backtop


Print 92 comment(s) - last by mostyle.. on Feb 3 at 7:43 AM


  (Source: Sydney Morning Herald)

Chinese hackers used a memory flaw in Internet Explorer to carry out a series of highly sophisticated attacks, which stole info from Google, Adobe, and others.  (Source: Tech Freep)
Microsoft is apologetic about the incident and is working to help affected companies

While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure.  When you're the top player in the browser market, like Microsoft, this problem becomes especially serious.

Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear.  Thus was the case with a new flaw in Microsoft Internet Explorer, which the company posted an advisory (97352) about yesterday.

The advisory describes, "The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

McAfee's George Kurtz was the first to post on the flaw, with a security blog yesterday afternoon.  He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google.  This was somewhat unusual, as often flaws get published with nary a "in the wild" attack, or at worst mild attacks on individual users.

In this case the flaw wasn't overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data.  Writes Dmitri Alperovitch, a vice president of research with McAfee, "We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space."

Despite the fact that Google makes its own browser (Chrome), apparently many of Google's corporate computers instead use rival Microsoft's Internet Explorer, the standard in the business world.  As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7.  This is actually quite typical -- IE 8 adoption in the business world has been a slow process -- many businesses still use IE 6, even.  The DEP protections are optional in IE 7.

In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

Once the attackers execute the memory attack, they use it to download and run an executable -- a malicious trojan that allows remote access to corporate machines.  The entire set of attacks has become known as "Operation Aurora".  Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP).  Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.

Microsoft CEO Steve Ballmer apologized for the security mishap, stating, "We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don't know yet."

One bothersome detail, though, is that Microsoft apparently has known about the flaw and existence of attacks in the wild for some time, but did not publish a security advisor until after McAfee aired the flaw.  This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).

The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least.  Reportedly 20 other major companies have since been compromised.  Currently, the only complete solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7.  McAfee has aired security software updates that provide partial protection against the malware associated with the attack, but it warns that current coverage is complete

If there's one moral of this story, it's not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general.  As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money. 

Unlike hackers of yore that largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit.  That presents a unique challenge to firms like Microsoft.  A kid hacking into Google would be a bad enough, but a savvy professional who knows how to leverage the stolen information -- that's a security nightmare.  And it's one that's quickly becoming reality, as evidenced by this most recent round of attacks.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Ummm.....
By reader1 on 1/15/2010 1:12:09 PM , Rating: -1
quote:
Google has to use Internet Explorer due to the fact that some of their customers use Internet Explorer...


Those customers only use IE because of Microsoft's monopoly.


RE: Ummm.....
By ClownPuncher on 1/15/2010 1:30:44 PM , Rating: 5
There are many browsers people can use, Microsoft does nothing to stop you from using those.


RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By ClownPuncher on 1/15/2010 1:50:38 PM , Rating: 5
Your face is made out of penis.


RE: Ummm.....
By reader1 on 1/15/10, Rating: -1
RE: Ummm.....
By GaryJohnson on 1/15/2010 2:13:57 PM , Rating: 3
Your logic has a hole in it.

If Mozilla or Google made a better browser than IE, then they could still charge for it.

Similarly, we are giving you free advice on how not to be a loon, but you should definitely still seek professional (paid) psychiatric consul.

There are most certainly people around who would pay for FF or Chrome in their current incarnations. Google has chosen market share over sales revenue, and Mozilla is into being a "public benefit organization".


RE: Ummm.....
By bupkus on 1/15/2010 3:50:28 PM , Rating: 4
I'm like 10 posts down and still laughing.


RE: Ummm.....
By arazok on 1/15/2010 6:44:29 PM , Rating: 5
RE: Ummm.....
By messyunkempt on 1/16/2010 1:42:27 AM , Rating: 4
You owe me a muffin. And something to wipe my screen with.


RE: Ummm.....
By NesuD on 1/15/2010 2:37:46 PM , Rating: 3
quote:
Giving away IE for free is illegal undercutting and a clear abuse of Microsoft's monopoly.


Where did you get that. Microsoft charges a healthy price for IE. The only thing that makes it worth paying is that they bundle a pretty decent free operating system with it.

;-)


RE: Ummm.....
By bupkus on 1/15/2010 3:46:44 PM , Rating: 2
That is funny!


RE: Ummm.....
By Marlonsm on 1/15/2010 3:33:34 PM , Rating: 2
Right, they should force people to pay for their browsers, just like they pay for Firefox, Chrome, Opera...

Wait a min...


RE: Ummm.....
By themaster08 on 1/15/2010 7:17:21 PM , Rating: 3
quote:
Giving away IE for free is illegal undercutting and a clear abuse of Microsoft's monopoly.

It's clear that yellow tinted screen has blurred your perception of reality.

quote:
Giving away IE for free is illegal

Would you care to provide proof of this? Is giving away Safari for free also illegal?


RE: Ummm.....
By damianrobertjones on 1/15/2010 7:26:16 PM , Rating: 2
What century was that again?

These are new times.


RE: Ummm.....
By Camikazi on 1/15/2010 2:23:16 PM , Rating: 2
Yes you are right, MS FORCED me to use IE :( o wait, I'm on Windows and using Firefox!
MS customers are not forced to use IE, they choose too or do not know of other choices (doubtful since most sites have Firefox or Chrome icons all over). IE is just the default and most people just stick with the default for fear of breaking things or having no knowledge of others.


RE: Ummm.....
By mindless1 on 1/15/2010 9:06:43 PM , Rating: 1
Yes people are too lazy and uninformed to switch from the default installed browser in most cases, but that does lead back to the original statement by reader1 that it's due to their monopoly.

For example, if Linux had been the majority OS and had Firefox installed by default, and of course not having IE installed, wouldn't it be Firefox we'd assume to be the majority browser too?

Let's think on this a minute, who would've stuck it through IE 4, 5, and 6? They're be few and far between users who went on to use 7 and 8 even though they are decidedly better than 4, 5, and 6.


"The whole principle [of censorship] is wrong. It's like demanding that grown men live on skim milk because the baby can't have steak." -- Robert Heinlein














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki