New IE hole exploited in attacks on U.S. firms

Microsoft warns about zero-day hole in Internet Explorer that was used in targeted attacks on Google and other U.S. companies, and which Google claims originated in China.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Attackers targeting Google and a host of other U.S. companies recently used software that exploits a new hole in Internet Explorer, Microsoft said Thursday.

"Internet Explorer was one of the vectors" used in the attacks that Google disclosed earlier this week, Microsoft said in a statement. "To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6," the statement said.

The vulnerability affects Internet Explorer 6, IE 7, and IE 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4, Microsoft said in an advisory on Thursday afternoon.

Google disclosed the attacks targeting it and other U.S. companies on Tuesday and said the attacks originated in China. Human rights activists who use Gmail also were targeted, Google said.

Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.

Microsoft said the vulnerability in IE exists as an invalid pointer reference and that it could allow an attacker to take control of a computer if the target were duped into clicking on a link in an e-mail or an instant message that led to a Web site hosting malware. "It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems," Microsoft said in the statement.

Microsoft is working on a fix but could not say whether it would address the issue as part of its next Patch Tuesday scheduled for February 9 or before.

Keeping the IE Internet zone security setting on "high" will protect users from the vulnerability by prompting before running ActiveX Controls and Active Scripting, Microsoft said. Customers should also enable Data Execution Prevention (DEP), which helps mitigate online attacks, the company said. DEP is enabled by default in IE 8 but must be manually turned on in earlier versions.

Microsoft acknowledged Google, Mandiant, Adobe Systems, and McAfee for working with the company and providing details on the attack.

Operation Aurora
Earlier on Thursday, McAfee CTO George Kurtz detailed the vulnerability in a blog post.

"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property," Kurtz wrote. "These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That's when the exploitation takes place, using the vulnerability in Microsoft's Internet Explorer."

Many targeted attacks involve a "cocktail" of zero-day vulnerabilities combined with social engineering, he said. "So there very well may be other attack vectors that are not known to us at this time," he wrote.

Initially, security researchers investigating the attacks believed that a hole in Adobe Reader was a culprit, but Adobe has said that it has no evidence to suggest that a vulnerability in its technology was an attack vector.

McAfee believes the internal name attackers gave to the operation was "Aurora," which the code indicated was the directory name on the computer where the code was compiled into an executable file, said Dmitri Alperovitch, vice president of threat research at McAfee.

The attack was notable for its level of sophistication, using obfuscation techniques not typically seen in attacks on corporations, he said. It dropped about 10 different malicious files with different capabilities that were used at different stages of the infection and used crypto and other techniques to avoid detection, he added.

"The exploit itself was a piece of JavaScript code that encrypted itself and had multiple layers of encryption that got you to the executable binary code, which phoned home and then pulled an encrypted file from an external server," Alperovitch said. "That file used multiple keys for encryption and once it was decrypted it turned into an executable that dropped various modules onto the infected system."

One of the modules was a back door that phoned home to a different server and established an encrypted channel designed to avoid detection by masquerading as a Secure Sockets Layer protocol, he said. "That allowed the hackers to connect to the machine and basically take it over remotely. From then on they had a beachhead to explore the rest of the network for reconnaissance."

Asked what type of data or areas of the network the code was programmed to look for or access, Alperovitch said, "We saw the backdoor, but we did not see the capability in the malware to scan networks and locate things."

The attacks lasted about three weeks, from mid-December until January 4 and were most likely timed to coincide with the holiday season when offices would be closed or lightly staffed, he said.

In early January the command-and-control channels that the code used to receive instructions from the attackers were shut down, he said, adding, "So, we could not verify where the data was going or whether there were links to China."

He said he does not know why the command-and-control servers were shut down. They were located in Taiwan and in Texas and Illinois, he said.

"We believe this attack is a watershed moment," Alperovitch said. "We've never seen this level of sophistication on attacks targeting commercial companies that aren't affiliated with a government or the defense industrial base."

Wired initially reported the IE hole earlier on Thursday, citing an unnamed source.

Updated 7:10 p.m. PST with more details from McAfee and 3:30 p.m. PST with Microsoft advisory and details and 2:33 p.m. PST to clarify that Google, not McAfee, said attacks came from China and 1:05 p.m. PST with Microsoft comment and more details from McAfee's George Kurtz.