Attackers Employed IE Zero-Day Against Google, Others

Microsoft issues workaround for the attack; McAfee christens the Chinese hacks 'Aurora'

Attackers used a zero-day vulnerability in Internet Explorer in their targeted attacks against Google and other companies' networks -- and Microsoft today responded with an advisory that helps mitigate attacks that exploit this previously unknown flaw.

Microsoft says the flaw in IE, which allows for remote code execution attacks on a victim's machine, was one of the attack vectors used in the wave of attacks, and, so far, it's only being used against IE 6 browsers. The attack occurs when a user visits a malicious or infected Website by clicking on a link within an email or instant message, and it also could be set to attack via banner ads, according to Microsoft.

The affected versions of the browser are IE 6 Service Pack 1 running on Microsoft Windows 2000 Service Pack 4, and IE 6, IE 7 and IE 8 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

"Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6 at this time. Our teams are currently working to develop an update, and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out of band," blogged Mike Reavey, director of the Microsoft Security Response Center.

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting Internet security zone security settings to "high" as ways to protect against this attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it could be written to work "reasonably" on IE 7 and IE 8 XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.

McAfee -- which says it was not one of the victims of the attacks -- says it discovered the IE zero day while helping several victim companies in the wake of the attacks. Dmitri Alperovitch, vice president of threat research at McAfee, says the attack using the IE flaw was what allowed intruders to take over victims' machines and then access their company networks and resources. "All the user had to do was click on the link and the malware was automatically downloaded onto their machine, and it proceeded to update itself," Alperovitch says. "One of the modules was a remote-control capability that allowed them to take over the machine. From that point forward, they had access to the [victim's] network and could do reconnaissance and exfiltrate any data they encountered, and go after key resources."

Alperovitch says so far this exploit has been consistent as the initial exploitation method it has seen in the victim environments.

Experts and sources close to the investigations have said the Chinese attackers used infected PDF attachments, as well as Excel and other types of files, to lure the victims and infect them. And Microsoft's Reavey noted in his blog that IE was "one of several attack mechanisms" used in the attacks.

But Alperovitch says McAfee has seen no sign of any infected PDF files. "There has been no evidence of any Adobe PDFs or other exploitation vectors. But that's not to say there aren't any," he says, noting McAfee hasn't seen every victim's environment.

Meanwhile, Brad Arkin, director of product security and privacy for Adobe, blogged today that there's no evidence Adobe Reader or other Adobe tools were used as attack vectors against Adobe, which, along with Google, revealed this week it was among the companies that had been targeted by Chinese hackers.

"Similar to the McAfee researchers, we have not been able to obtain any evidence to indicate that Adobe Reader or other Adobe technologies were used as the attack vector in this incident. As far as we are aware there are no publicly known vulnerabilities in the latest versions (9.3 and 8.2) of Adobe Reader and Acrobat that we shipped on January 12, 2010," Arkin blogged about the attack on Adobe.

Meanwhile, McAfee's Alperovitch says the attacks were nothing like he had seen before in the commercial space. "We've seen [sophisticated] attacks in government like this, but this is the most sophisticated one I've seen in the commercial space," he says.

There were several layers of encryption surrounding the exploit and other malware, as well as obfuscation techniques to avert discovery. "There was a lot of effort put into this. It underscores the threat we're seeing in the government space, and they are coming to the commercial space" now, he says.

"Aurora is an eye-opener," he says.

IOActive's Kaminsky says the big news is not there were new bugs in IE or Acrobat: "Bugs in IE and Acrobat happen," he says. "The interesting thing is who's doing the attacking and what people are doing about it.

"People aren't surprised to see that there are potentially state-linked actors hacking into large companies. That's been going on for a while. But we are surprised to see that an accusation is actually being made about it and with heft behind it," he says. "There are consequences here in Google policy and action from the State Department, which is an unprecedented component."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights