07:20 PM
Connect Directly

Attackers Employed IE Zero-Day Against Google, Others

Microsoft issues workaround for the attack; McAfee christens the Chinese hacks 'Aurora'

Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against Google and other companies' networks -- and Microsoft today responded with an advisory that helps mitigate attacks that exploit this previously unknown flaw.

Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim's machine, was one of the attack vectors used in the wave of attacks, and, so far, it's only being used against IE 6 browsers. The attack occurs when a user visits a malicious or infected Website by clicking on a link within an email or instant message, and it also could be set to attack via banner ads, according to Microsoft.

The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band," blogged Mike Reavey, director of the Microsoft Security Response Center.

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting Internet security zone security settings to "high" as ways to protect against this attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it could be written to work "reasonably" on IE 7 and IE 8 XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.

McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources."

Alperovitch says so far this exploit has been consistent as the initial exploitation method it has seen in the victim environments.

Experts and sources close to the investigations have said the Chinese attackers used infected PDF attachments, as well as Excel and other types of files, to lure the victims and infect them. And Microsoft's Reavey noted in his blog that IE was "one of several attack mechanisms" used in the attacks.

But Alperovitch says McAfee has seen no sign of any infected PDF files. "There has been no evidence of any Adobe PDFs or other exploitation vectors. But that's not to say there aren't any," he says, noting McAfee hasn't seen every victim's environment.

Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that there's no evidence Adobe Reader or other Adobe tools were used as attack vectors against Adobe, which, along with Google, revealed this week it was among the companies that had been targeted by Chinese hackers.

"Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010," Arkin blogged about the attack on Adobe.

Meanwhile, McAfee's Alperovitch says the attacks were nothing like he had seen before in the commercial space. "We've seen [sophisticated] attacks in government like this, but this is the most sophisticated one I've seen in the commercial space," he says.

There were several layers of encryption surrounding the exploit and other malware, as well as obfuscation techniques to avert discovery. "There was a lot of effort put into this. It underscores the threat we're seeing in the government space, and they are coming to the commercial space" now, he says.

"Aurora is an eye-opener," he says.

IOActive's Kaminsky says the big news is not there were new bugs in IE or Acrobat: "Bugs in IE and Acrobat happen," he says. "The interesting thing is who's doing the attacking and what people are doing about it.

"People aren't surprised to see that there are potentially state-linked actors hacking into large companies. That's been going on for a while. But we are surprised to see that an accusation is actually being made about it and with heft behind it," he says. "There are consequences here in Google policy and action from the State Department, which is an unprecedented component."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.