Feeds

IE zero-day used in Chinese cyber assault on 34 firms

Operation Aurora unveiled

  • alert
  • submit to reddit

Remote control for virtualized desktops

Updated Hackers who breached the defenses of Google, Adobe Systems and at least 32 other companies used a potent vulnerability in all versions of Internet Explorer to carry out at least some of the attacks, researchers from McAfee said Thursday.

The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks, McAfee CTO George Kurtz wrote in a blog post. Using a sophisticated spear-phishing campaign, the perpetrators included malicious links exploiting the bug in emails and instant messages sent to employees from at least three of the targeted companies.

Contrary to previous speculation, there was no evidence vulnerabilities in Adobe's Reader or Acrobat applications were used in any of the attacks, Kurtz said. In its own statement, adobe concurred, saying researchers "have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident."

Kurtz said his findings were based on malware samples taken from "three to five" of the targeted companies and he stressed that other zero days or exploits could have been used against other victims.

"In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer," Kurtz wrote. "Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions.

McAfee's report is the latest to shed light on one of the most significant cyberattacks in years. Google first disclosed the "highly sophisticated and targeted attack" on Tuesday, saying it originated in China and targeted its intellectual property. It added that 20 other companies suffered similar assaults, a number that independent researchers soon raised to 34. So far, only Google and Adobe have been identified as victims.

Yahoo, Symantec, Northrop Grumman and Dow Chemical have also been penetrated according to The Washington Post, citing unnamed "congressional and industry sources."

The malware that McAfee researchers analyzed was sent to a highly select group of employees of a handful of companies that Kurtz declined to identify.

"This wasn't something that got blasted to 300,000 people in a corporation," Kurtz said in an interview with The Register. "It was really targeted at senior technology leaders that had access to core pieces of intellectual property, source code, et cetera."

Kurtz has dubbed the attack "Aurora," a reference to the filepath on the attacker's machine that showed up in some of the malware code McAfee researchers analyzed. They believe that is the name the attackers gave to the operation. There was nothing in the binaries that indicated either way whether the code writers spoke Cantonese or Mandarin or were located in China.

The IE vulnerability stems from an invalid pointer reference that when exploited allows an attacker to execute malicious shell code on underlying machines. The malware caused exploited machines to download further malicious scripts that installed a backdoor. The machines then connected to command and control channels that were hosted on servers that resided in the US and Taiwan.

A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn't say when an update would be released that patches the vulnerability. ®

This article was updated throughout to add additional details from Kurtz, Microsoft and Adobe.

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.