Google Hacked via IE Exploit

There has been considerable coverage in the press over the last few days of Google’s claim that its network had been attacked from China, possibly with the connivance or active support of the Chinese government, and Google’s threat to withdraw from that market.  It has also been reported that several other large technology companies, notably Adobe, were attacked.  Google said that the attackers apparently made off with some of its software, in addition to attempting to access the E-mail accounts of Chinese human rights activists.

An article in the “Threat Level” blog at Wired provides some interesting technical information on the attack; there is also a note at Technology Review.  The attacks were apparently targeted; that is, they were designed for and directed at the specific firms in question.  The initial attack vector was apparently a previously unreported (“zero-day”) vulnerability in Microsoft’s Internet Explorer Web browser.  Apparently, under some circumstances, when an ActiveX object (an executable browser component) is deleted, an invalid pointer is left in an accessible location within Internet Explorer, and a carefully-crafted attack can exploit this to execute arbitrary code.  McAfee Security’s Chief Technical Officer, George Kurtz, has put up a blog post with some further analysis and commentary on the attack.

Microsoft has issued a Security Advisory (979352) about the vulnerability.  The way the advisory is written is somewhat amusing; the first sentence of substance begins:

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected.

which I am sure will reassure all those people still using that version — yes, both of them.  It then goes on to say that all other supported versions of IE on all supported versions of Windows are vulnerable.  There is a section of the Advisory that lists mitigating factors.  Basically, apart from the standard advice that you should not run everything as Administrator, there really are no mitigations.

Now, the average user is probably not of much interest to the Chinese government or other sophisticated attackers.  On the other hand, history suggests a couple of relevant observations:

  • Attacks always get better.  Today’s ultra-sophisticated attack will be packaged for use by script kiddies before you know it.
  • Internet Explorer is a security nightmare.  It has had a constant stream of security patches in every version since it was introduced, and I have found no evidence that it is getting any better.  The ActiveX mechanism, from a security point of view, is broken by design — something that many security folks have been saying for years.

I am sure there will be more plot twists and turns in this ongoing melodrama.  For ordinary folks, though, I think this is one more reminder of why using Internet Explorer is a Bad Idea.

3 Responses to Google Hacked via IE Exploit

  1. [...] Exploit Code Published Well, that didn’t take long.  In my post yesterday about the use of a newly-discovered vulnerability in Internet Explorer to attack Google and other [...]

  2. Heiner says:

    Hello, a really excellent report and a very good tip from you; I generally enjoy reading your blog. I have just bought a new PC, and on it the comment function in your blog does not work; it generally does not seem to work under Chrome.

    • Rich says:

      Thank you very much for your comment. I hope you will forgive my writing in English. (My German is a little weak.)

      I have tried the comment function with Chrome 4.0.249.43 on Linux (Ubuntu 9.04) and it seems to be working OK. I’ll try it with Chrome on Windows later today when I’m where I can use a Windows machine.

      There is a posting delay built into comments if you have not previously posted — this is so I have a chance to get rid of the most obvious spam.
