Hackers in China rumored to have hacked Google with IE zero day

 Print E-mail

19 January 2010 -- Last week, big news surfaced about Chinese hackers breaching Google, and many other well-known technology companies, possibly stealing source code and intellectual property. It all started last Tuesday, when Google disclosed that an attacker based in China had hacked the gmail accounts of certain human rights activists. In reaction to this attack, Google warned that they would no longer censor search results on their Chinese search site - something they originally had to do in order to conduct business in China.

Shortly after Google reported their breach, around 20 other companies reported breaches that appeared to be related - companies like Adobe, Yahoo, and Juniper. At first, reports suggested that the attackers used a vulnerability in Adobe's PDF Reader to breach these networks. However, this week it has become clear that a zero day Internet Explorer (IE) vulnerability was at fault. According to a security advisory Microsoft released this week, IE 6, 7, and 8 suffer from a complex vulnerability involving invalid pointer references in memory (perhaps a double free vulnerability). By enticing you to a malicious web site, an attacker could exploit this unpatched IE flaw to execute code on your computer, with your privileges. Since most Windows users have local administrative privileges, this attack usually results in a full compromise. Making matters worse, this particular IE exploit has now been released publicly. Now anyone can try to use the vulnerability believed to be leveraged in the Google attacks.

This Google hacking incident, which pundits are calling "Aurora," has already created huge waves in the security arena. It has political, business, and security ramifications that experts will have to consider for a long time to come. However, I'm more concerned with practical advice. What am I - a business network administrator - supposed to do about the IE zero day vulnerability while I wait for Microsoft to release patches? Here are a few suggestions:

  • Set your Internet Security Zone level to "High." Microsoft claims this could prevent this attack.
  • If you have a newer version of Windows (Vista and beyond), run IE in "Protected Mode." (see Microsoft's security advisory for more details)
  • Keep your antivirus and antimalware solutions up to date. They should have signatures for the publicly released exploit.
  • You could also use Firefox with NoScript in the interim. While Firefox does have its own security flaws, I find combining it with NoScript protects you from a large portion of web threats.
  • Finally, watch for Microsoft's patch

Many people, me included, expect Microsoft to release an out-of-cycle patch for this IE flaw before next Patch Tuesday. If you are a WatchGuard LiveSecurity customer, we will release an alert as soon as we see release of this patch. Nonetheless, I highly recommend you keep an eye on Microsoft's security page, so that you can jump on this patch as soon as it becomes available. -- Corey Nachreiner, CISSP
 
"The QUADRA Alliance is a coalition of full service IT providers of international quality and size based in the Philippines. The Alliance's expertise involves working locally from system design to delivery throughout Southeast Asia. The companies Acuity Technologies, Imaginet International Inc, and Paperlesstrail, Inc , form the QUADRA Alliance ."