'Operation Aurora' Google China patches imminent

Microsoft will soon be releasing patches for the vulnerabilities highlighted by the recent Google China hacks. The so-called Operation Aurora malware exploited bugs in IE, causing Redmond to issue fixes outside its usual second-Tuesday schedule. In IT Blogwatch, bloggers dig into the details and continue to point fingers at China.

By Richi Jennings. January 21, 2010.


Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention Farmville!!!

Nick Eaton kicks us off:

Microsoft said that its emergency security patch for Internet Explorer will be released Thursday. ... [It's] an unscheduled patch for the IE vulnerability that contributed to the high-profile cyber attacks Google publicized last week.


For users who have automatic updates enabled, the patch will download automatically via Windows Update. ... Microsoft recommends [others] install the patch as soon as possible. ...Microsoft also said it will host a public Webcast at 1 p.m. Pacific time Thursday. ... People can register here.

Larry Seltzer crows:

I called it correctly that Microsoft would issue an out-of-band patch, but I called a bunch of things wrong: It appears that Microsoft will patch all affected versions of IE on all versions of Windows, and they are calling nearly all configurations for the exploit "critical." ... Probably because of reports from Vupen Security that they have an exploit which bypasses DEP.


According to Microsoft, the inconsistencies in the severity ratings are due to the fact that the Aurora bug will not be the only one patched tomorrow. Eight vulnerabilities will be patched.

Graham Cluley gets a clue:

That's not just news for Internet Explorer users, of course. It's also positive news for the folks at Microsoft ... since European governments advised users to switch browsers. I was always a bit wary of that advice, anyway. Many firms have found it hard enough to switch from the (now somewhat creaky) Internet Explorer version 6 to the latest edition, let alone deal with the possible complications that could arise when you change to another browser.


Microsoft should be praised for its rapid response to a critical situation. It couldn't have been easy for its team to produce the patch so quickly. The Internet will be a little bit safer once everyone rolls out the patch.

Microsoft's Jerry Bryant has all the deetz:

We will be releasing MS10-002 ... January 21st ... 10:00 a.m. PST. ... Once applied, customers are protected against the known attacks that have been widely publicized. ... We also updated Security Advisory 979352 to include technical details ... [and] guidance in relation to reports of proof of concept (POC) code that bypasses Data Execution Prevention (DEP).


We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file. Customers would have to open a malicious file to be at risk of exploitation. To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office.

Emil Protalinski prognosticates:

The fact that the update is being released out-of-band ... shows how seriously the company is taking this. ... The patch will fix vulnerabilities in IE6, IE7, and IE8 on supported editions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.


The company admitted that its own investigations into the highly organized hacking attack in late December ... had concluded that a Remote Code Execution vulnerability in IE was used. ... That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory.
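The mechanism Protalinski relays from Microsoft (script keeps a reference to a DOM element, the element is released, and the stale reference is used again after the freed memory has been reclaimed) is a use-after-free. The C program below is an added illustration, not code from this page or from any of the quoted authors. It models the browser's element heap with a constructed fixed-size slot pool (the names pool, slot_alloc, slot_free, handle_get and the tags "div"/"img" are all made up for the example) and shows two things: why recycling a freed slot lets a stale raw pointer read a different object, and how a generation-checked handle refuses the stale access instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size slot pool standing in for the browser's element heap
 * (constructed for this example; it is not IE's allocator). Freed slots are
 * pushed on a stack, so the next same-size allocation lands in the slot that
 * was released most recently, which is the property the quoted description
 * relies on. */
#define SLOTS 4

typedef struct {
    char tag[16];            /* element name, e.g. "div" */
} Element;

typedef struct {
    Element  elem;
    int      in_use;
    unsigned generation;     /* bumped on every free */
} Slot;

static Slot pool[SLOTS];
static int  free_stack[SLOTS];
static int  free_top = -1;

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    free_top = -1;
    for (int i = SLOTS - 1; i >= 0; i--) free_stack[++free_top] = i; /* slot 0 ends up on top */
}

static int slot_alloc(const char *tag) {
    if (free_top < 0) return -1;
    int i = free_stack[free_top--];
    pool[i].in_use = 1;
    strncpy(pool[i].elem.tag, tag, sizeof pool[i].elem.tag - 1);
    pool[i].elem.tag[sizeof pool[i].elem.tag - 1] = '\0';
    return i;
}

static void slot_free(int i) {
    pool[i].in_use = 0;
    pool[i].generation++;        /* every handle issued for the old object is now invalid */
    free_stack[++free_top] = i;  /* LIFO: the next allocation of this size reuses this slot */
}

/* Vulnerable pattern: keep a raw pointer to an element, let the element be
 * released, then touch the pointer again. Returns 1 when the stale pointer
 * observed the replacement object, i.e. the slot was reused. */
int demo_stale_pointer(void) {
    pool_reset();
    int i = slot_alloc("div");
    Element *stale = &pool[i].elem;   /* the "copied" reference that script keeps */
    slot_free(i);                     /* element released, slot back on the free list */
    int j = slot_alloc("img");        /* next same-size object reuses the slot ... */
    /* ... so the stale pointer now reads whatever the new occupant holds. */
    return j == i && strcmp(stale->tag, "img") == 0;
}

/* Hardened access: a handle records the generation it was issued under and
 * resolves to NULL once the slot has been freed, even after the slot has been
 * reused for another object. */
typedef struct { int index; unsigned generation; } Handle;

static Handle handle_for(int i) { Handle h = { i, pool[i].generation }; return h; }

static Element *handle_get(Handle h) {
    if (h.index < 0 || h.index >= SLOTS) return NULL;
    Slot *s = &pool[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return &s->elem;
}

/* Returns 1 when the handle worked before the free and was refused after it. */
int demo_checked_handle(void) {
    pool_reset();
    int i = slot_alloc("div");
    Handle h = handle_for(i);
    int before = handle_get(h) != NULL;
    slot_free(i);
    slot_alloc("img");                 /* same slot reused, exactly as above */
    int after = handle_get(h) == NULL; /* stale handle is refused, not dereferenced */
    return before && after;
}

int main(void) {
    printf("stale raw pointer observed the replacement object: %s\n",
           demo_stale_pointer() ? "yes" : "no");
    printf("generation-checked handle refused the stale access: %s\n",
           demo_checked_handle() ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall -o uaf_demo uaf_demo.c && ./uaf_demo`. The pool keeps the memory mapped on purpose so the reuse is deterministic and observable; with a real malloc/free the raw-pointer path is what AddressSanitizer (`-fsanitize=address`) reports as a heap-use-after-free, which is the cheapest way to catch this class in native code during testing.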

And Taylor Buley follows the money:

Word of the attack spread quickly and the German, French and Australian governments soon issued warnings about using Internet Explorer. ... Achtung! they urged. And the would-be response from technology companies? Danke schön!

[It] turned out to be a great marketing opportunity for McAfee, which is now prominently displaying an "Operation Aurora" graphic on its homepage and posting hyperlinks to a trial version of its antivirus software. ... In the end, it may even prove beneficial to Microsoft. The software giant is using the IE6 vulnerability as an opportunity to push IE8.

Meanwhile, Joe Stewart points another finger at the People's Republic of China:

"Operation Aurora" is the latest in a series of attacks originating out of Mainland China. Previous attacks have been known as "GhostNet" and "Titan Rain." [But] ... outside of the fact that PRC IP addresses have been used as control servers in the attacks, there is no "hard evidence" of involvement of the PRC.

There is one interesting clue in the Hydraq binary that points back to mainland China, however. While analyzing the samples, I noticed a CRC ... algorithm that seemed somewhat unusual ... evidence that someone from within the PRC authored the Aurora codebase. And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.

So what's your take?

And finally...

Richi Jennings, your humble blogwatcher
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email: itblogwatch@richij.com.


Copyright © 2010 IDG Communications, Inc.
