While making a browser can pave the way to lucrative advertising revenue contracts, it can also be a headache in terms of providing the user with security, as users will typically interact with a broad variety of websites, some of which may be compromised or insecure. When you’re the top player in the browser market, like Microsoft, this problem becomes especially serious.
Microsoft typically has a pretty good security track record, but under the enormous pressure of safeguarding millions of business users, cracks in its armor can appear. Thus was the case with a new flaw in Microsoft Internet Explorer, which the company posted an advisory (97352) about yesterday.
The advisory describes, “The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
McAfee’s George Kurtz was the first to post on the flaw, with a security blog yesterday afternoon. He offered more details about the DOM memory corruption vulnerability and revealed that it had been used by attackers in China to steal info from Google. This was somewhat unusual, as often flaws get published with nary a “in the wild” attack, or at worst mild attacks on individual users.
In this case the flaw wasn’t overly severe, but the attackers were unusually sophisticated and struck out at businesses, looking to steal their data. Writes Dmitri Alperovitch, a vice president of research with McAfee, “We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space.”
Despite the fact that Google makes its own browser (Chrome), apparently many of Google’s corporate computers instead use rival Microsoft’s Internet Explorer, the standard in the business world. As Internet Explorer 8’s Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7. This is actually quite typical — IE 8 adoption in the business world has been a slow process — many businesses still use IE 6, even. The DEP protections are optional in IE 7.
In total, Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.
Once the attackers execute the memory attack, they use it to download and run an executable — a malicious trojan that allows remote access to corporate machines. The entire set of attacks has become known as “Operation Aurora”. Aside from Google, other high profile targets lost potentially sensitive information, including design software maker Adobe Systems Inc. (though Adobe insists that it lost no IP). Google and Adobe are both reportedly trying to help Microsoft investigate the attacks.
Microsoft CEO Steve Ballmer apologized for the security mishap, stating, “We need to take all cyber attacks, not just this one, seriously. We have a whole team of people that responds in very real time to any report that it may have something to do with our software, which we don’t know yet.”
One bothersome detail, though, is that Microsoft apparently has known about the flaw and existence of attacks in the wild for some time, but did not publish a security advisor until after McAfee aired the flaw. This meant that while high profile business users likely knew about the flaw, most private users were left unaware of the danger (albeit, fewer private users run IE 6 or IE 7 than business users).
The attack on Google occurred in mid-December, so the attacks have been live for almost a month now, at least. Reportedly 20 other major companies have since been compromised. Currently, the only complete solution that offers complete protection against the attack is to adopt IE 8 or turn on DEP in IE 7. McAfee has aired security software updates that provide partial protection against the malware associated with the attack, but it warns that current coverage is complete
If there’s one moral of this story, it’s not so much anything to do with Microsoft or Google, but more an observation of the state of internet security in general. As many observers have noted, attackers in recent years are becoming bolder, more organized, and in it for the money.
Unlike hackers of yore that largely hacked for respect or fame, this new breed of attacker, largely based out of Eastern Europe, Russia, Africa, and China, hacks for profit. That presents a unique challenge to firms like Microsoft. A kid hacking into Google would be a bad enough, but a savvy professional who knows how to leverage the stolen information — that’s a security nightmare. And it’s one that’s quickly becoming reality, as evidenced by this most recent round of attacks.