Microsoft confirms IE zero-day behind Google attack
Bets are on that Microsoft will rush patch to deflect public relations nightmare
Computerworld - Microsoft issued a security advisory today that warned users of a critical and unpatched vulnerability in Internet Explorer (IE), and acknowledged that it had been used to hack several companies' networks.
"We have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks," said Mike Reavey, director of Microsoft's Security Response Center (MSRC), in a post to the group's blog.
Earlier today, antivirus company McAfee said the IE bug had been exploited by hackers who had attacked computer networks of nearly three dozen major companies between mid-December 2009 and Jan. 4, 2010. McAfee said then that Microsoft would soon release this advisory.
The security advisory said that the only version of IE not containing the critical flaw was IE 5.01 running on Windows 2000. All other versions, including IE6, IE7 and IE8 on Windows 2000, XP, Server 2003, Vista, Server 2008, Windows 7 and Server 2008 R2 are vulnerable to attack.
Even so, Reavey downplayed the threat to average Windows users. "Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE6 at this time," he said.
"An IE zero-day in all versions," said Andrew Storms, director of security operations at nCircle Network Security, "so by no means is this good for Microsoft. The only encouraging news is that there are tools that protect Vista and Windows 7 on IE7 and newer, so that an exploit would crash [those browsers] rather than allow code execution." Storms was referring to security provisions within IE, including DEP (data execution prevention) and Protected Mode, on newer versions of Windows.
Microsoft's Reavey hammered that home as well. "Protected Mode in IE 7 on Windows Vista and later significantly reduces the ability of an attacker to impact data on a user's machine," Reavey said. "Customers should also enable Data Execution Prevention, which helps mitigate online attacks."
Although DEP is on by default in IE8, it must be manually switched on in IE6 and IE7. Users can enable DEP by using the "Fix it" tool Microsoft has posted on its support site.
As McAfee noted earlier today, an IE user's PC could be hijacked simply by steering the browser to a malicious site, or to a compromised legitimate site that hosted attack code.
Microsoft said users could also protect themselves to some degree by setting the PC's Internet zone's security to the "High" option, but warned that it wasn't surefire. "It is important to note that the vulnerable code may be reached even with these protections in place," the company said in the advisory. "However, any attacks would be less successful with these workarounds in place."
Web giants attacked
- White House orders security review in wake of WikiLeaks disclosure
- Leaked U.S. document links China to Google attack
- Update: Researchers track cyber-espionage ring to China
- Google, China now playing cat and mouse?
- McAfee: 'Amateur' malware not used in Google attacks
- Military warns of 'increasingly active' cyber-threat from China
- China: Google 'totally wrong' to stop censoring
- Update: Google stops censoring in China
- Google's China ad partners wait in 'incomparable pain'
- Google may soon leave China, reports say
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Cybercrime and Hacking White Papers | Webcasts