Microsoft says Google was hacked with IE zero-day

Summary: According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.

Hackers linked to China used a zero-day vulnerability in Microsoft's Internet Explorer browser to compromise corporate systems at more than 30 U.S. companies, including Google, Adobe and Juniper Networks.

According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.

Microsoft's confirmation, in the form of a security advisory, follows public statements from Google and Adobe that their corporate networks were breached by coordinated, sophisticated attackers based in China.

[ SEE: Adobe confirms 'sophisticated, coordinated' breach ]

Google said the attacks were very targeted and resulted in the theft of intellectual property. Adobe confirmed its network was also breached in the same attacks but did not provide any details on what was stolen.

In a statement, Juniper Network said it was investigating "a cyber security incident involving a sophisticated and targeted attack against a number of companies."

According to public chatter, the attackers originated in Taiwan and included a hijacked Internet address owned by Rackspace. The hosting firm has confirmed that its systems "played a very small part" in the attacks.

Details on the cyber-attacks are beginning to trickle out. According to Dan Kaminsky, a security researcher who was briefed on the IE vulnerability used in one of the attacks, the exploit was targeted at a Windows XP machine running Internet Explorer 6.

This was confirmed by Mike Reavey, a director in the Microsoft Security Response Center. "To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6," Reavey said.

Here's the skinny from Microsoft's advisory:

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

The flaw affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
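The advisory's wording, "the invalid pointer to be accessed after an object is deleted," describes a use-after-free: code keeps a raw pointer to an object, the object is freed, and the pointer is later dereferenced and reads whatever now occupies that memory. The following is an added illustration, not Internet Explorer code and not from Microsoft's advisory. It models the bug on a small static object pool so the stale read is deterministic, and contrasts it with generation-tagged handles, one common hardening in which every deletion invalidates all outstanding references to the slot. The pool, the `Handle` type and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a fixed pool of objects addressed either by raw
 * pointer (the pattern behind a use-after-free) or by a generation-tagged
 * handle (one common hardening). Nothing here is browser code. */

#define MAX_OBJECTS 8

typedef struct {
    bool     live;
    uint32_t generation;   /* bumped on every delete of this slot */
    int      value;
} Object;

typedef struct {
    uint32_t slot;
    uint32_t generation;   /* generation the slot had when the handle was issued */
} Handle;

static Object pool[MAX_OBJECTS];

/* Create an object in the first free slot and return a handle to it. */
Handle object_create(int value) {
    for (uint32_t i = 0; i < MAX_OBJECTS; i++) {
        if (!pool[i].live) {
            pool[i].live  = true;
            pool[i].value = value;
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };   /* pool exhausted */
}

/* Delete: free the slot and invalidate every outstanding handle to it. */
void object_delete(Handle h) {
    if (h.slot < MAX_OBJECTS && pool[h.slot].live &&
        pool[h.slot].generation == h.generation) {
        pool[h.slot].live  = false;
        pool[h.slot].value = 0;
        pool[h.slot].generation++;
    }
}

/* Hardened lookup: NULL for any handle whose object is gone, even when the
 * slot has since been reused by a newer object. */
Object *object_resolve(Handle h) {
    if (h.slot >= MAX_OBJECTS) return NULL;
    Object *o = &pool[h.slot];
    if (!o->live || o->generation != h.generation) return NULL;
    return o;
}

/* The unsafe pattern: a raw pointer cached before deletion is dereferenced
 * afterwards. Because the pool is static the read is well defined here, so the
 * example can show the consequence deterministically: the stale pointer reads
 * whatever object now occupies the slot, not the one it was taken for. */
int stale_raw_pointer_reads(void) {
    Handle a = object_create(42);
    Object *raw = object_resolve(a);     /* raw pointer to object A, cached */
    object_delete(a);
    Handle b = object_create(7);         /* B lands in A's freed slot */
    int seen = raw->value;               /* stale read: yields B's value */
    object_delete(b);
    return seen;                         /* 7, although A held 42 */
}

/* The hardened pattern: the same sequence through the handle is rejected. */
bool stale_handle_resolves(void) {
    Handle a = object_create(42);
    object_delete(a);
    Handle b = object_create(7);         /* reuses the slot under a new generation */
    bool resolved = object_resolve(a) != NULL;
    object_delete(b);
    return resolved;                     /* false */
}

int main(void) {
    printf("stale raw pointer reads %d (object A held 42)\n", stale_raw_pointer_reads());
    printf("stale handle resolves: %s\n", stale_handle_resolves() ? "yes" : "no");
    return 0;
}
```

With a real heap allocator the stale read in `stale_raw_pointer_reads` would be undefined behaviour and is exactly what a crafted page tries to steer; the handle check in `object_resolve` is the property a fix restores, namely that a reference to a deleted object fails closed rather than aliasing whatever replaced it.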

Here's the danger:

To exploit, an attacker could host a specially crafted Web site, or take advantage of a compromised website, and then convince a user to view the Web site. In all cases, however, an attacker would have no way to force users to visit these malicious Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message, that directs users to the attacker's Web site. It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems. The Microsoft investigation concluded that setting the Internet zone security setting to “high” will protect users from the vulnerability addressed in this advisory.

Microsoft is considering an out-of-band emergency IE patch to fix this vulnerability.

Topics: Windows, Browser, Google, Microsoft, Operating Systems, Security, Software

Talkback

179 comments
  • Um, question

    Why is Google using IE?
    Joe_Raby
    • XP and IE6

      More precisely, why was it XP and IE6? Why not test Chrome? Why use XP, where the majority of the work can be done only from an administrative account [i]and[/i] there is no protected mode for IE?

      What are the internal IT security policies in the company that wants us to feel secure using its software and services in general and secure in its cloud, storing our data, in particular?
      Earthling2
      • Exactly my point

        Why was Google using anything other than Chrome and/or Chrome OS?

        Seems hypocritical on their part - make your own browser and not even use it.
        Joe_Raby
        • What a BS response.

          If you're in the business of running a company
          that was making web based apps, content, and
          the likes, you would use all kinds of browsers,
          not just your own.

          When I develop a webpage, or web content, I
          test to see how it will be rendered in the
          major 4 browsers, not just my favorite one to
          use. If your consumer base uses IE or FF predominately, you are going to make sure your
          stuff works, on the widely used browsers.
          Snooki_smoosh_smoosh
          • Can you not afford a test machine or use a VM?

            There is a difference between testing your software and allowing IE6 on XP to access company's sensitive data.
            Earthling2
          • It's usually safer to test in a VM.

            Not everyone knows how to though. Most people just
            expect that as long as they apply all of the
            updates for a browser as soon as they come out,
            that they aren't going to get hacked. Sadly this
            isn't the case with IE.
            AzuMao
          • What does a VM provide for safety though?

            It's called "sandboxing", and IE in Protected Mode already provides that.

            When you're talking about isolating applications in total virtual operating system environments, if a piece of malware is well-written, it could easily spread over open network connections between the guest and host OS. A virtual machine has certain benefits in regards to restoring previous versions by having a management OS running below it, but OS's have a lot of backtrack and restoration functionality in them anyway. If you have a VM that gets infected badly, you still have to rebuild or restore that VM. That's not much less work than having to reimage an OS on hardware. If your backups are in order, it could take about 5 minutes to restore a backup on hardware. It'd take at least as much time to copy a VHD back for a VM or use an Undo disk.
            Joe_Raby
          • It offers..

            .. consistent hardware-level virtualization,
            regardless of any bugs in the specific
            implementation of the specific version of the
            specific browser on the specific OS.
            AzuMao
          • If you're in the business of making websites and web apps

            You should know better about web browser security, and the ramifications of doing day-to-day browsing (and clicking on unknown links) on a less secure browser than is current. If you're a real business, your IT environment should be locked down too, and if you need legacy applications for compatibility, security risks need to be mitigated by alternative measures, not just ignored altogether.
            Joe_Raby
          • That's what Virtual Box is for [NT]

            [NT]
            tripolitan
        • I guess because..

          ..they let their employees use whatever
          browsers/OSs they feel like? Kind of like how some
          prominent members of the IE team use Firefox?
          AzuMao
          • ....or how web developers will use multiple versions?

            The W3C doesn't dictate how a web browser produces every single tag or CSS function, so obviously a dev team designing a web browser will want to compare the presentation of websites between their browser and the competition.
            Joe_Raby
          • Yes

            [b] [/b]
            AzuMao
      • As quoted in the article

        <i><b>and Internet Explorer 8</b> on supported
        editions of Windows XP, Windows Server 2003,
        Windows Vista, Windows Server 2008, <b>Windows
        7,</b> and Windows Server 2008 R2 are
        affected.</i>

        I added the bolding, but I've seen at least 3
        responders today insist that this has to have
        been a result of Google using IE6 with XP.
        What I just quoted came from Microsoft. The
        idea that using IE 8 and Windows 7 would have
        avoided the problem is just as idiotic as those
        of my fellow Mac users who insist that the Mac
        is immune to malware.

        Unless you were working for Google in China,
        you don't know what version of IE or Windows
        was in use. Why is it so important to blame
        this on old software? The truly important
        thing is knowledge that a threat exists.
        use_what_works_4_U
        • Difference between XP and Win7

          All we know so far is that Microsoft spokesman said it was IE6, so allegedly it must have been XP, since Vista and Win7 do not ship with IE6.

          Now, there is a big difference between XP and Win7 (or Vista).

          First, in Win7 there is no excuse for an ordinary user to run under an administrative account. This should have prevented the exploit from gaining system-wide access.

          Second, IE protected mode should have prevented the malicious code from accessing most of the user files and registry settings.

          Thus, the impact of this vulnerability on systems other than XP could have been smaller.

          Yes, other browsers are not susceptible to specifically this vulnerability, but were it an undiscovered flaw in FireFox, the result could have been the same on XP: full system access.

          Again, there would be less impact if they were using FireFox in Vista or Windows 7: no system access. If FireFox had protected mode or at least had been configured to run at the low integrity level, there would be no access to most of the user files and registry settings.

          Of course if they run Linux, that would have been a whole different story, but they didn't.

          So my question, based on what Microsoft spokesman said, was: why Google allowed machines with the widely known least secure combination of OS and browser access to sensitive data?
          Earthling2
          • Hmm..

            [i]All we know so far is that Microsoft
            spokesman said it was IE6, so allegedly it must
            have been XP, since Vista and Win7 do not ship
            with IE6.[/i]

            IE6 can't be installed on Windows 7?

            [i]Now, there is a big difference between XP and
            Win7 (or Vista).

            First, in Win7 there is no excuse for an
            ordinary user to run under an administrative
            account. This should have prevented the exploit
            from gaining system-wide access.[/i]

            In Windows 7, you get logged in an admin account
            by default, not a restricted account. Yet not
            too long ago the MS fanboys were harping on
            Google for not having HTTPS by default. Can't
            have it both ways. Which is it; do defaults
            matter, or don't they?

            [i]Second, IE protected mode should have
            prevented the malicious code from accessing most
            of the user files and registry settings.[/i]

            You assert it was IE6, and then you also assert
            IE protected mode should have prevented the
            attack.. so you are asserting that IE6 has
            protected mode? And also that the attack must
            have accessed registry settings or user files
            that the browser can't have access to (i.e.
            that nothing important could be accessed by the
            browser)? So whatever it was was stored and
            worked on offline?
            How do you know all this?

            [i]Thus, the impact of this vulnerability on
            system other than XP could have been
            smaller.[/i]

            Maybe, maybe not.

            [i]Yes, other browsers are not susceptible to
            specifically this vulnerability, but were it an
            undiscovered flaw in FireFox, the result could
            have been the same on XP: full system
            access.[/i]

            Other browsers tend to fix their critical
            vulnerabilities [b]before[/b] widespread pwning
            of systems occurs.

            [i]Again, there would be less impact if they
            were using FireFox in Vista or Windows 7: no
            system access. If FireFox had protected mode or
            at least had been configured to run at the low
            integrity level, there would be no access to most
            of the user files and registry settings.[/i]

            Except that with Firefox (or almost any other
            browser, except IE) the vulnerability is much
            more likely to be fixed [b]before[/b] you get
            bit by it.

            [i]Of course if they run Linux, that would have
            been a whole different story, but they didn't.
            [/i]

            Yet if Google required all their employees to
            use Linux, you'd hold that against them,
            wouldn't you?

            [i]So my question, based on what Microsoft
            spokesman said, was: why Google allowed machines
            with the widely known least secure combination
            of OS and browser access to sensitive data?[/i]

            I'm glad that Microsoft agree with me that
            Google would have been more secure had they used
            Google's products instead of Microsoft's
            products. It feels good to be in agreement with
            them for once. Disagreement gets old.
            AzuMao
          • In response

            "IE6 can't be installed on Windows 7?"

            Nope. Not in Windows 7. In XP Mode, sure, but that's Windows 7. I can load IE 4 on "Windows Vista" if I use Virtual PC and Windows 98, but it's still not IE5 on Windows Vista. There is a difference.

            "You assert it was IE6, and then you also assert IE protected mode should have prevented the attack.. so you are asserting that IE6 has
            protected mode?"

            You're using the "a banana is a fruit, and an apple is a fruit, so a banana is an apple" defense. Learn English.

            "Except that with Firefox (or almost any other
            browser, except IE) the vulnerability is much
            more likely to be fixed before you get
            bit by it."

            It's semantics. Firefox has holes (and many more of them) with more days of insecurity than IE. The fact that malware writers don't take advantage of it won't make a big difference when you get stung. It's the same with Apple. They have a target on their back, but coders aren't aiming at it.
            Joe_Raby
          • In response to response

            [i]"IE6 can't be installed on Windows 7?"

            Nope. Not in Windows 7. In XP Mode, sure, but
            that's Windows 7. I can load IE 4 on "Windows
            Vista" if I use Virtual PC and Windows 98, but
            it's still not IE5 on Windows Vista. There is a
            difference.
            [/i]

            Hmm. That's weird. Did Microsoft use
            undocumented APIs for IE5/IE6? If not, there is
            no excuse for them to run fine on Windows 2000
            but not on Windows Vista and Windows 7.

            [i]"You assert it was IE6, and then you also
            assert IE protected mode should have prevented
            the attack.. so you are asserting that IE6 has
            protected mode?"

            You're using the "a banana is a fruit, and an
            apple is a fruit, so a banana is an apple"
            defense. Learn English.[/i]

            No, I'm using the "you say it's IE6, but you
            also say protected mode should have prevented
            the attack, so are you saying IE6 is protected
            by protected mode?" question. Just to clarify,
            it is a question, and that is why I put a
            question mark on the end of it, instead of a
            full stop like I would if it was a statement.
            This is because I do not agree with it, and want
            you to explain why I should. Learn basic
            punctuation that is common to English as well as
            many other languages.

            [i]"Except that with Firefox (or almost any
            other
            browser, except IE) the vulnerability is much
            more likely to be fixed before you get
            bit by it."

            It's semantics. Firefox has holes (and many more
            of them) with more days of insecurity than IE.
            The fact that malware writers don't take
            advantage of it won't make a big difference when
            you get stung. It's the same with Apple. They
            have a target on their back, but coders aren't
            aiming at it.[/i]

            If you think the difference between leaving in a
            vulnerability after it has become known by the
            public and had working exploit code for it
            posted to public websites and fixing a
            vulnerability before it is even known outside of
            the development team, or immediately after it is
            known to the public, is only semantic, good for
            you. We'll just have to agree to disagree on
            this.
            AzuMao
          • The majority of Win 7 users I know

            run their machine with full administrative rights. That sure sounds like a
            windows user to me. They believe they can run as administrator because
            they believe they are a Power User. <--- Big joke huh?
            Intellihence
          • Firefox had more security holes in 2009 than IE though

            and Firefox doesn't have the sandboxing capability of Protected Mode in Vista/7, and it also had malware attacks. I wouldn't say Firefox is any more secure than IE in that matter.

            IE on Vista and 7 has Protected Mode, and that seriously limits the ability of malware from taking total control of the machine. That is, unless a user is tricked into doing something, but you can easily do that on any system and that argument has little merit either way. If you count the ability to trick the user into doing anything, then you might as well forget about any kind of security updates whatsoever. Antimalware warnings should be considered your last line of defense against the user allowing something bad to run.

            The point is, Protected Mode won't allow malicious software to instantly take control of the system *automatically*. Possibly only the current browser session, but that's about it. Chrome is supposed to have that ability, but we'll see how well it fares. Google certainly doesn't seem to be the company that cares too much about security.
            Joe_Raby