IE Zero-day Vulnerability Used in Google Attack

     
2:15 am on Jan 15, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


Microsoft Warns of IE Zero-day Used in Google Attack [pcworld.com]

A critical zero-day flaw in Internet Explorer was exploited as part of the attack on Google and other companies, according to both Microsoft and McAfee.

The flaw allows for a Web-based attack against IE 6 SP 1 on Windows 2000, along with IE 7 and 8 on XP, Server 2003, Vista, Server 2008, Windows 7 and Windows Server 2008 R2. According to Microsoft's security advisory, the company has only seen active attacks against IE 6 so far.

Those attacks were part of the campaign against Google, Adobe and other major companies that sought to break into the Gmail accounts of Chinese human rights activists.

Chinese hackers used Microsoft browser to launch Google strike [guardian.co.uk]

Microsoft has admitted that its Internet Explorer browser was the weak link used by hackers to attack Google's systems in China.

The world's biggest software company today issued a security advisory and warned of a loophole that was used by Chinese hackers to attack dozens of US companies - the same attack that led Google on Tuesday to announce its plan to drop the censorship of its search engine in China.

This vulnerability exists in all versions of Internet Explorer (IE6 is however the only version which has been actively targeted) and remains unpatched by Microsoft - who have not ruled out an "out of cycle" patch rollout before the next scheduled patch date.

From Microsoft: Microsoft Security Advisory (979352) [microsoft.com]
Vulnerability in Internet Explorer Could Allow Remote Code Execution
Published: January 14, 2010

At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
2:20 am on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
posts: 37301
votes: 0


I'm a bit disturbed by this pile of corporate speak from Microsoft. It's not like this problem was low profile, or anything like that. Come on Redmond, get the lawyers back in their cage and give us some real communication and action -- please!
2:37 am on Jan 15, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


Microsoft look like they've been caught out by the turn of events, and were not in a position to effectively reply today. I assume they were aware of the issues but were keeping things under wraps since no patch is yet forthcoming. Google's announcement has blown the issue wide open.

There's a good write-up at the Register:
IE zero-day used in Chinese cyber assault on 34 firms [theregister.co.uk]

Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.
2:19 pm on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


So...Google EE's are using IE on Windows? Not, say, whatever the latest OS/online systems/Chrome is that they're flogging to Joe Public?

What's that say?

3:04 pm on Jan 15, 2010 (gmt 0)

Senior Member from HK 

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 14, 2002
posts:2283
votes: 10



What's that say?

They forgot to remind their employees to install the almighty Google Pack?

Seriously, I doubt this really has anything to do with an IE 6 vulnerability. I'd be betting on some good old fashioned spying in their Chinese offices. What's to stop the govt from sending people in as employees? Cleaners... engineers... the govt has them.

3:04 pm on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 30, 2006
posts:1599
votes: 1


^ Yeah, exactly, so we've got people at Google running Windows and unpatched IE6?
3:12 pm on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 24, 2003
posts: 729
votes: 0


Since almost all computers are made in China and the vast majority of computers not assembled in China still contain parts made in China, what is to stop the Chinese government from inserting back doors or similar means into the hardware that they can then exploit later? It seems to me that the very fact we can't (as far as I can find) buy computers that do not have Chinese components in them is a national security threat.
3:29 pm on Jan 15, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member pageoneresults is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 27, 2001
posts: 12166
votes: 51


Since almost all computers are made in China and the vast majority of computers not assembled in China still contain parts made in China, what is to stop the Chinese government from inserting back doors or similar means into the hardware that they can then exploit later? It seems to me that the very fact we can't (as far as I can find) buy computers that do not have Chinese components in them is a national security threat.

That was worth repeating. The hairs on my neck stood at attention after reading that statement. What's stopping them? < Rhetorical question. Off to find a computer made in the good ole U.S.A. I'll return once I find one. ;)

[edited by: pageoneresults at 3:46 pm (utc) on Jan. 15, 2010]

3:30 pm on Jan 15, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 30, 2006
posts:1599
votes: 1


^ They do that.

Back in the late 90s a backdoor was caught in a networking adapter.

6:53 pm on Jan 15, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 11, 2004
posts:582
votes: 0


To me, Google's announcement about maybe leaving China starts to make more and more sense. It seems that the Gmail hacking, the cyber attack on Google and Adobe, and Google's threat to leave China are all related. From Wired's article [wired.com]:

iDefense, however, told Threat Level that the attackers were targeting source-code repositories of many of the companies and succeeded in reaching their target in many cases.

Basically, G might be angry at Chinese officials' stealing of their IP.

PS: I just checked, and the results on google.cn appear to be censored again.

4:10 pm on Jan 16, 2010 (gmt 0)

Preferred Member from GB 

5+ Year Member

joined:Sept 29, 2009
posts:437
votes: 13


At what point will IE6 be classified as malware?
2:18 am on Jan 17, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 4, 2002
posts:1785
votes: 2


Are Mac/Apple computers also made in China?
2:31 am on Jan 17, 2010 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts:9063
votes: 2


All computers without exception contain components made in China, and a significant proportion are manufactured there in their entirety - this includes many Apple products. Go look for the Made in China label :)

Note that several news outlets are now confirming that exploit code for this vulnerability is publicly available. IE8 in protected mode (which should be enabled by default) is not affected, but earlier versions are. If you have to run IE, then use IE8 - otherwise use Firefox, Safari or Opera instead at least until Microsoft produces a patch.

2:47 am on Jan 17, 2010 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:Oct 12, 2000
posts:14487
votes: 49


If what I've read is correct Apple/Mac are almost exclusively made in China/Taiwan.



<back on topic>
Regardless of whether you use IE, you should still install the latest version. Depending on the version of Windows you're using, IE can be deeply integrated into more than just the browser.
11:53 pm on Jan 17, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 30, 2006
posts:1599
votes: 1


Correct.
Anytime a new version or patch comes out, grab it ASAP.

I'm still confused as to why IE6 is used inside Google China.

9:37 am on Jan 18, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:July 29, 2007
posts:1544
votes: 10


IE6 only? Not very likely.

It's just as likely that IE6 isn't capable of leaving you vulnerable but IE7 onwards do (intentionally, big brother must watch after all).

IE should be avoided in all variations, entire countries (Germany) and major search engines (Google) have spoken.

IE gives me the distinct impression of a runaway train at this point, as if nobody is in control (or perhaps too many people are).