IE zero-day used in Chinese cyber assault on 34 firms

Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday. The previously unknown flaw in the IE browser was probably just one of the vectors used in …

COMMENTS

This topic is closed for new posts.
  1. Disco-Legend-Zeke

    Flip the switch.

    Let's just take China off the Internet.

    It's not as if we would be missing any great pr0n or anything.

    1. Mike Flugennock
      Thumb Up

      Seriously...

      ...I don't get a huge amount of email from China -- or from the rest of Asia, for that matter -- but any email I _have_ gotten from there has _always_ been spam. I long ago reached the point where I've set my filters to automatically shit-can anything from China, Taiwan, Hong Kong or Japan -- or anyplace else with a non-Roman character set, for that matter.

      I'm on the editorial board of the Indymedia site in my city (Washington DC), and we've just finished cleaning up the mess from a massive spam flood from China, and for the millionth time, I've suggested to the resident geeks that we just block anything from Asia, or with non-Roman character sets, but the more militant PC types still give me grief about it. It's not "inclusive", they say, or some shit like that, while totally ignoring the fact that every post we've gotten with Asian or other non-Roman character sets has either been dating-site spam (Asian) or been packing a malware payload (Russian, usually in the form of a .pdf file).

      1. Anonymous Coward
        Thumb Down

        Har

        Oh the irony of Indymedia trying to censor...

        1. Anonymous Coward
          Anonymous Coward

          Re Har Irony

          Not to mention the unsurprising stupidity of someone conflating the prevention of spam and censorship.

          1. Anonymous Coward
            Anonymous Coward

            Re Re Har Irony

            "I've suggested to the resident geeks that we just block anything from Asia, or with non-Roman character sets,"

            Sounds like more than just spam to me, namely anything

    2. Ken Hagan Gold badge

      Says who?

      Who's "we"? For the major network operators to "flip the switch" would cause a major shitstorm.

      On the other hand, it strikes me as an absolutely fabulous idea for individual users to be able to say to their PC (or ISP) "I don't want to accept any email from outside my own country, I don't want to visit any web-sites from outside my own whitelist of trusted countries, and I don't want to use encrypted links to anywhere outside my own legal jurisdiction." It's a pity that IP address allocation makes it quite difficult to do that, but perhaps it can be arranged that IPv6 has an address space more closely aligned to political and legal boundaries.

    3. Anonymous Coward
      Black Helicopters

      Let's just take China off the Internet?

      Not that it'd make much difference; have you seen how many Chinese s-too-dense are studying computer science in the UK... Biggest income source for some universities, where they teach them coding and hacking skills...

  2. Matthew Anderson
    Grenade

    So..

    Contrary to reports that this was just a brute force attack where malware was being installed on peoples systems through fairly mundane methods; it was actually a relatively sophisticated attack coming from competent coders who probably have an array of 0day vulns they found themselves and are keeping for a rainy day.

    Juicy but probably not all that juicy. Depends whether they were only targeting human rights activists (the mundane) or if they were targeting organisations for the theft of data which could prove valuable to the Chinese Government, which by the tone of this article, they were. mmMmm yummy.

    Of course - not something we here in the UK or those there in the USA would ever do, nonono. In the same way that our soldiers are perfect and do not beat up, molest and kill POWs (terrorists?) hah. Pot calling kettle black really. They are all at it. Cheeky beggars. Now, where did I put that 0day? :-D

  3. the midtoad

    IE?

    What, the employees of Google in China were using the Microsoft IE browser instead of their own Google Chrome browser? The horror, the horror!

  4. N2

    Fools

    34 companies use Internet Explorer?

    Fools

  5. Destroy All Monsters Silver badge
    Black Helicopters

    Finally something somewhat Gibsonesque

    "There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China."

    So, why is it a "Chinese cyber assault". Could as well be Israeli.

    1. url
      Black Helicopters

      Post anonymously?

      The C&C IP addresses were only 6 IPs apart from a previous attack and are known to be used by the Chinese state or proxies of the Chinese state.

    2. Anonymous Coward
      Alert

      I think it was the Welsh.

      They've been quiet. Too quiet....

  6. Mr Blonde
    FAIL

    Colour me surprised

    A Serious Security Breach involving Microsoft Internet Explorer? Tell me it isn't so!

    What were the Wee Wille Wonkers doing at the Chocolate Factory? Not eating their own dog-food one must presume.

  7. Adrian Esdaile
    Coat

    Eh? IE? At Google? I smell fish...

    OK, Yahoo, Northrop Grumman I can understand... but Google?

    Why was anyone at Google using IE outside a testing environment? Isn't that why they developed Chrome?

    Or was the attack of the "click here for hot chinese babes" style and sent to senior managers only? Assuming of course that senior managers are just as pointy-haired at Google as everywhere else.

    Mine's the one with the soup stirrer in the pocket....

  8. clod computing is big

    corporate secrets =/= using IE

    Sure, opera/firefox/etc are unlikely to be entirely free of current or future exploitable weaknesses, but even adjusting for market share, they seem far lower risk as far as exploits go.

    Seriously folks - any modern company with secrets to manage whose CIO allows anyone on one of their laptops or on their internal networks to use Internet Explorer 6, or for that matter any other version, needs a new CIO. This is just getting silly.

    1. Anonymous Coward
      Anonymous Coward

      Management != Intelligent

      Unfortunately the management of most of the companies think the Sun shines out of the orifice which is Microsoft. Microsoft can do no wrong and they will release a fix for their problems. There is an attitude "You will not get fired for buying Microsoft"; it used to be "You will not get fired for buying IBM" in the 1970s and 1980s.

      Companies should declare their IT infrastructure platform details as part of the financial submission in published accounts, i.e.

      Server platform breakdown:

      * Windows Server 80%
      * Solaris server 10%
      * Linux server 10%

      Desktop platform breakdown:

      * Windows desktop 98%
      * Linux 1%
      * Others 1%

      Then you take your money out of businesses that are more than 40% Microsoft based.

  9. heyrick Silver badge
    Grenade

    Mmmm...

    If you look up Norton's range of anti-virus, anti-spam, anti-rootkit, we're-so-damn-safe software, you'll see a reference to:

    December 2008 Yahoo! Tech: Antivirus recommended: In defense of Norton

    So that explains why Symantec and Yahoo are on the list, then.

    Can't believe Google got hacked. What, is their _OWN_ browser not good enough for them? Is there something _WE_ should know if Google bods are using MSIE instead of Chrome?

  10. Captain DaFt
    Gates Horns

    You people are forgetting...

    That way back when MS released IE6, they announced that it was the final form of the web browser. Not just the final form of IE, but the very concept of web browser. (Will now pause until the laughter dies down)

    Unfortunately, the PHBs in charge of most companies believe what their highly paid consultants tell them (Guess who THEY worked for), plus what they read in the Better Business for Billionaires trade magazines (And guess who THEY listened to).

    So the word went down from corporate high, and all internal and external business apps of most big businesses were hard-wired to work only with IE6, and then the coders were let go.

    Years later, the businesses are still using those now mission critical apps, and can't drop IE6 without a costly major revamping of the infrastructure. So they stay with IE6, and trust Redmond to keep them safe. (Mixed gasps of horror and gales of derisive laughter)

    1. Anonymous Coward
      Anonymous Coward

      I still don't believe

      anyone who tells me their mission critical intranet apps would never work on anything other than IE6. Later versions of IE even have a compatibility mode, or so I hear, so there is truly no excuse. The least they could do is lock IE6 down to use a proxy that allows nothing but intranet access, and use a real browser for the internet. Trivially easy to do, but don't hold your breath waiting for it to happen.

      I just assume the IT bods are too lazy to have even tested it on anything else. After all, why spend an afternoon doing some work when you can play Tetris instead?

      You can act offended, but what IT department have you worked for that will actually do something to solve a problem that doesn't affect them? They're all using Firefox anyway, so who cares, right?

      1. Anonymous Coward
        Anonymous Coward

        There speaks someone who hasn't done much web development

        It's not about IT bods, it's about what you're permitted to do.

        The most probable scenario is that the users, testers, sysadmins and developers are fully aware that the app does not work in later versions of IE or firefox.

        This is highlighted to management. Management refuse based on the fact 'it's currently working' and there are other priorities. Developers can't be bothered doing the modifications in their own time, and are not enthused by the lack of vision by management.

        Given a choice between something that will not be appreciated or earn you extra money (in fact something that could *lose* you money, next annual review time) and having to confront someone to fix the app, it's understandable why Tetris might be chosen.

      2. Nexox Enigma

        IE6 will never die

        """I still don't believe anyone who tells me their mission critical intranet apps would never work on anything other than IE6."""

        I used to work at a rather large company, one which fancies itself to have quite the cutting edge IT 'system' or whatever they called it. What that boiled down to was multiple groups of people, separated by time, space, and management, each developing some essential software - asset tracking, training, certification, shipping, document distribution, data centralization, and who knows what else. Anyway they're all coded differently and insanely, and the only thing they have in common is pretty much the use of ActiveX.

        Some of those apps did work in IE7 (8 wasn't out before the company and I departed ways,) but for a few it was absolutely necessary to use IE6. Then again there were some web apps that wouldn't even try to load in IE, so I had to have Firefox on my work machine too. And since I don't like using FF or IE if I don't have to, I had Opera as well.

        The software that actually generated us revenue, which was run constantly to acquire data was originally coded for Solaris 8, but was ported to run on WinXP in an X server, with all the standard Solaris 8 look and feel that we have come to love.

        Also I'd like to offer a further edit to the article:

        """Kurtz has dubbed the attack "Aurora" """ ...because it sounds fucking cool.

  11. Mikel
    Happy

    IE on the client side, not at Google

    An unpublished exploit in IE? Say it ain't so, Steve.

    Maybe Google should just deprecate IE support - or gradually make it slower. Nah, Google wouldn't pull a low down dirty trick like that.

    1. heyrick Silver badge

      No title, this is a reply.

      Google wouldn't deprecate IE support, it would surely affect their advertising possibilities.

      As for making it slower... what, slower than IE already is? Think anybody would notice?

  12. Anonymous Coward
    Badgers

    On a different note...

    The article states that browser level DEP would have worked as a minor deterrent in this case. I'd be interested to know how well the OS/hardware level version would have worked as well. Would the workaround still be possible?

    Badgers, 'cause I don't want any of those little critters scurrying around inside my computer either.

  13. Tim99 Silver badge
    Badgers

    Browsers?

    For goodness sake, just mandate that senior people (and all "Managers") must use Lynx.

    It would at least cut down some of the rubbish out there...

  14. Anonymous Coward
    WTF?

    Hold on!

    I'm as ready to have a pop at MS as the next person, but at some stage there must have been some muppet, who should have known better, who clicked on a link and started the ball rolling in each of these corps!

    When they find these muppets it should be, "You are the weakest link, goodbye!".

    1. Doug Glass
      Go

      Prelude To Termination

      Sterilization.

    2. Anonymous Coward
      Black Helicopters

      Weakest Link (re: Hold on!)

      I think these attacks are not of the "Free pr0n!!!! Click me!!!" type, but rather individually crafted mails that appear genuine.

    3. BristolBachelor Gold badge
      Stop

      "Click here to infect your computer"

      Funny thing is, I've never seen a link that says "click here to infect your computer".

      Does the fact that ANY link could be used to infect your computer means that you should NEVER EVER click on any link?

      When you read a page with a headline saying that your competitor has announced that they have released something that will kill your company, you don't click the link to see what the story says? Because websites are never compromised. No-one has ever managed to change the content of a respectable web site, have they?

      Add on to that the fact that MS software is just a massive orgy. Every piece of their software uses parts from all the others. I don't know how many MS apps I've got that fire-up parts of IE in the background to do things. I've even got apps from other companies that fire-up IE to open a pdf file inside a window in the app.

      So, I admit it, I am a muppet. I click on links (it's how I got here). I use MS software, and other companies software. It makes me a muppet, I should just go back to my abacus.

    4. Al fazed
      Happy

      IT savvy muppets

      From a different story in today's Register, a law firm suffered a similar attack: "Attorneys at ........ began receiving trojan-laced emails made to appear as if they were sent by other members of the firm"

      Lynx is not the only way.

      Mandate that all eMails are received and sent in text only format.

      Just say no to reading/sending HTML messages.

      ALF

      1. Number6

        Definitely no HTML

        My mail server bounces email with an HTML section. It's a security risk and even though I run Linux, I'd still prefer to know what's happening.
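The two posts above (mandate text-only mail; bounce anything with an HTML section) describe a simple policy. The following is an added example, not the commenters' own server configuration, showing how that policy can be expressed with Python's standard-library `email` package: every MIME part of a message is walked, and the message is rejected if any part, at any nesting depth, is `text/html`. The sample messages are constructed inline.

```python
"""Reject mail carrying any text/html part.

Added example (not the commenters' code): the policy described in the thread is
"no HTML section at all", so even a multipart/alternative message that also
carries a plain-text twin is rejected, as is an HTML file attachment nested
inside multipart/mixed.
"""
from email import message_from_string, policy
from email.message import EmailMessage


def html_parts(raw: str) -> list:
    """Return (content_type, filename) for every text/html part in a raw RFC 5322 message.

    walk() visits the top-level message and every nested part, so HTML hidden
    inside multipart/mixed -> multipart/alternative is still found.
    """
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            found.append((part.get_content_type(), part.get_filename()))
    return found


def mail_policy(raw: str) -> str:
    """'reject' if the message contains any HTML part, otherwise 'accept'."""
    return "reject" if html_parts(raw) else "accept"


# ---- constructed sample messages (not real traffic) ----

def _headers(msg: EmailMessage, subject: str) -> EmailMessage:
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    return msg


def plain_sample() -> str:
    """Single-part text/plain message: should be accepted."""
    m = _headers(EmailMessage(), "constructed plain-text sample")
    m.set_content("Meeting notes are in the body, plain text only.\n")
    return m.as_string()


def bare_html_sample() -> str:
    """Single-part text/html message (no multipart wrapper): should be rejected."""
    m = _headers(EmailMessage(), "constructed bare-HTML sample")
    m.set_content("<p>Body sent as HTML only.</p>", subtype="html")
    return m.as_string()


def alternative_sample() -> str:
    """multipart/alternative with a plain twin and an HTML twin: rejected under this policy."""
    m = _headers(EmailMessage(), "constructed multipart/alternative sample")
    m.set_content("Please review the attached document.\n")
    m.add_alternative("<p>Please review the <b>attached</b> document.</p>", subtype="html")
    return m.as_string()


def nested_sample() -> str:
    """multipart/mixed: plain body plus an HTML file attachment: rejected."""
    m = _headers(EmailMessage(), "constructed nested-attachment sample")
    m.set_content("Here is the report.\n")
    m.add_attachment("<html><body>report</body></html>",
                     subtype="html", filename="report.html")
    return m.as_string()


def triage() -> dict:
    """Apply the policy to each constructed sample; handy for a quick run."""
    return {
        "plain": mail_policy(plain_sample()),
        "bare_html": mail_policy(bare_html_sample()),
        "alternative": mail_policy(alternative_sample()),
        "nested": mail_policy(nested_sample()),
    }


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:12s} -> {verdict}")
```

The check is on the declared MIME type of each part, which is the right level for a bounce-at-the-border rule: it does not need to render or sniff the body, and it catches HTML wherever it sits in the MIME tree rather than only at the top level.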

    5. Pablo

      Hold on to what?

      I wouldn't be too hard on them, if these were targeted attacks then we're not talking about the typical "Warming! There is a problem of your account. Please clicker here so we can be conferming your information. You account may be terminated!" phishing emails.

      If an attacker is willing to put some time into it, I don't think it would be that hard to create an email convincing enough to fool all but the most paranoid. It needn't be a hit-and-run either. They could exchange a few apparently legitimate and relevant messages to build up trust first. I'm only speculating, but from everything we've heard they're much more sophisticated than the average phishing scam.

  15. Tom 7
    FAIL

    MS::real world interface fail

    NT

  16. Hayden Clark Silver badge
    Badgers

    technology leaders != techies

    Otherwise, what would "senior technology leaders that had access to core pieces of intellectual property, source code" be doing running IE?

  17. Anonymous Coward
    WTF?

    Admin rights

    Tut tut, users should not be allowed to run with admin rights; this would have prevented the attack. Not to mention training these 'high' up staff NOT to open any old attachment.

  18. amanfromMars 1 Silver badge
    Grenade

    And in a Variation on Publicly Unknown ZerodDay Vulnerability Exploit BetaTesting ....

    "In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer," Kurtz wrote. "Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

    Err, all the best exploits of a vulnerability in any System, are always privately known and carefully discussed with publicity unwelcome for there is always the matter of Danegeld to be paid in order to ensure that the vulnerability does not morph into an attack vector because of non-payment of the insurance premiums, which would be the Danegeld, which would have allowed the exploit policed by those who would have discovered it, able to advise and build defences around it to deflect away anyone else who would also stumble upon/suddenly realise the fundamental flaw which might be, in the holiest grail of holy grails of exploit search and destroy missions, the unpatchable vulnerability which will always require Danegeld Policing ..... as opposed to Random Beautifully Exorbitant Ransom Demands, which if not Regularly Paid to Unscrupulous and/or Rightly Aggrieved Souls, will Lead to Systems Total Collapse rather than Total Systems FailSafeGuard.

    For as sure as Eggs are Eggs, anything which can be found once, and is not patched and policed against further discovery with a misleading false trail deflecting interest and attention elsewhere to nowhere vulnerable, will be easily found again and maybe definitely probably certainly more ruthlessly exploited to create Collapse with no possibility of Preventative Measures with Insurance Payments to Assure against the Devastation.

    Find those Flaws and Vulnerabilities in a System and you will be in Key and NEUKlearer Trigger Command and Control of the System and those who would presume themselves to be in Control of its Powers ..... Remotely and Virtually. And in a Position to Dictate Terms and Conditions if your New Rights to such a Position are Abused or Doubted rather than Recognised and Rewarded.

    It is a Well Known Fact, even in the World of the Unknown, that the Best Gamekeepers are Expert Poachers ...... the Best Cops, Smarter Crooks ...... the Best Spies, Excellent Actors ..... the Greatest Programmers , Cracking Code Hackers?

  19. Pigeon

    yebut

    The bods in Sales and Accounts, and many tech types will consider it onerous to be forced to use desktop tools which differ from the ones on their home computers or laptops. Security will not be a primary concern. I once read that Scott McNealy said all his staff use non M$ software, but I take that with a pinch of NaCl.

    I understand how onerous it is, after spending dreary days being forced to write Word documents, usually by using other peoples docs as templates, and overwriting the text. IE infuriated me. It's different! I can't cope!

    A major part of 'data processing' is now involved in converting relational datasets into corruptible spreadsheets. A company's accounts are a spreadsheet now, whatever the techies might think. So there will be an awful lot of company secrets on machines with IE.

  20. Darren Mansell
    WTF?

    OS Choice

    TBH, it's not the fact that it was IE that shocked, it's that people in Google are using Windows. I really don't see any need for them to be using it at all? They won't be using Exchange and I doubt they have their whole documentation library in Word format with lots of dodgy macros so why wouldn't they all be using something like Ubuntu?

    1. Volker Hett

      OS Choice

      Even Google has to test its offerings with the most used platform. Nobody would use gmail, earth, picasa whatever if it wouldn't work with Windows.

  21. Patrick O'Reilly
    Linux

    Others

    And just how many of Google's Ubuntu powered machines were compromised?

  22. Daniel 1

    From my reading, the attack targeted developers

    "It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera."

    The 'sophistication' of the attack, here, seems to be at a Social Engineering level, rather than a technical one: knowing who to hit. So, yes, the targeted individuals may well have had IE6 on their computers (or, at least, *a* computer, that they had access to, sitting fairly deep inside the corporate network) - maybe as a multiple-IE install, on a virtual box, or via their own internal version of that sort of theme (indeed, the 'undocumented vulnerability' may only exist when you run IE 6 in that context, who knows, at this stage?).

    Google developers generally use (or used - back when I knew these things with more certainty than I do, now) Linux laptops - typically high spec Latitudes - and are believed to use Konqueror, quite a lot (Google employees have been known to forward Google links to external recipients, where you can see, from the URL, that Google has, itself, misidentified Konqueror as "Safari" running on 64 bit Linux), but they will have had access to some sort of machine running IE 6: it's their job to do so.

    If, as a developer, you got an email that appeared to be from a legitimate source, that explicitly asked you to take a look at something *in* IE 6, you might fire up a test machine or virtual box, load up IE 6 and hit the link. You might notice something was amiss, at this stage, because of the way your hard drive began thrashing like a washing machine, or the fact that your network card lit up like Christmas, but by then the exploit is running - albeit, perhaps, in some sort of memory sandbox.

    It really is starting to sound like it was a question of who was hit, and how they were hit, that led to such an unequivocal response from Google.

  23. Anonymous Coward
    Anonymous Coward

    wait

    So apart from a bit of circumstantial evidence (IP address sources?) there is nothing to indicate that these attacks were launched by the Chinese government? The US Government? Russian hackers? American hackers?

    I don't buy this, but it looks like it's gone the way of swine flu. Keep milking it reg keep milking...

  24. AlistairJ
    FAIL

    It's not the CEOs at fault

    Very few top-level execs either have a laptop older than 18 months, or regular access to real important stuff like code, papers etc. No, this is down to poor IT practices and regular employees like you and me. Oh the humility.

    Personally I would vote for Piers Morgan in the top job at Microsoft. That really would be the icing on the cake.

  25. amanfromMars 1 Silver badge
    Pirate

    Well, I never ..... Celts and Vikings Tasking Masking Trojans for In Cloud Configuration?

    Hmmmm ?! It is quite spooky to watch the excellent FSecure YouTube video, "Targeted Attacks", hosted on El Reg here.... http://www.theregister.co.uk/2010/01/14/google_china_attack_analysis/ .... which advises on the same or a very similar likely targeted attack mindset scenario and progression as was shared in the earlier HyperRadioProActive post here, on this thread ..... "And in a Variation on Publicly Unknown ZerodDay Vulnerability Exploit BetaTesting ....", Posted Friday 15th January 2010 07:37 GMT [although there is, since El Reg changed the message board format , an obfuscating time differential between the time a post is submitted for display publication and the time shown should it appear in the subsequent discussion/threaded response, which suggests a later posting time because of .....??? Server Message Blocks/Snoop Activity/Active Positive Vetting/Nothing Sinister Actually, and with some delays in Moderation as to effectively Neuter some Hot Topics, which is a Shame in Registered AIdDynamically Frenetic Great Global Games?]

    Certainly the latter half segments of both presentations are in Virtual Sync. and the almost identical analogous use of hobbyist, criminals and spies in the presentations would be unusually at one with each other?

  26. Robert Carnegie Silver badge

    Chrome has an MSIE version

    Remember that you can install Google Chrome as a plugin in Internet Explorer. So developers have that reason to run MSIE, to test it on the web.

    Since Chinese people can't say the letter R, I think it's unlikely that they called their hacking project Aurora. It would be like sharing an office with a hundred stammering Jonathan Rosses. After two weeks of getting no work done, they'd surely change the name to Opewation Four Poofs. (Of course, some readers won't know what this has to do with Jonathan Ross, or who he is.)

  27. The Fuzzy Wotnot
    WTF?

    F**king MS!

    MS spokesperson said:

    "Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity."

    WTF?!?!

    NO! It's bloody scary, not unfortunate! Unfortunate is if you trip over something while not paying attention. A piece of software, that is in use by millions, that has years of history, allows the entire O/S to be compromised, that's negligence bordering on criminal.

  28. Neal 5

    Oh my,oh my, oh my

    Vulnerability that affects all version of Windows inc. 7

    I'm sure you're right Dan, I can't be bothered to argue.

    Just tell me please, how the fuck am I going to get IE 6 on any of my versions of Win 7, which comes with IE 8 as standard part of the system, or to add to that count, how the fuck am I going to get IE 6, on any of my Vista versions which come with IE 7 as standard and integral part of the OS.

    Not that I'm a leading technology officer at any major recently hacked leading Technology company.

    So I'd have to go some to intently downgrade my IE to a sub standard version in the first place, but then like I said, I'm not a leading technology officer in a leading recently hacked technology company, or anything.

    1. Volker Hett

      Better downgrade to IE 5.01

      Since this is the only version known to be unaffected, somewhere in the basement must be an old iMac running OS9 and IE 5, might be just right for those who can't live without IE :)

  29. Parax
    Alert

    Aurora?

    I'd really lol if it was Mckinnon again...

  30. GettinSadda

    Targeted attacks

    It is really difficult, almost impossible really, to prevent even a careful user becoming the victim of an intelligently targeted attack.

    If your target is a senior person in a tech company things like the following may work:

    * Discover that the target is a member of a group that tests interoperability of code from different suppliers (such as a GMail senior tech meeting with various browser manufacturers on a regular basis)

    * Get access to minutes of meetings of the group or other internal documents that are unlikely to be highly protected via easier hacking (if you are lucky you may even find the info you need in public documents)

    * Craft an e-mail forged to be from a person in the group to the target - if you have found enough nice info this will be able to be a really specific e-mail that could sound so plausible that the target will not think twice.

    Example message:

    "Hi Dave,

    Remember that rendering bug that I mentioned last November for inlined PNGs? One of our outsourced developers has found something else similar. The easiest way to see this in action is to view the example they have set up directly on their test machine at http://123.45.67.89/gmail-test/renderbug.html

    Brian"

    If you think the IP address may scare them off just direct them to "internal.opera-dev.com" or some such, or even "I have a copy on my home machine at brian-smith.dyndns.org"

  31. Gordon 10
    Coffee/keyboard

    LinkedIn?

    What's the betting that just by skulking about on LinkedIn for a while any hacker would be able to harvest enough job-related data on a target company's senior developers to craft a reasonably believable social engineering attack?

    I find it hard to believe they targeted CIOs looking for source code. Financial docs yes - source code not a chance.

  32. Version 1.0 Silver badge
    FAIL

    Curious

    It's interesting that the same vulnerability exists in so many versions of IE - I think it's reasonable to ask just how much code in the current version has never been re-written or checked since MS introduced the wonders of scripting to the world.

    It's not like we're all standing around going, "There's a vulnerability in scripts? I can't believe it!" ... so it's probably reasonable to expect that where one bug exists ... there will be more - and if the code was written back in the days when VB was seen as a blessing and hasn't been examined since...
