Windows Secrets

Windows Secrets Newsletter • Issue 228 • 2010-01-21 • Circulation: over 400,000

Table of contents
TOP STORY: Patch arrives for IE hole targeted by Chinese
WACKY WEB WEEK: This vending machine gives and gives and gives
LANGALIST PLUS: Extend the life of your laptop's battery
INSIDER TRICKS: Five productivity-enhancing Registry tweaks
PERIMETER SCAN: Browser forensic tools find malware entry points

TOP STORY

Patch arrives for IE hole targeted by Chinese

By Yardena Arar

As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

The "Aurora" exploit is delivered through ordinary file attachments or links, typically in e-mail or other messages that appear to come from trusted sources. The patch, a few proven security settings, and a little common sense sharply reduce the risk from this and similar attacks.

The first reports of the cyberattacks that prompted Google to threaten withdrawal from China were alarming indeed. So was Microsoft's first official response, Microsoft Security Advisory 979352, which described the scope of the newly discovered IE vulnerability.

The flaw permits remote code execution by what Microsoft describes as a "specially crafted attack" that affects most versions of Internet Explorer:
  • IE 6 SP1 on Windows 2000 SP4

  • IE 6, 7, and 8 on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and Server 2008 R2
Not vulnerable, according to the security bulletin, is Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4.

Microsoft's advance notification of the out-of-cycle patch was released on Jan. 20 and was scheduled to be replaced on Jan. 21 by security bulletin MS10-002, which includes a link to the patch itself. To install the update once it's been posted, visit the Microsoft Update site, choose the Custom option, and select the patch in the list of high-priority updates.

Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.

Google declined a WS interview request, saying it would have no comment while it continues its investigation.

Exploiting an IE vulnerability, the malicious code directs victims to sites with scripts capable of accessing data from their PCs and otherwise controlling the machines, according to Andrew Brandt, lead threat research analyst at the security software company Webroot. "It was a pretty nasty hybrid scripting and malware attack against the people who were targeted," Brandt added.

Nasty, yes. But novel? While any unpatched vulnerability is bad news, this attack scenario isn't unfamiliar to security veterans. Paul Roberts, enterprise security analyst at the 451 Group, says the attack reminds him of last year's reports about GhostNet, a cyber-spying operation also believed to be based in China that allegedly targeted various government and political entities — including the offices of the Dalai Lama.

"What's new is, there's a very explicit link and overt suggestion from Google and others that this is state-sponsored," Roberts said. But on a technical level, he added, "this is just a summation of many of the trends that companies have been talking about for some time now — advanced persistent threats."

Microsoft downplays the threat, releases a patch

Still, the level of sophistication in the attacks — as well as their high-profile targets — has generated widespread publicity. Microsoft responded with a series of TechNet blog posts that sought to reassure IE users that the attacks have been limited and a fix was imminent.

For example, in a Jan. 19 post on the Microsoft Security Response Center blog, George Stathakopoulos, general manager for Trustworthy Computing Security, announced that an out-of-cycle patch for the vulnerability was forthcoming.

Prior to the patch's release, the MS posts recommended various security measures. Jonathan Ness's Jan. 15 post on the MS Security Research & Defense blog includes a chart laying out the real-world risk of attack for various versions of IE and Windows. The post also provides detailed instructions for defending against the threat.

The vulnerability, Ness wrote, "is an Internet Explorer memory-corruption issue triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model (DOM) element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker's code."

The post's risk-assessment chart rates the threat highest for IE 6 on Windows 2000 and XP. IE 7 on Windows XP could also be at risk; Microsoft has since acknowledged reports of proof-of-concept code that exploits the vulnerability in IE 7. IE 7 on Vista fares better, not because Protected Mode stops the memory corruption, but because Protected Mode runs the browser at low integrity, so any code the exploit does manage to run cannot write to most of the user's files or the Registry without a further escalation.

IE 8 is least threatened because it opts in to Data Execution Prevention (DEP) by default on every version of Windows that supports it (XP SP3, Vista SP1 and later, and Windows 7). DEP keeps code from executing in memory that is supposed to hold only data, which is exactly what this exploit's "prepare memory with attack code" step depends on. Make sure DEP is enabled on all your PCs, but treat it as a hurdle rather than a fix: DEP-bypass techniques are well documented, and only the patch removes the flaw.

Not sure how to do this? Ness's blog post includes a one-click Fix-it button that enables DEP in versions of XP and Vista where it isn't enabled by default. (DEP requires both CPU and OS support, however.) If you want to use this solution, be sure to read Ness's notes regarding version support and settings.

Further details on DEP — including instructions for determining whether it's available for and enabled on your PC — are available in MS Knowledge Base article 912923. The text of the article suggests the instructions are for XP and Server 2003, but they also work on Vista and Win7.

Find the right mix of preventive measures

Many other security measures also mitigate the threat. Make sure Protected Mode is on in IE 7 and IE 8. It is enabled by default for the Internet zone on Vista and Windows 7 in both versions, but it depends on User Account Control: turn UAC off and Protected Mode goes with it. To check, click Tools, Internet Options, Security, select the Internet zone, and confirm that Enable Protected Mode at the bottom of the window is checked, as shown in Figure 1. Protected Mode is not available in XP.

Figure 1. Check the box labeled Enable Protected Mode on the Security tab of IE's Options dialog to guard against malware attacks.

Microsoft's security advisory suggests that you also can thwart these types of attacks through a number of additional, fairly drastic measures such as disabling JavaScript in IE, configuring IE to prompt before running Active Scripting and ActiveX controls, or even disabling these features completely.

However, after browsing a short while with ActiveX and scripting disabled, I quickly reverted to my previous security settings. Without those features on, you're forced to click through a barrage of pop-up prompts, which makes browsing one big annoyance. (Even Microsoft's Ness admits that disabling JavaScript "significantly impacts usability of many Web sites.")

The 451 Group's Roberts says another workaround that's been suggested — blocking ranges of IP addresses known to be assigned to China — isn't advisable. "That's kind of a ham-fisted effort that would not be that effective, ultimately, but would disrupt your business," he said. Also, these kinds of attacks don't emanate from China alone.

But here's an extra deterrent that does work: disabling JavaScript in Adobe Reader. Malicious PDFs typically use embedded JavaScript to prepare memory before triggering a Reader flaw, so turning it off blunts the PDF delivery vector these attacks used. It does nothing for the IE bug itself, so it complements the patch rather than replacing it, but it is far less disruptive than shutting down JavaScript, wholesale, in the browser.

To disable JavaScript in Adobe Reader, open Reader and click Edit, Preferences. Choose JavaScript in the left pane, uncheck Enable Acrobat JavaScript in the right pane, and click OK. (See Figure 2.)

Figure 2. Another way to protect against the recent malware attacks is to disable JavaScript in Adobe Reader by unchecking this option.

Webroot's Brandt says very few people encounter legitimate PDFs that use JavaScript. If you do — such as a form that permits data entry — you can always enable the feature for that document only.

After disabling Reader's JavaScript option, a PDF that arrives via e-mail is considerably less dangerous to open. If the file is blank or filled with gibberish, it's probably malicious; delete it and report it rather than assuming it was harmless, because not every Reader exploit needs JavaScript.
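The settings this story tells you to check by hand (DEP via the Fix-it and KB 912923, Protected Mode in Figure 1, Reader's JavaScript box in Figure 2, and the MS10-002 update itself) can be audited across many PCs without clicking through dialogs. The PowerShell script below is an added example written for this edition; it is not code from the newsletter, from Microsoft, or from Adobe. It assumes the registry locations named in its comments (Internet-zone value 2500 for Protected Mode, EnableLUA for UAC, bEnableJS under Reader's JSPrefs key) and takes the KB number of the MS10-002 package from the bulletin title rather than from this article. It only reads settings and changes nothing.

```powershell
# Aurora-mitigation audit (added example, not from the newsletter or any vendor).
# Reads, on the local machine, the settings the article tells you to verify:
#   1. Data Execution Prevention availability and policy (WMI Win32_OperatingSystem)
#   2. IE version (IE 8 opts in to DEP on its own; IE 6/7 do not)
#   3. Internet-zone Protected Mode (value 2500 under Zones\3) and UAC (EnableLUA)
#   4. Adobe Reader JavaScript (bEnableJS under JSPrefs for each installed version)
#   5. Whether the MS10-002 cumulative update is installed; the KB number below comes
#      from the bulletin title (MS10-002 / 978207), not from the article. Confirm it.
# Registry paths are assumptions stated here. Written for PowerShell 2.0 of the era.

param([string]$PatchKb = 'KB978207')

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value is absent.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch { return $null }
}

$findings = @()
function Add-Finding {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    $script:findings += New-Object PSObject -Property @{ Check = $Check; OK = $Ok; Detail = $Detail }
}

# 1. DEP. SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
#    OptIn protects only processes that ask for DEP (IE 8 does, IE 6/7 do not).
$os = Get-WmiObject Win32_OperatingSystem
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Add-Finding 'DEP available (CPU and OS)' ([bool]$os.DataExecutionPrevention_Available) `
    "hardware NX usable: $($os.DataExecutionPrevention_Available)"
Add-Finding 'DEP policy' ($policy -ne 0) `
    "policy: $($policyNames[$policy]) (OptIn covers IE 8; OptOut/AlwaysOn also cover IE 6/7)"

# 2. IE version.
$ieVersion = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' 'Version'
Add-Finding 'IE 8 installed' ($ieVersion -like '8.*') "installed: $ieVersion"

# 3. Protected Mode for the Internet zone (zone 3): 0 = enabled, 3 = disabled.
#    The value is per-user, so run this as the user whose browser you care about.
#    Protected Mode is silently inactive when UAC (EnableLUA) is off, and absent on XP.
$pm  = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' '2500'
$uac = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
Add-Finding 'IE Protected Mode (Internet zone)' (($pm -eq 0) -and ($uac -eq 1)) `
    "2500=$pm (0 = on, 3 = off, blank = unsupported); EnableLUA=$uac"

# 4. Adobe Reader JavaScript: bEnableJS = 0 means the box in Figure 2 is unchecked.
#    A missing value means Reader's default, which is JavaScript enabled.
$readerRoot = 'HKCU:\Software\Adobe\Acrobat Reader'
if (Test-Path $readerRoot) {
    foreach ($ver in Get-ChildItem $readerRoot) {
        $js = Get-RegValue (Join-Path $ver.PSPath 'JSPrefs') 'bEnableJS'
        Add-Finding "Reader $($ver.PSChildName) JavaScript off" ($js -eq 0) "bEnableJS=$js"
    }
} else {
    Add-Finding 'Adobe Reader per-user prefs' $true 'no Reader preferences for this user'
}

# 5. The fix itself. Everything above is a stopgap until this line reads OK True.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
Add-Finding "MS10-002 update ($PatchKb) installed" $patched "Get-HotFix found it: $patched"

$findings | Select-Object Check, OK, Detail | Format-Table -AutoSize
```

Run it under the account whose browser you care about, since the Protected Mode and Reader values are per-user; every row that shows OK False is a setting the story above tells you to change, and the last row tells you whether the stopgaps still matter.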

Roberts recommends that enterprises use virtualization technologies to isolate the browser from the rest of the PC. That does not stop the exploit, but it confines whatever it drops to a disposable environment, which keeps malicious code from gaining a lasting foothold.

The best defense: keep all your apps updated

A Jan. 18 TechNet post by MS senior security manager Jerry Bryant recommends upgrading to IE 8 and ensuring that all your software is up-to-date. Thomas Kristensen, chief security officer for Secunia.com, agrees:
  • "[Aurora] is not at all something that's different from the risk that almost all users expose their systems to every day, because they don't install updates in a timely manner.

    "Most users still run old versions of Real Player, Flash, Adobe Reader, Microsoft Office, and so on. There is already a pile of exploits for many of the older vulnerabilities in these programs out there, and thousands of users are being compromised every single day."
Before Microsoft patched the Aurora vulnerability, Kristensen recommended using an alternative browser. But he adds, "an updated browser can't protect against a vulnerability in [for example] Adobe Reader."

Last but not least, heed the advice you've heard time and again: don't blindly click anything that arrives in your inbox unexpectedly — even if it appears to come from a friend or colleague. Everyone I spoke to for this story said it's better to contact the purported sender with a quick phone call or e-mail to ask about a suspicious link or attachment rather than click blindly and risk having your PC compromised.


WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.

WACKY WEB WEEK

This vending machine gives and gives and gives

By Stephanie Small

A refreshing beverage or snack straight from a vending machine is a simple treat that almost everyone enjoys. Whether at work or school, allowing yourself to indulge in a soda or a cookie brings pleasure to even the most ordinary day.

Just imagine having the vending machine in this video at your school or workplace! Giving away everything from flowers to food, as well as cold, refreshing Coca-Colas, this treat dispenser produces more delighted responses than any vending machine you've ever dropped a coin into. You never know what it will dispense next!

PERMALINKS

Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam," and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/100121

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial director: Brian Livingston. Senior editors: Fred Langa, Woody Leonhard, Ian Richards. Technical editor: Dennis O'Reilly. Program director: Tony Johnston. Web Developer: Damian Wadley. Research director: Stephanie Small. Copyeditor: Roberta Scholz. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Ryan Russell, Robert Vamosi, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2010 by WindowsSecrets.com LLC. All rights reserved.
