07:20 PM
Connect Directly

Attackers Employed IE Zero-Day Against Google, Others

Microsoft issues workaround for the attack; McAfee christens the Chinese hacks 'Aurora'

Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against Google and other companies' networks -- and Microsoft today responded with an advisory that helps mitigate attacks that exploit this previously unknown flaw.

Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim's machine, was one of the attack vectors used in the wave of attacks, and, so far, it's only being used against IE 6 browsers. The attack occurs when a user visits a malicious or infected Website by clicking on a link within an email or instant message, and it also could be set to attack via banner ads, according to Microsoft.

The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band," blogged Mike Reavey, director of the Microsoft Security Response Center.

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting Internet security zone security settings to "high" as ways to protect against this attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it could be written to work "reasonably" on IE 7 and IE 8 XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.

McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources."

Alperovitch says so far this exploit has been consistent as the initial exploitation method it has seen in the victim environments.

Experts and sources close to the investigations have said the Chinese attackers used infected PDF attachments, as well as Excel and other types of files, to lure the victims and infect them. And Microsoft's Reavey noted in his blog that IE was "one of several attack mechanisms" used in the attacks.

But Alperovitch says McAfee has seen no sign of any infected PDF files. "There has been no evidence of any Adobe PDFs or other exploitation vectors. But that's not to say there aren't any," he says, noting McAfee hasn't seen every victim's environment.

Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that there's no evidence Adobe Reader or other Adobe tools were used as attack vectors against Adobe, which, along with Google, revealed this week it was among the companies that had been targeted by Chinese hackers.

"Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010," Arkin blogged about the attack on Adobe.

Meanwhile, McAfee's Alperovitch says the attacks were nothing like he had seen before in the commercial space. "We've seen [sophisticated] attacks in government like this, but this is the most sophisticated one I've seen in the commercial space," he says.

There were several layers of encryption surrounding the exploit and other malware, as well as obfuscation techniques to avert discovery. "There was a lot of effort put into this. It underscores the threat we're seeing in the government space, and they are coming to the commercial space" now, he says.

"Aurora is an eye-opener," he says.

IOActive's Kaminsky says the big news is not there were new bugs in IE or Acrobat: "Bugs in IE and Acrobat happen," he says. "The interesting thing is who's doing the attacking and what people are doing about it.

"People aren't surprised to see that there are potentially state-linked actors hacking into large companies. That's been going on for a while. But we are surprised to see that an accusation is actually being made about it and with heft behind it," he says. "There are consequences here in Google policy and action from the State Department, which is an unprecedented component."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version that could allow a malicious user with local access to execute code with administrative privileges.
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.