Print 92 comment(s) - last by mostyle.. on Feb 3 at 7:43 AM

  (Source: Sydney Morning Herald)

Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others.  (Source: Tech Freep)
Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure.  When you're the top player in the browser market, like Microsoft, this problem becomes especially serious.

Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear.  Thus was the case with a new flaw in Microsoft Internet Explorer, which the company posted an advisory (97352) about yesterday.

The advisory describes, "The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

McAfee's George Kurtz was the first to post on the flaw, with a security blog yesterday afternoon.  He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google.  This was somewhat unusual, as often flaws get published with nary a "in the wild" attack, or at worst mild attacks on individual users.

In this case the flaw wasn't overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data.  Writes Dmitri Alperovitch, a vice president of research with McAfee, "We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space."

Despite the fact that Google makes its own browser (Chrome), apparently many of Google's corporate computers instead use rival Microsoft's Internet Explorer, the standard in the business world.  As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7.  This is actually quite typical -- IE 8 adoption in the business world has been a slow process -- many businesses still use IE 6, even.  The DEP protections are optional in IE 7.

In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Once the attackers execute the memory attack, they use it to download and run an executable -- a malicious trojan that allows remote access to corporate machines.  The entire set of attacks has become known as "Operation Aurora".  Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP).  Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.

Microsoft CEO Steve Ballmer apologized for the security mishap, stating, "We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don't know yet."

One bothersome detail, though, is that Microsoft apparently has known about the flaw and existence of attacks in the wild for some time, but did not publish a security advisor until after McAfee aired the flaw.  This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).

The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least.  Reportedly 20 other major companies have since been compromised.  Currently, the only complete solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7.  McAfee has aired security software updates that provide partial protection against the malware associated with the attack, but it warns that current coverage is complete

If there's one moral of this story, it's not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general.  As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money. 

Unlike hackers of yore that largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit.  That presents a unique challenge to firms like Microsoft.  A kid hacking into Google would be a bad enough, but a savvy professional who knows how to leverage the stolen information -- that's a security nightmare.  And it's one that's quickly becoming reality, as evidenced by this most recent round of attacks.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: Are you serious?
By Motoman on 1/15/2010 11:33:46 AM , Rating: 2
Another hint:

Apple's "security" is a result of their failure to capture a significant portion of the market. Hence, it's not worth a malware-writer's time to make attacks on it. Success by failure - very few companies can pull that off (other than Apple, maybe Bose and Monster Cable).

RE: Are you serious?
By danostrowski on 1/15/10, Rating: -1
RE: Are you serious?
By Motoman on 1/15/2010 12:00:01 PM , Rating: 2
Using that logic, one would have to cite the existence of police forces as a detriment to the track record of democracies.

And while I love your advertising of your ignorance with your opening statement, the better way to look at it is that it's quite commendable that MS does as much as it does to keep billions of PCs worldwide secure.

As for the monopoly - yes, Windows is a monopoly, because it's not viable for the vast majority of consumers in the world to use Apples or Linux. The fact of the matter is that now, Apple has somewhere around 4% of the market according to recent internet log reporting as shown here on DT recently. It would really be nice if we could stop pretending that 4% of the market has any significance.

RE: Are you serious?
By StevoLincolnite on 1/15/2010 12:22:46 PM , Rating: 2
While that's partially true, security has been a complete after thought for MicroSoft until very recently. Also, if you're going to credit Apple's small market share (aka MicroSoft's monopoly gained by proprietary lock-in) with the lack of viruses it experiences, you must also mention the entire microcosm of software that has evolved specifically for securing windows as a detriment for MS' track record.

Wait... are you complaining that Microsoft is to propriety? Have you looked at Apple? I mean seriously? They wont even give consumers easy access to replace batteries for crying out loud!

RE: Are you serious?
By jak3676 on 1/15/2010 12:21:25 PM , Rating: 3
I don't think my Monster Cable powers Bose system has ever been exploited.

RE: Are you serious?
By lightfoot on 1/15/2010 1:01:56 PM , Rating: 2
But both Monster Cable and Bose sell sub-par products at premium prices... The example of success through failure.

I would argue, however, that despite their products failure, their marketing success is nearly unrivaled.

RE: Are you serious?
By eddieroolz on 1/15/2010 1:08:12 PM , Rating: 2
Hell, if we can make a coat hanger disguised as Monster Cable we'll be rich in no time!

"If they're going to pirate somebody, we want it to be us rather than somebody else." -- Microsoft Business Group President Jeff Raikes

Most Popular Articles5 Cases for iPhone 7 and 7 iPhone Plus
September 18, 2016, 10:08 AM
No More Turtlenecks - Try Snakables
September 19, 2016, 7:44 AM
ADHD Diagnosis and Treatment in Children: Problem or Paranoia?
September 19, 2016, 5:30 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM
Automaker Porsche may expand range of Panamera Coupe design.
September 18, 2016, 11:00 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki