not only many many possible exploits, but it was the primary target browser all along.

No, updates are not a solution and it is a waste of time to talk about them. Training users, blocking malicious 'sites, disabling inherently insecure features, locking down user access to domain resources, these are the start to security.

Now fast forward to the next IE version, everyone will claim oh it's great and IE8 should be abandoned, nevermind if you are more or less secure then than now.

The ironic part is we might actually be more secure running IE4 right now, who is developing new exploits for THAT?

RE: Ummm.....
By damianrobertjones on 1/15/2010 7:31:44 PM , Rating: 2
Hold on a minute... using Automatic updates on more than 10 computers, or 20, 30, 40... it literally zaps your bandwidth dry.

Imagine on update Thursday ALL 500+ computers started downloading updates etc. Even staggered, it's NOT the way to do it, even in a company with 30 pc's. WSUS all the way. it's so silly easy to setup that it hurts.

There are a lot of techs out there that don't even KNOW that WSUS exists! (Starts to cry)
