Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
IE flaw gave attackers entry, says McAfee
Published: 2010-01-14

A remotely exploitable flaw in Microsoft's Internet Explorer allowed attackers operating from Chinese servers to infiltrate at least one company, security firm McAfee stated in an advisory on Thursday.

The previously unreported vulnerability allows an attacker to compromise a victim's system just by loading a page from the Internet, the company said. The vulnerability is in all versions of Microsoft's Windows operating system, including Windows 7, it's most recent and secure OS, McAfee claims.

Previous reports claimed that attackers used a flaw in Adobe's Acrobat and Reader software to infiltrate targeted systems. McAfee's report underscores that some of the attacks used other vectors.

"While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios," said George Kurtz, chief technology officer of McAfee in a blog post. "So there very well may be other attack vectors that are not known to us at this time."

On Tuesday, Google announced that it is considering exiting the Chinese market after sophisticated online attacks targeted its systems to breach the Gmail accounts of pro-democracy activists. The attack -- first noticed in mid-December and considered "highly sophisticated and targeted" -- resulted in the "theft of intellectual property" and affected at least twenty other companies, and as many as 34, according to sources.

Microsoft released an advisory on Thursday, describing the issues as an invalid pointer reference that affects Internet Explorer 6, 7, and 8 on all versions of Windows. Running in protected mode on Windows Vista and later versions of Windows limits the vulnerability, Microsoft said.

The exploit, as written, would only work on Internet Explorer 6 and Windows XP, according to Dan Kaminsky, IOActive's director of penetration testing. Kaminsky, who had analyzed a "couple of samples," said that, while the exploit could be made to work on Internet Explorer 7 and 8 on Windows XP, getting it to work on Windows Vista and Windows 7 would be very difficult, because of those operating systems' defenses.

"The vulnerability is present on all versions of IE, but because ASLR (Address Space Layout Randomization) is in place on Windows 7 and Windows Vista, those are much harder to attack," Kaminsky said.

McAfee researchers found the name "aurora" in the file path of the software, so they have dubbed the attacks "Aurora." Confusingly, the name was also used in 2007 to describe a specific test showing the efficacy of cyber attacks on power infrastructure.

McAfee's Kurtz stated that the attacks demonstrate that companies have to worry about more than just data breaches and financial threats.

"The world has changed," Kurtz stated. "Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private non-financial customer information and anything else of intangible value."

UPDATE: The article was updated with a comment from IOActive's Dan Kaminsky and information provided by Microsoft in it's bulletin.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus