Feeds

MS knew of Aurora exploit four months before Google attacks

China light on the matter

Remote control for virtualized desktops

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged.

Redmond's security gnomes finally got around to patching the exploit on Thursday. Microsoft's advisory accompanying its cumulative update for IE credited Meron Sellem of Israeli firm BugSec for reporting the HTML Object Memory Corruption Vulnerability (CVE-2010-0249), the zero-day vulnerability used in the now infamous attacks.

BugSec's bulletin states that it reported the bug to the software giant on 26 August. The bug affected IE 6, IE 7 and IE 8 (the latest version), but the hack attacks against Google et al targeted IE 6, a browser first released in 2001. Exploits involved tricking users of vulnerable browsers into visiting booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and other malicious components onto compromised PCs.

ThreatPost, a Kaspersky Labs news service, reports that a patch against the flaw was lined up for release in February. It was published early in response to the row that followed Google's surprise admission last week, that the bug was being exploited in cyber-espionage attacks targeting it and other hi-tech firms.

Software vendors in general often take months to develop security fixes, a process that often involves a great deal of testing work. An unfortunate set of events meant that this particular bug became one of the most infamous in years. Even now we know the details, the future potency of the bug is far from immediately apparent.

A quick search of Secunia's database, via its PSI patching tool, reveals a problem with an unpatched ActiveX control that looks just as bad, for example.

More discussion on whether Microsoft's patch was tardy or not, and the role of the vulnerability in the Operation Aurora attacks (it may not have been the only vector), can be found in a blog entry by Graham Cluley of Sophos here. ®

Remote control for virtualized desktops

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.