News

Zero-Day IE Bug Exploited for Google Attack

• By Jabulani Leffall
• January 15, 2010

Microsoft continues to investigate the first zero-day exploit of 2010 surrounding Internet Explorer.

The company issued a security advisory encompassing various IE versions on Thursday. According to the advisory, IE has a vulnerability that can enable remote code execution attacks. The flaw stems from an "invalid pointer reference" in the Web browser.

Most versions of IE have the vulnerability. IE 6 Service Pack 1 on Microsoft Windows 2000 SP4 has the bug. Moreover, the flaw exists in IE 6, IE 7 and IE 8 on supported editions of Windows XP, Vista and Windows 7, plus Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2.

Antivirus software company McAfee claimed discovery of the bug earlier in the week. McAfee described the hacking operation as "operation aurora," claiming that hackers were attempting to use the IE vulnerability and social engineering techniques to steal intellectual property from Google and other companies.

Google disclosed that it was attacked on Tuesday. On Thursday, Microsoft's security team confirmed that the hackers had used the flaw in IE to try to steal information from Google and other companies.

"Based on our investigations into these attacks, as well as the investigations of others, we recently became aware that a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies," wrote Mike Reavey, Microsoft's director of security response, in a blog post.

The name "aurora" was apparently the file-path handle hackers used for their invalid pointer reference attack, according to McAfee's blog. The attack appears to require the diversion of a user to a malicious Web page, perhaps through an e-mail link. It can be triggered via a Web page's banner ad or hypertext link, according to McAfee. The idea is for users to download and run executable malware that may help attackers access a network.

"It's hard to imagine a cyber breach with bigger ramifications than this one unless it involved some infrastructure capacity," said Andrew Storms, director of security at nCircle. "The scope and the targeting of this breach should grab not just the IT manager's attention but every CEO's attention."

Microsoft said in its advisory that it was aware of limited but "active attacks attempting to use this vulnerability against Internet Explorer 6." Attacks against other IE versions have not been seen so far, according to Microsoft. Nevertheless, the company plans to "continue to monitor the threat environment and update this advisory if this situation changes."

More such attacks may be seen throughout this year.

"I think we're going to see these types of attacks again and again in 2010, and since this has potential ties to the well-publicized attacks reported earlier in the week to Google, it's imperative that businesses take quick action to protect themselves," said Michael Sutton, vice president of security research at Zscaler.

Microsoft suggested that configuring IE's Internet zone security setting to "high" will protect users from the vulnerability mentioned in this latest advisory. Adjusting the zone setting in IE will serve as a workaround until Microsoft comes up with another monthly patch or specific hotfix.