The recent targeted cyber attacks against Google, Adobe and other major companies were fueled in part by a previously unknown — and currently unpatched — security flaw in Microsoft’s Internet Explorer Web browser, anti-virus vendor McAfee said today.
McAfee said its investigation revealed that one of the malicious software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.
George Kurtz, McAfee’s chief technology officer, said the IE vulnerability was just one of several previously unknown software flaws that were leveraged in the targeted attacks, which security experts at iDefense have said affected at least 33 different companies.
“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios,” Kurtz wrote in a posting to the company’s Security Insights Blog. “So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.”
Several sources, including McAfee, now say Microsoft plans to release more information later today about the vulnerability. A spokeswoman for Microsoft would not confirm that claim, saying only that “Microsoft is investigating these reports and will provide more information when it is available.”
UPDATE, 5:25 p.m: Microsoft has issued an advisory confirming the existence of a previously unknown vulnerability in all supported versions of IE on pretty much every supported version of Windows. The MS advisory is here.
In related news, names of additional victims of this targeted attack, which appears to have targeted trade secrets and source code, are starting to trickle out. The Washington Post is reporting that list includes Yahoo, Symantec, Northrop Grumman and Dow Chemical. A source told me that router maker Juniper Systems Inc. also may have been victimized, although I am still trying to confirm that claim.
Update, 10:34 p.m: Juniper issued the following statement about claims that it, too, was one of the nearly three dozen companies hit by targeted attacks: “Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. As with any investigation of this nature, Juniper does not disclose details.”
Since I use Vista and IE8, I found this Microsoft tidbit to be interesting:
“In addition, Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user’s machine. Customers should also enable Data Execution Prevention (DEP) which helps mitigate online attacks. DEP is enabled by default in IE 8 but must be manually enabled in prior versions.”
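The two mitigations named in the quoted advisory text, Protected Mode and DEP, can both be verified on a Windows host. The script below is an added example, not code from the post or from Microsoft, and it assumes Windows Vista or later with PowerShell 2.0 or newer, run as the user whose Internet Explorer settings are being inspected. The zone numbering (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and the per-zone value `2500` (0 = Protected Mode on, 3 = off) are the registry locations IE uses for the Protected Mode setting; the DEP policy comes from the `Win32_OperatingSystem` WMI class.

```powershell
# Added example (not part of the original post): report whether the two
# mitigations Microsoft's advisory text recommends are in effect locally.
# Assumes Windows Vista or later and that IE settings live under HKCU.

function Get-DepStatus {
    # Win32_OperatingSystem exposes the system-wide DEP policy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    New-Object PSObject -Property @{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $names[$policy]
        # With OptIn, only Windows binaries and applications that opt in
        # (IE8 does; IE7 and earlier do not unless configured) get DEP.
        IeCoveredByPolicy    = ($policy -eq 1 -or $policy -eq 3)
    }
}

function Get-ProtectedModeStatus {
    # Protected Mode is stored per security zone as DWORD value 2500:
    #   0 = enabled, 3 = disabled; absent = the zone's built-in default applies.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($id in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $base $id
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).2500
        }
        $state = switch ($value) {
            0       { 'Enabled' }
            3       { 'Disabled' }
            $null   { 'Not set (zone default applies)' }
            default { "Unknown value $value" }
        }
        New-Object PSObject -Property @{ Zone = $zones[$id]; ProtectedMode = $state }
    }
}

# Usage: run both checks and flag the cases a defender cares about.
$dep = Get-DepStatus
$dep | Format-List
if (-not $dep.HardwareDepAvailable) {
    Write-Warning 'Hardware DEP is not available; DEP cannot mitigate memory-corruption exploits here.'
}
if ($dep.Policy -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled system-wide; the IE8 default protection is not in effect.'
}

$pm = Get-ProtectedModeStatus
$pm | Format-Table -AutoSize
$pm | Where-Object { $_.Zone -eq 'Internet' -and $_.ProtectedMode -eq 'Disabled' } |
    ForEach-Object { Write-Warning 'Protected Mode is turned off for the Internet zone.' }
```

Group Policy can force these values from HKLM, in which case the HKCU values shown here are overridden; on managed hosts, check the same zone keys under `HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones` as well.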
The attack code has been made public by a University of California Santa Barbara computer lab (http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js). Consequently, the developers of Metasploit have released an exploit only one day after the publication of the code that will allow people to test their systems for this vulnerability (http://blog.metasploit.com/2010/01/reproducing-aurora-ie-exploit.html). It is likely that Core Technology and Immunity Labs have similar updates to their exploit frameworks. Hope this helps.