Microsoft says Google was hacked with IE zero-day
Summary: According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.
Hackers linked to China used a zero-day vulnerability in Microsoft's Internet Explorer browser to compromise corporate systems at more than 30 U.S. companies, including Google, Adobe and Juniper Networks.
According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.
Microsoft's confirmation, in the form of a security advisory, follows public statements from Google and Adobe that their corporate networks were breached by coordinated, sophisticated attackers based in China.
Google said the attacks were very targeted and resulted in the theft of intellectual property. Adobe confirmed its network was also breached in the same attacks but did not provide any details on what was stolen.
In a statement, Juniper Networks said it was investigating "a cyber security incident involving a sophisticated and targeted attack against a number of companies."
According to public chatter, the attackers originated in Taiwan and used, among other infrastructure, a hijacked Internet address owned by Rackspace. The hosting firm has confirmed that its systems "played a very small part" in the attacks.
Details on the cyber-attacks are beginning to trickle out. According to Dan Kaminsky, a security researcher who was briefed on the IE vulnerability used in one of the attacks, the exploit was targeted at a Windows XP machine running Internet Explorer 6.
This was confirmed by Mike Reavey, a director in the Microsoft Security Response Center. "To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6," Reavey said.
Here's the skinny from Microsoft's advisory:
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
The flaw affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
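The advisory's wording ("the invalid pointer to be accessed after an object is deleted") describes a use-after-free, and the reason that class of bug yields code execution is that the freed memory can be reclaimed by an allocation the attacker controls before the stale pointer is used. The C below is an added illustration, not code from the article or from Microsoft's advisory: it models the bug with a toy fixed-size heap, an element whose first field is a function pointer (standing in for a C++ vtable pointer), an event that keeps a raw pointer to that element, and a same-sized "spray" allocation that lands in the freed chunk. The allocator, the struct layouts, the spray and the reference-counted fix are all invented for the demonstration and say nothing about Internet Explorer's actual internals.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK   32   /* every toy-heap allocation is one fixed-size chunk */
#define NCHUNKS 8

/* A DOM-like element.  The first field is a function pointer, standing in
 * for the vtable pointer at the start of a real C++ object. */
struct element {
    void (*on_click)(struct element *);
    int  refcount;
    char tag[8];
};

/* Each chunk can be viewed as the element or as the raw bytes an attacker
 * controls: same memory, two interpretations. */
union chunk {
    struct element el;
    unsigned char  raw[CHUNK];
};

/* Toy heap with a LIFO free list: the chunk freed last is handed out next.
 * Real allocators behave the same for same-sized requests, which is what
 * lets an attacker reclaim a freed object's memory. */
static union chunk heap[NCHUNKS];
static int free_list[NCHUNKS];
static int free_top;

static void heap_reset(void) {
    memset(heap, 0, sizeof heap);
    free_top = 0;
    for (int i = NCHUNKS - 1; i >= 0; i--)
        free_list[free_top++] = i;
}
static union chunk *heap_alloc(void) { return &heap[free_list[--free_top]]; }
static void heap_free(union chunk *c) { free_list[free_top++] = (int)(c - heap); }

/* An event that remembers the element it fired on, as srcElement does. */
struct event { struct element *src; };

static int last_handler;  /* 1 = legitimate handler ran, 2 = attacker's code ran */
static void legit_on_click(struct element *e) { (void)e; last_handler = 1; }
static void attacker_code (struct element *e) { (void)e; last_handler = 2; }

/* Attacker-controlled allocation of the same size (say, a string the page
 * script builds right after the element is removed).  Its first bytes land
 * where the freed object's function pointer used to be. */
static void attacker_spray(void) {
    union chunk *c = heap_alloc();
    void (*fake_vtable)(struct element *) = attacker_code;  /* attacker-chosen address */
    memset(c->raw, 'A', CHUNK);
    memcpy(c->raw, &fake_vtable, sizeof fake_vtable);
}

static struct element *element_new(const char *tag) {
    struct element *e = &heap_alloc()->el;
    e->on_click = legit_on_click;
    e->refcount = 1;                       /* the document's reference */
    strncpy(e->tag, tag, sizeof e->tag - 1);
    return e;
}
static void element_ref(struct element *e)   { e->refcount++; }
static void element_unref(struct element *e) {
    if (--e->refcount == 0) heap_free((union chunk *)e);
}

/* Vulnerable flow: the event keeps a raw pointer, the document frees the
 * element anyway, and the next dispatch runs whatever the attacker put there.
 * Returns 2 (attacker's code ran). */
int run_vulnerable(void) {
    heap_reset();
    last_handler = 0;
    struct element *el = element_new("img");
    struct event ev = { el };              /* raw pointer, no reference taken */
    element_unref(el);                     /* removed from the document: freed */
    attacker_spray();                      /* freed chunk reclaimed with attacker bytes */
    ev.src->on_click(ev.src);              /* stale pointer: jumps to attacker_code */
    return last_handler;
}

/* Hardened flow: whoever holds a pointer holds a reference, so removal from
 * the document cannot free an object the event still points at.
 * Returns 1 (legitimate handler ran). */
int run_hardened(void) {
    heap_reset();
    last_handler = 0;
    struct element *el = element_new("img");
    struct event ev = { el };
    element_ref(ev.src);                   /* the event now owns a reference */
    element_unref(el);                     /* document lets go: refcount 1, still alive */
    attacker_spray();                      /* gets a different chunk */
    ev.src->on_click(ev.src);              /* the live object: legitimate handler */
    element_unref(ev.src);                 /* released only when the last holder is done */
    return last_handler;
}

int main(void) {
    printf("vulnerable: handler %d ran (2 = attacker's code)\n", run_vulnerable());
    printf("hardened:   handler %d ran (1 = legitimate)\n", run_hardened());
    return 0;
}
```

Build with `cc -std=c11 -Wall uaf_model.c` and run it; the vulnerable path reports the attacker's handler, the hardened path the legitimate one. The fix pattern shown, taking a reference for every stored pointer so the object outlives its last user, is the general remedy for this bug class; it is what makes the order of "remove element, allocate attacker data, fire event" irrelevant, whereas the "high" Internet zone setting the advisory recommends only removes the scripting the attacker needs to arrange that order.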
Here's the danger:
To exploit, an attacker could host a specially crafted Web site, or take advantage of a compromised website, and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these malicious Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message, that directs users to the attacker's Web site. It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems. The Microsoft investigation concluded that setting the Internet zone security setting to “high” will protect users from the vulnerability addressed in this advisory.
Microsoft is considering an out-of-band emergency IE patch to fix this vulnerability.

Talkback
Um, question
XP and IE6
What are the internal IT security policies in the company that wants us to feel secure using its software and services in general and secure in its cloud, storing our data, in particular?
Exactly my point
Seems hypocritical on their part - make your own browser and not even use it.
What a BS response.
that was making web based apps, content, and the likes, you would use all kinds of browsers, not just your own.
When I develop a webpage, or web content, I test to see how it will be rendered in the major 4 browsers, not just my favorite one to use. If your consumer base uses IE or FF predominately, you are going to make sure your stuff works, on the widely used browsers.
Can you not afford a test machine or use a VM?
It's usually safer to test in a VM.
expect that as long as they apply all of the updates for a browser as soon as they come out, that they aren't going to get hacked. Sadly this isn't the case with IE.
What does a VM provide for safety though?
When you're talking about isolating applications in total virtual operating system environments, if a piece of malware is well-written, it could easily spread over open network connections between the guest and host OS. A virtual machine has certain benefits in regards to restoring previous versions by having a management OS running below it, but OS's have a lot of backtrack and restoration functionality in them anyway. If you have a VM that gets infected badly, you still have to rebuild or restore that VM. That's not much less work than having to reimage an OS on hardware. If your backups are in order, it could take about 5 minutes to restore a backup on hardware. It'd take at least as much time to copy a VHD back for a VM or use an Undo disk.
It offers..
regardless of any bugs in the specific implementation of the specific version of the specific browser on the specific OS.
If you're in the business of making websites and web apps
That's what Virtual Box is for [NT]
I guess because..
browsers/OSs they feel like? Kind of like how some prominent members of the IE team use Firefox?
....or how web developers will use multiple versions?
Yes
As quoted in the article
editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, [b]Windows 7,[/b] and Windows Server 2008 R2 are affected.[/i]
I added the bolding, but I've seen at least 3 responders today insist that this has to have been a result of Google using IE6 with XP.
What I just quoted came from Microsoft. The idea the using IE 8 and Windows 7 would have avoided the problem is just as idiotic as those of my fellow Mac users who insist that the Mac is immune to malware.
Unless you were working for Google in China, you don't know what version of IE or Windows was in use. Why is it so important to blame this on old software? The truly important thing is knowledge that a threat exists.
Difference between XP and Win7
Now, there is a big difference between XP and Win7 (or Vista).
First, in Win7 there is no excuse for an ordinary user to run under an administrative account. This should have prevented the exploit from gaining system-wide access.
Second, IE protected mode should have prevented the malicious code from accessing most of the user files and registry settings.
Thus, the impact of this vulnerability on systems other than XP could have been smaller.
Yes, other browsers are not susceptible to specifically this vulnerability, but were it an undiscovered flaw in FireFox, the result could have been the same on XP: full system access.
Again, there would be less impact if they were using FireFox in Vista or Windows 7: no system access. If FireFox had protected mode or at least had been configured to run at the low integrity level, there would be no access to most of the user files and registry settings.
Of course if they run Linux, that would have been a whole different story, but they didn't.
So my question, based on what the Microsoft spokesman said, was: why did Google allow machines with the widely known least secure combination of OS and browser to access sensitive data?
Hmm..
spokesman said it was IE6, so allegedly it must have been XP, since Vista and Win7 do not ship with IE6.[/i]
IE6 can't be installed on Windows 7?
[i]Now, there is a big difference between XP and Win7 (or Vista).
First, in Win7 there is no excuse for an ordinary user to run under an administrative account. This should have prevented the exploit from gaining system-wide access.[/i]
In Windows 7, you get logged in an admin account by default, not a restricted account. Yet not too long ago the MS fanboys were harping on Google for not having HTTPS by default. Can't have it both ways. Which is it; do defaults matter, or don't they?
[i]Second, IE protected mode should have prevented the malicious code from accessing most of the user files and registry settings.[/i]
You assert it was IE6, and then you also assert IE protected mode should have prevented the attack.. so you are asserting that IE6 has protected mode? And also that the attack must have accessed registry settings or user files that the browser can't have access to (i.e. that nothing important could be accessed by the browser)? So whatever it was was stored and worked on offline?
How do you know all this?
[i]Thus, the impact of this vulnerability on systems other than XP could have been smaller.[/i]
Maybe, maybe not.
[i]Yes, other browsers are not susceptible to specifically this vulnerability, but were it an undiscovered flaw in FireFox, the result could have been the same on XP: full system access.[/i]
Other browsers tend to fix their critical vulnerabilities [b]before[/b] widespread pwning of systems occurs.
[i]Again, there would be less impact if they were using FireFox in Vista or Windows 7: no system access. If FireFox had protected mode or at least had been configured to run at the low integrity level, there would be no access to most of the user files and registry settings.[/i]
Except that with Firefox (or almost any other browser, except IE) the vulnerability is much more likely to be fixed [b]before[/b] you get bit by it.
[i]Of course if they run Linux, that would have been a whole different story, but they didn't.[/i]
Yet if Google required all their employees to use Linux, you'd hold that against them, wouldn't you?
[i]So my question, based on what Microsoft spokesman said, was: why Google allowed machines with the widely known least secure combination of OS and browser access to sensitive data?[/i]
I'm glad that Microsoft agrees with me that Google would have been more secure had they used Google's products instead of Microsoft's products. It feels good to be in agreement with them for once. Disagreement gets old.
In response
Nope. Not in Windows 7. In XP Mode, sure, but that's Windows 7. I can load IE 4 on "Windows Vista" if I use Virtual PC and Windows 98, but it's still not IE5 on Windows Vista. There is a difference.
"You assert it was IE6, and then you also assert IE protected mode should have prevented the attack.. so you are asserting that IE6 has protected mode?"
You're using the "a banana is a fruit, and an apple is a fruit, so a banana is an apple" defense. Learn English.
"Except that with Firefox (or almost any other browser, except IE) the vulnerability is much more likely to be fixed before you get bit by it."
It's semantics. Firefox has holes (and many more of them) with more days of insecurity than IE. The fact that malware writers don't take advantage of it won't make a big difference when you get stung. It's the same with Apple. They have a target on their back, but coders aren't aiming at it.
In response to response
Nope. Not in Windows 7. In XP Mode, sure, but that's Windows 7. I can load IE 4 on "Windows Vista" if I use Virtual PC and Windows 98, but it's still not IE5 on Windows Vista. There is a difference.[/i]
Hmm. That's weird. Did Microsoft use undocumented APIs for IE5/IE6? If not, there is no excuse for them to run fine on Windows 2000 but not on Windows Vista and Windows 7.
[i]"You assert it was IE6, and then you also assert IE protected mode should have prevented the attack.. so you are asserting that IE6 has protected mode?"
You're using the "a banana is a fruit, and an apple is a fruit, so a banana is an apple" defense. Learn English.[/i]
No, I'm using the "you say it's IE6, but you also say protected mode should have prevented the attack, so are you saying IE6 is protected by protected mode?" question. Just to clarify, it is a question, and that is why I put a question mark on the end of it, instead of a full stop like I would if it was a statement. This is because I do not agree with it, and want you to explain why I should. Learn basic punctuation that is common to English as well as many other languages.
[i]"Except that with Firefox (or almost any other browser, except IE) the vulnerability is much more likely to be fixed before you get bit by it."
It's semantics. Firefox has holes (and many more of them) with more days of insecurity than IE. The fact that malware writers don't take advantage of it won't make a big difference when you get stung. It's the same with Apple. They have a target on their back, but coders aren't aiming at it.[/i]
If you think the difference between leaving in a vulnerability after it has become known by the public and had working exploit code for it posted to public websites and fixing a vulnerability before it is even known outside of the development team, or immediately after it is known to the public, is only semantic, good for you. We'll just have to agree to disagree on this.
The majority of Win 7 users I know
windows user to me. They believe they can run as administrator because they believe they are a Power User. <--- Big joke huh?
Firefox had more security holes in 2009 than IE though
IE on Vista and 7 has Protected Mode, and that seriously limits the ability of malware to take total control of the machine. That is, unless a user is tricked into doing something, but you can easily do that on any system and that argument has little merit either way. If you count the ability to trick the user into doing anything, then you might as well forget about any kind of security updates whatsoever. Antimalware warnings should be considered your last line of defense against the user allowing something bad to run.
The point is, Protected Mode won't allow malicious software to instantly take control of the system *automatically*. Possibly only the current browser session, but that's about it. Chrome is supposed to have that ability, but we'll see how well it fares. Google certainly doesn't seem to be the company that cares too much about security.