IE Zero-day Vulnerability Used in Google Attack
Microsoft Warns of IE Zero-day Used in Google Attack [pcworld.com]
|A critical zero-day flaw in Internet Explorer was exploited as part of the attack on Google and other companies, according to both Microsoft and McAfee. |
The flaw allows for a Web-based attack against IE 6 SP 1 on Windows 2000, along with IE 7 and 8 on XP, Server 2003, Vista, Server 2008, Windows 7 and Windows Server 2008 R2. According to Microsoft's security advisory, the company has only seen active attacks against IE 6 so far.
Those attacks were part of the campaign against Google, Adobe and other major companies that sought to break into the Gmail accounts of Chinese human rights activists.
Chinese hackers used Microsoft browser to launch Google strike [guardian.co.uk]
|Microsoft has admitted that its Internet Explorer browser was the weak link used by hackers to attack Google's systems in China. |
The world's biggest software company today issued a security advisory and warned of a loophole that was used by Chinese hackers to attack dozens of US companies - the same attack that led Google on Tuesday to announce its plan to drop the censorship of its search engine in China.
This vulnerability exists in all versions of Internet Explorer (IE6 is however the only version which has been actively targeted) and remains unpatched by Microsoft - who have not ruled out an "out of cycle" patch rollout before the next scheduled patch date.
From Microsoft: Microsoft Security Advisory (979352) [microsoft.com]
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: January 14, 2010
|At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs. |
I'm a bit disturbed by this pile of corporate speak from Microsoft. It's not like this problem was low profile, or anything like that. Come on Redmond, get the lawyers back in their cage and give us some real communication and action -- please!
Microsoft look like they've been caught out by the turn of events, and were not in a position to effectively reply today. I assume they were aware of the issues but were keeping things under wraps since no patch is yet forthcoming. Google's announcement has blown the issue wide open.
There's a good write-up at the Register:
IE zero-day used in Chinese cyber assault on 34 firms [theregister.co.uk]
|Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday. |
The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.
McAfee Security Insights Blog » Blog Archive » Operation “Aurora” Hit Google, Others [siblog.mcafee.com]
So...Google EE's are using IE on Windows? Not, say, whatever the latest OS/online systems/Chrome is that they're flogging to Joe Public?
What's that say?
They forgot to remind their employees to install the almighty Google Pack?
Seriously, I doubt this really has anything to do with an IE 6 vulnerability. I'd be betting on some good old fashioned spying in their Chinese offices. What's to stop the govt from sending people in as employees? Cleaners... engineers... the govt has them.
^ Yeah, exactly, so we've got people at Google running Windows and unpatched IE6?
Since almost all computers are made in China and the vast majority of computers not assembled in China still contain parts made in China, what is to stop the Chinese government from inserting back doors or similar means into the hardware that they can then exploit later? It seems to me that the very fact we can't (as far as I can find) buy computers that do not have Chinese components in them is a national security threat.
|Since almost all computers are made in China and the vast majority of computers not assembled in China still contain parts made in China, what is to stop the Chinese government from inserting back doors or similar means into the hardware that they can then exploit later? It seems to me that the very fact we can't (as far as I can find) buy computers that do not have Chinese components in them is a national security threat. |
That was worth repeating. The hairs on my neck stood at attention after reading that statement. What's stopping them? < Rhetorical question. Off to find a computer made in the good ole U.S.A. I'll return once I find one. ;)
[edited by: pageoneresults at 3:46 pm (utc) on Jan. 15, 2010]
^ They do that.
Back in the late 90s a backdoor was caught in a networking adapter.
To me, Google's announcement about maybe leaving China starts to make more and more sense. It seems that the Gmail hacking, the cyber attack on Google and Adobe, and Google's threat to leave China are all related. From Wired's article [wired.com]:
|iDefense, however, told Threat Level that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases. |
Basically, G might be angry at Chinese officials stealing their IP.
PS: I just checked, and the results on google.cn appear to be censored again.
At what point will IE6 be classified as malware?
Are Mac/Apple computers also made in China?
All computers without exception contain components made in China, and a significant proportion are manufactured there in their entirety - this includes many Apple products. Go look for the Made in China label :)
Note that several news outlets are now confirming that exploit code for this vulnerability is publicly available. IE8 in protected mode (which should be enabled by default) is not affected, but earlier versions are. If you have to run IE, then use IE8 - otherwise use Firefox, Safari or Opera instead at least until Microsoft produces a patch.
If what I've read is correct, Apple/Mac are almost exclusively made in China/Taiwan.
<back on topic>
Regardless of whether you use IE, you should still install the latest version. Depending on the version of Windows you're using, IE can be deeply integrated into more than just the browser.
Anytime a new version or patch comes out, grab it ASAP.
I'm still confused as to why IE6 is used inside Google China.
IE6 only? Not very likely.
It's just as likely that IE6 isn't capable of leaving you vulnerable but IE7 onwards do (intentionally, big brother must watch after all).
IE should be avoided in all variations; entire countries (Germany) and major search engines (Google) have spoken.
IE gives me the distinct impression of a runaway train at this point, as if nobody is in control (or perhaps too many people are).