Attackers Employed IE Zero-Day Against Google, Others

Microsoft issues workaround for the attack; McAfee christens the Chinese hacks 'Aurora'

Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against Google and other companies' networks -- and Microsoft today responded with an advisory that helps mitigate attacks that exploit this previously unknown flaw.

Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim's machine, was one of the attack vectors used in the wave of attacks, and, so far, it's only being used against IE 6 browsers. The attack occurs when a user visits a malicious or infected Website by clicking on a link within an email or instant message, and it also could be set to attack via banner ads, according to Microsoft.

The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band," blogged Mike Reavey, director of the Microsoft Security Response Center.

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting Internet security zone security settings to "high" as ways to protect against this attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.
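A quick way for an administrator to confirm that both of the workarounds described above are actually in place on a Windows host; this is an added audit helper, not code from the article or from Microsoft's advisory. It assumes the Internet zone level is stored under the standard `HKCU:\...\Internet Settings\Zones\3` key as the documented `CurrentLevel` constants, and reads the OS-wide DEP policy from `Win32_OperatingSystem`; it does not read IE's own per-browser memory-protection toggle.

```powershell
# Added audit helper (not from the Dark Reading article or the Microsoft advisory).
# Assumptions: zone 3 is the Internet zone and CurrentLevel uses the documented
# constants below; DEP policy comes from Win32_OperatingSystem (0..3 as mapped).

$ZoneLevels = @{
    0x10000 = 'Low'
    0x10500 = 'Medium-Low'
    0x11000 = 'Medium'
    0x11500 = 'Medium-High'
    0x12000 = 'High'
}

function Get-InternetZoneLevel {
    # The workaround asks for the Internet zone to be set to "High" (0x12000).
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $level = [int](Get-ItemProperty -Path $key -Name CurrentLevel -ErrorAction Stop).CurrentLevel
    $name  = if ($ZoneLevels.ContainsKey($level)) { $ZoneLevels[$level] } else { 'Custom' }
    New-Object PSObject -Property @{
        Raw    = ('0x{0:X}' -f $level)
        Name   = $name
        IsHigh = ($level -eq 0x12000)
    }
}

function Get-DepPolicy {
    # Under OptIn, only processes that opt in get DEP; IE 8 opts in by default,
    # which is why the article notes earlier IE versions need DEP enabled by hand.
    $os    = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $pol   = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        Available        = $os.DataExecutionPrevention_Available
        Policy           = $names[$pol]
        NeedsIeOptIn     = ($pol -eq 2)   # IE 6/7 must opt in themselves under this policy
        EnforcedForAll   = ($pol -eq 1)   # AlwaysOn covers every process, including old IE
    }
}

function Test-AuroraWorkarounds {
    $zone = Get-InternetZoneLevel
    $dep  = Get-DepPolicy
    New-Object PSObject -Property @{
        InternetZone = $zone.Name
        ZoneIsHigh   = $zone.IsHigh
        DepPolicy    = $dep.Policy
        # Only a hard pass when the zone is High and DEP is not left to per-app opt-in
        Compliant    = ($zone.IsHigh -and $dep.Available -and -not $dep.NeedsIeOptIn)
    }
}

Test-AuroraWorkarounds | Format-List
```

Run it in the affected user's session, since the zone level is a per-user (HKCU) setting.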

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it could be written to work "reasonably" on IE 7 and IE 8 XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.

McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources."

Alperovitch says that, so far, this exploit has consistently been the initial exploitation method McAfee has seen in the victim environments.

Experts and sources close to the investigations have said the Chinese attackers used infected PDF attachments, as well as Excel and other types of files, to lure the victims and infect them. And Microsoft's Reavey noted in his blog that IE was "one of several attack mechanisms" used in the attacks.

But Alperovitch says McAfee has seen no sign of any infected PDF files. "There has been no evidence of any Adobe PDFs or other exploitation vectors. But that's not to say there aren't any," he says, noting McAfee hasn't seen every victim's environment.

Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that there's no evidence Adobe Reader or other Adobe tools were used as attack vectors against Adobe, which, along with Google, revealed this week it was among the companies that had been targeted by Chinese hackers.

"Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010," Arkin blogged about the attack on Adobe.

Meanwhile, McAfee's Alperovitch says the attacks were nothing like he had seen before in the commercial space. "We've seen [sophisticated] attacks in government like this, but this is the most sophisticated one I've seen in the commercial space," he says.

There were several layers of encryption surrounding the exploit and other malware, as well as obfuscation techniques to avert discovery. "There was a lot of effort put into this. It underscores the threat we're seeing in the government space, and they are coming to the commercial space" now, he says.

"Aurora is an eye-opener," he says.

IOActive's Kaminsky says the big news is not that there were new bugs in IE or Acrobat: "Bugs in IE and Acrobat happen," he says. "The interesting thing is who's doing the attacking and what people are doing about it.

"People aren't surprised to see that there are potentially state-linked actors hacking into large companies. That's been going on for a while. But we are surprised to see that an accusation is actually being made about it and with heft behind it," he says. "There are consequences here in Google policy and action from the State Department, which is an unprecedented component."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
