Recent attacks on Google exploited previously unknown hole in IE
According to an initial analysis by anti-virus vendor McAfee, the recent Chinese attacks on Google and other US companies probably exploited a previously unknown hole in Internet Explorer. Versions 6, 7 and 8 of the browser contain the hole which can be exploited to inject and execute code on Windows computers via specially crafted web pages. The attackers apparently used the flaw to inject a trojan downloader into compromised computers. The downloader then proceeded to retrieve further modules, including a back door that gave the attackers remote access to the computer, from a server via an SSL-encrypted connection. Links to the crafted web pages were likely sent in emails to selected employees of the targeted firms.
Having evaluated the data collected during malware analysis, McAfee believes that the authors used the code name "Aurora" for the attack that targeted Google, Adobe and dozens of other US companies probably including Yahoo, Symantec, Juniper Networks, Northrop Grumman and Dow Chemical. Aurora appears in the path names included in the malware binaries. The initial speculation was that specially crafted PDF files were used for the targeted attacks – in the past two years, PDFs have been a popular choice for attacks originating in China. The most recent campaign of a similar scale (Ghostnet) was discovered when foreign governments were attacked in March 2009.
While the new attacks don't come as a surprise, it is astonishing how many companies were compromised. After all, in September of 2009, the US Government warned that China's growing cyber espionage activities were becoming increasingly sophisticated and successful. The now publicised attacks are said to have taken place between mid-December and early January. It seems the attackers took advantage of the fact that many employees were likely to be on holiday during that time.
Microsoft has officially confirmed the hole in IE and is working on a security update which could even be released as an out-of-cycle "emergency patch". The advisory states that, while the hole affects versions 6, 7 and 8, the current attacks only appear to have targeted version 6 – which raises a question as to how current the affected companies' software inventory is.
Until an update has become available, Microsoft recommends setting the security level for the internet and the local intranet to "high". Since the current exploit uses JavaScript, disabling JavaScript can also be used as a workaround. In addition, Microsoft recommends that users enable Data Execution Prevention (DEP). As Internet Explorer runs in protected mode in versions 7 and 8 on Vista and later systems, the impact of the vulnerability is reportedly limited in these versions. All in all, it appears that XP users who run Internet Explorer 6 are most vulnerable. No public exploit of the flaw is currently available.
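The workarounds listed above (Internet and Local intranet zones set to "High", Active scripting disabled, DEP enabled) can be audited rather than taken on trust. The script below is an added example written for this page; it is not code from The H or from Microsoft's advisory. It assumes the standard IE zone registry keys under `HKCU:\...\Internet Settings\Zones` (zone 1 = Local intranet, zone 3 = Internet; `CurrentLevel` holds the slider position and value `1400` holds the Active scripting setting) and the `Win32_OperatingSystem` WMI class's `DataExecutionPrevention_*` properties for the system-wide DEP policy. Run it in PowerShell on the host being checked; the report flags a zone as hardened when either of the two recommended settings is in place.

```powershell
# Added example (not from The H article): audit the workarounds Microsoft
# recommended for the IE hole on a Windows host. The registry paths, value
# names and WMI property names are assumptions based on documented IE and
# Windows settings; verify them against your own build before relying on them.

# Security-zone slider positions stored in the CurrentLevel value (assumed mapping)
$ZoneLevels = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-high'
    0x12000 = 'High'
}
# Zone ids of interest: 1 = Local intranet, 3 = Internet (assumed)
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$BasePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-InstalledIEVersion {
    # The Version value under this key is written by the IE installer (assumed)
    $ie = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie -and $ie.Version) { return $ie.Version }
    return 'unknown'
}

function Test-ZoneHardening {
    # One row per zone: current slider level, Active scripting state, and
    # whether either recommended workaround (High level or scripting off) is set.
    foreach ($id in $Zones.Keys) {
        $key   = Get-ItemProperty -Path "$BasePath\$id" -ErrorAction SilentlyContinue
        $level = [int]$key.CurrentLevel
        # Value 1400 = "Active scripting": 0 = enable, 1 = prompt, 3 = disable (assumed)
        $script = [int]$key.'1400'

        if ($ZoneLevels.ContainsKey($level)) { $levelName = $ZoneLevels[$level] }
        else                                  { $levelName = "unknown (0x{0:X})" -f $level }

        switch ($script) {
            0       { $scriptName = 'enabled' }
            1       { $scriptName = 'prompt' }
            3       { $scriptName = 'disabled' }
            default { $scriptName = "unknown ($script)" }
        }

        [pscustomobject]@{
            Zone            = $Zones[$id]
            SecurityLevel   = $levelName
            ActiveScripting = $scriptName
            Hardened        = ($level -eq 0x12000) -or ($script -eq 3)
        }
    }
}

function Test-DepPolicy {
    # System-wide DEP policy as reported by WMI (property names assumed).
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    # OptIn protects only Windows system binaries and programs that opt in
    # themselves, so it does not by itself cover an older IE build.
    $os       = Get-WmiObject -Class Win32_OperatingSystem
    $policies = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy   = [int]$os.DataExecutionPrevention_SupportPolicy

    [pscustomobject]@{
        DepAvailable  = [bool]$os.DataExecutionPrevention_Available
        Policy        = $policies[$policy]
        CoversAllApps = (@(1, 3) -contains $policy)
    }
}

# Report
"Installed IE version: $(Get-InstalledIEVersion)"
Test-ZoneHardening | Format-Table -AutoSize
Test-DepPolicy     | Format-List
```

The zone check reads the current user's hive, so run it as the user whose browser you care about (or iterate over loaded user hives under `HKEY_USERS` for a fleet-wide sweep). Pair the IE version string with the DEP row: an IE 6 build on a host whose policy is `OptIn` matches the configuration the article singles out as most exposed.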
See also:
- Google considers closing its Chinese operation, a report from The H.
- US report: China is expanding its corporate cyber espionage, a report from The H.
- Infiltrated Chinese software spies on Tibetan government in exile's computers, a report from The H.
- F-Secure advises against using Adobe Reader, a report from The H.
(crve)