Patch arrives for IE hole targeted by Chinese

Yardena arar By Yardena Arar

As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.

The sophisticated “Aurora” exploit is delivered through common file attachments or links — typically in e-mail or other messages that appear to come from trusted sources — but proven security measures and a little common sense can negate all such threats.

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 10, Windows 8, Windows 7, Firefox, Internet Explorer, Google, etc. Join our 460,000 subscribers!

Enter your email above to receive messages about offerings by Penton, its brands, affiliates and/or third-party partners, consistent with Penton's Privacy Policy.
The Windows 7, Vol 3 (Excerpt)

Subscribe and get our monthly bonuses - free!

The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!

The first reports of the cyberattacks that prompted Google to threaten withdrawal from China were alarming indeed. So was Microsoft’s first official response, in MS security bulletin 979352, which described the scope of the newly discovered IE vulnerability.

The flaw permits remote code execution by what Microsoft describes as a “specially crafted attack” that affects most versions of Internet Explorer:
  • IE 6 SP1 on Windows 2000 SP4

  • IE 6, 7, and 8 on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and Server 2008 R2
Not vulnerable, according to the security bulletin, is Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4.

Microsoft’s advance notification of the out-of-cycle patch was released on Jan. 20 and was scheduled to be replaced on Jan. 21 by security bulletin MS10-002, which includes a link to the patch itself. To install the update once it’s been posted, visit the Microsoft Update site, choose the Custom option, and select the patch in the list of high-priority updates.

Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.

Google declined a WS interview request, saying it would have no comment while it continues its investigation.

Exploiting an IE vulnerability, the malicious code directs victims to sites with scripts capable of accessing data from their PCs and otherwise controlling the machines, according to Andrew Brandt, lead threat research analyst at the security software company Webroot. “It was a pretty nasty hybrid scripting and malware attack against the people who were targeted,” Brandt added.

Nasty, yes. But novel? While any unpatched vulnerability is bad news, this attack scenario isn’t unfamiliar to security veterans. Paul Roberts, enterprise security analyst at the 451 Group, says the attack reminds him of last year’s reports about GhostNet, a cyber-spying operation also believed to be based in China that allegedly targeted various government and political entities — including the offices of the Dalai Lama.

“What’s new is, there’s a very explicit link and overt suggestion from Google and others that this is state-sponsored,” Roberts said. But on a technical level, he added, “this is just a summation of many of the trends that companies have been talking about for some time now — advanced persistent threats.”

Microsoft downplays the threat, releases a patch

Still, the level of sophistication in the attacks — as well as their high-profile targets — has generated widespread publicity. Microsoft responded with a series of TechNet blog posts that sought to reassure IE users that the attacks have been limited and a fix was imminent.

For example, in a Jan. 19 post on the Microsoft Security Response Center blog, George Stathakopoulos, general manager for Trustworthy Computing Security, announced that an out-of-cycle patch for the vulnerability was forthcoming.

Prior to the patch’s release, the MS posts recommended various security measures. Jonathan Ness’s Jan. 15 post on the MS Security Research & Defense blog includes a chart laying out the real-world risk of attack for various versions of IE and Windows. The post also provides detailed instructions for defending against the threat.

The vulnerability, Ness wrote, “is an Internet Explorer memory-corruption issue triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model (DOM) element. If an attacker is able to prepare memory with attack code, the reference to a random location of freed memory could result in execution of the attacker’s code.”

The post’s risk-assessment chart suggests that the attack’s most-serious threat is to IE 6 on Windows 2000 and XP. IE 7 on Windows XP could be at risk — Microsoft has since acknowledged reports of proof-of-concept code to exploit the vulnerability in IE 7 — but Vista’s built-in Protected Mode can block the exploit automatically.

IE 8 is least threatened because Data Execution Prevention (DEP) is enabled by default in all versions of Windows on which IE 8 runs. DEP keeps code from executing in places it shouldn’t — effectively shutting down the types of malicious codes delivered through the vulnerability. You should make sure DEP is enabled on all your PCs.

Not sure how to do this? Ness’s blog post includes a one-click Fix-it button that enables DEP in versions of XP and Vista where it isn’t enabled by default. (DEP requires both CPU and OS support, however.) If you want to use this solution, be sure to read Ness’s notes regarding version support and settings.

