January 15, 2010

Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.

This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.

15 thoughts on “Exploit in the Wild for New Internet Explorer Flaw

  1. Reid

    On January 12, the New York Times reported that Secretary of State Hillary Clinton acknowledged that relations with China were entering a “rough period” as the US agreed to provide defensive arms to Taiwan and President Obama plans to meet with the Dalai Lama.

    It would appear that China is showing its displeasure by flexing a little muscle in the cyberwarfare arena. No doubt this is just the first salvo. Welcome to the 21st century.

  2. Steve

    “Chinese hacking groups”

    From what I read in recent reports in the popular press, it seems there is more confidence that the Google attack was instigated by the Chinese government.

    1. BrianKrebs Post author

      I don’t think it’s been conclusively determined that the Chinese government itself was involved, although that’s certainly been speculated. Attribution in these sorts of attacks is almost impossible.

      But, yes, the Chinese government has shown itself before willing to support or at least do nothing to discourage patriotic hacking on the part of nationalistic hacker groups. The government there has even been known to sponsor hacking competitions among these groups.

      One of them, which I mention indirectly in the About the Author page on this blog, is the Honker Union of China, a group whose members were thought to be responsible for the Lion worm, among other big attacks (some have pinned the Slammer worm on this group).

      1. yuk bon

        the google attacks were against dissidents, no? I can’t see how anyone other than the chinese government would bother with that.

      2. PJ

        Wasn’t there some speculation about Microsoft source code that was viewed by China?

  3. JohnJ

    Speaking of alternative browser security, I find it strange that FireFox doesn’t support Vista/Win7 Protected Mode.

    Since Google was compromised, does that that mean that they were running the ancient IE6?

  4. M Henri Day

    George Kurtz’s «McAfee Security Blog» has the following to say on the matter :

    «Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7. Still, so far the attacks we’ve seen using this vector have been focused on Internet Explorer 6. Microsoft has been working with us on this matter and we thank them for their collaboration.»

    The above isn’t what one would call pellucid, but I interpret it to mean that *all* versions of IE, including IE8 which is installed by default on Windows 7, are affected. Google China may well have been testing websites and services on IE6, as, according to StatCounter’s statistics (http://preview.tinyurl.com/y933y5o ), as many as 60 % of Chinese users are still running this ancient, and very unsafe browser (in a country where the domination of IE is total – perhaps the Chinese would do well to test other browsers ?). But I find it hard to believe that Google employees, as aware as they must be of security concerns, would have been using the browser for anything other than the purposes described above. And Google’s servers run Linux OS, so I find it difficult to imagine that IE, and in particular, IE6 could have been used as an attack vector to access privileged data, which presumably would not be available on computers used for testing how websites render. There are a fair number of factors in reports being promoted on the web that, to me at least, don’t seem to add up….


    1. Rick

      Servers, yes. But the individual boxes which might be directly accessible or through a targeted mail attack…

  5. Rick

    Or Safari for OS X even. Then you’re really secure! Or Chrome or FF for Linux or OS X or Camino for OS X. There are so many good alternatives!

  6. Steve

    This is something I just saw on a telecom e-mail list I subscribe to . . .


    Official German warning regarding use of Internet Explorer

    http://bit.ly/8AYPpE (Federal Office for Information Security – Bonn, Germany)

    http://bit.ly/8VkQsA (Google translation into English)

  7. lembark

    I’m noticing a pattern: In the last year a significant number of your articles note security holes in all available version of IE. The usual fix is to not use IE version-X (or altogether) “until” MS fixes the problem.

    Catch: There is always a new “problem” soon after.

    Perhaps the real problem is that IE is fundamentally insecure because of its design criteria: MS simply considers cute features more important than security.

    This offers an alternative fix for you to suggest: There are enough alternatives available on the market today — many of them free — that the only reasonable fix is to replace IE permanently.

Comments are closed.