Further details on DEP — including instructions for determining whether it’s available for and enabled on your PC — are available in MS Knowledge Base article 912923. The text of the article suggests the instructions are for XP and Server 2003, but they also work on Vista and Win7.

Find the right mix of preventive measures

Many other security measures also can mitigate the threat. Enabling Protected Mode in IE 7 is imperative. (Protected Mode is on by default in IE 8.) To enable IE Protected Mode in Vista and Win7, click Tools, Internet Options, Security and check the Enable Protected Mode option at the bottom of the window, as shown in Figure 1. Unfortunately, Protected Mode is not available in XP.

Internet explorer protected mode option
Figure 1. Check the box labeled Enable Protected Mode on the Security tab of IE’s Options dialog to guard against malware attacks.

Microsoft’s security advisory suggests that you also can thwart these types of attacks through a number of additional, fairly drastic measures such as disabling JavaScript in IE, configuring IE to prompt before running Active Scripting and Active X controls, or even disabling these features completely.

However, after browsing a short while with ActiveX and scripting disabled, I quickly reverted to my previous security settings. Without those features on, you’re forced to click through a barrage of pop-up prompts, which makes browsing one big annoyance. (Even Microsoft’s Ness admits that disabling JavaScript “significantly impacts usability of many Web sites.”)

The 451 Group’s Roberts says another workaround that’s been suggested — blocking ranges of IP addresses known to be assigned to China — isn’t advisable. “That’s kind of a ham-fisted effort that would not be that effective, ultimately, but would disrupt your business,” he said. Also, these kinds of attacks don’t emanate from China alone.

But here’s an extra deterrent that does work: disabling JavaScript in Adobe Reader, which prevents infected PDFs from delivering code that exploits the vulnerability. This approach is more effective and far less disruptive than shutting down JavaScript, wholesale, in the browser.

To disable JavaScript in Adobe Reader, open Reader and click Edit, Preferences. Choose JavaScript in the left pane, uncheck Enable Acrobat JavaScript in the right pane, and click OK. (See Figure 2.)

Disable javascript in adobe reader
Figure 2. Another way to protect against the recent malware attacks is to disable JavaScript in Adobe Reader by unchecking this option.

Webroot’s Brandt says very few people encounter legitimate PDFs that use JavaScript. If you do — such as a form that permits data entry — you can always enable the feature for that document only.

After disabling Reader’s JavaScript option, you can safely open PDF files that arrive via e-mail. If the file is blank or filled with gibberish, it’s probably infected, but the threat has been neutralized.

Roberts recommends that enterprises use virtualization technologies to isolate the browser from other areas of a PC. This effectively prevents malicious code from gaining a foothold.

The best defense: keep all your apps updated

A Jan. 18 TechNet post by MS senior security manager Jerry Bryant recommends upgrading to IE 8 and ensuring that all your software is up-to-date. Thomas Kristensen, chief security officer for, agrees:
  • “[Aurora] is not at all something that’s different from the risk that almost all users expose their systems to every day, because they don’t install updates in a timely manner.

    “Most users still run old versions of Real Player, Flash, Adobe Reader, Microsoft Office, and so on. There is already a pile of exploits for many of the older vulnerabilities in these programs out there, and thousands of users are being compromised every single day.”
Before Microsoft patched the Aurora vulnerability, Kristensen recommended using an alternative browser. But he adds, “an updated browser can’t protect against a vulnerability in [for example] Adobe Reader.”

Last but not least, heed the advice you’ve heard time and again: don’t blindly click anything that arrives in your inbox unexpectedly — even if it appears to come from a friend or colleague. Everyone I spoke to for this story said it’s better to contact the purported sender with a quick phone call or e-mail to ask about a suspicious link or attachment rather than click blindly and risk having your PC compromised.

Have more info on this subject? Post your tip in the WS Columns forum.

WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.
= Paid content

All Windows Secrets articles posted on 2010-01-21:

Yardena Arar

About Yardena Arar

Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor at PC World magazine from 1996 to 2009, and is now a PC World contributing editor.