As of this writing, Microsoft is scheduled to release on Jan. 21 an update that fixes the Internet Explorer vulnerability behind the recent, highly publicized cyberattacks on Google and other major corporations.
The sophisticated “Aurora” exploit is delivered through ordinary file attachments or links, typically in e-mail or other messages that appear to come from trusted sources. Proven security measures and a little common sense go a long way toward blunting such attacks, though only the patch removes the underlying flaw.
The first reports of the cyberattacks that prompted Google to threaten withdrawal from China were alarming indeed, and so was Microsoft’s first official response, Security Advisory 979352, which described the scope of the newly discovered IE vulnerability.
The flaw permits remote code execution, with the rights of the logged-on user, when IE renders what Microsoft describes as a specially crafted web page. It affects most versions of Internet Explorer:
- IE 6 SP1 on Windows 2000 SP4
- IE 6, 7, and 8 on Windows XP, Vista, Windows 7, Windows Server 2003, and Windows Server 2008 and Server 2008 R2
Microsoft’s advance notification of the out-of-cycle patch was released on Jan. 20 and was scheduled to be replaced on Jan. 21 by security bulletin MS10-002, which includes a link to the patch itself. To install the update once it’s been posted, visit the Microsoft Update site, choose the Custom option, and select the patch in the list of high-priority updates.
Security analysts and Microsoft agree that the attacks have a high social-engineering component: the targeted victims have to trigger the attacks by clicking a link or infected attachment (commonly an Adobe PDF or Flash file) delivered in e-mail, instant messages, or other electronic communication appearing to come from a trusted source.
Google declined a WS interview request, saying it would have no comment while it continues its investigation.
Exploiting an IE vulnerability, the malicious code directs victims to sites with scripts capable of accessing data from their PCs and otherwise controlling the machines, according to Andrew Brandt, lead threat research analyst at the security software company Webroot. “It was a pretty nasty hybrid scripting and malware attack against the people who were targeted,” Brandt added.
Nasty, yes. But novel? While any unpatched vulnerability is bad news, this attack scenario isn’t unfamiliar to security veterans. Paul Roberts, enterprise security analyst at the 451 Group, says the attack reminds him of last year’s reports about GhostNet, a cyber-spying operation also believed to be based in China that allegedly targeted various government and political entities — including the offices of the Dalai Lama.
“What’s new is, there’s a very explicit link and overt suggestion from Google and others that this is state-sponsored,” Roberts said. But on a technical level, he added, “this is just a summation of many of the trends that companies have been talking about for some time now — advanced persistent threats.”
Microsoft downplays the threat, releases a patch
Still, the level of sophistication in the attacks — as well as their high-profile targets — has generated widespread publicity. Microsoft responded with a series of TechNet blog posts that sought to reassure IE users that the attacks have been limited and a fix was imminent.
For example, in a Jan. 19 post on the Microsoft Security Response Center blog, George Stathakopoulos, general manager for Trustworthy Computing Security, announced that an out-of-cycle patch for the vulnerability was forthcoming.
Prior to the patch’s release, the MS posts recommended various security measures. Jonathan Ness’s Jan. 15 post on the MS Security Research & Defense blog includes a chart laying out the real-world risk of attack for various versions of IE and Windows. The post also provides detailed instructions for defending against the threat.
The post’s risk-assessment chart suggests that the attack’s most-serious threat is to IE 6 on Windows 2000 and XP. IE 7 on Windows XP could also be at risk (Microsoft has since acknowledged reports of proof-of-concept code that exploits the vulnerability in IE 7), but on Vista, IE 7’s Protected Mode confines what the exploit can do even if it runs.
IE 8 is least threatened because it opts into Data Execution Prevention (DEP) by default on Windows XP SP3, Vista SP1 and later, Server 2008, and Windows 7. DEP marks memory regions that hold data, such as the heap, as non-executable, so the exploit’s payload, which it places in memory as data, can’t run. DEP is a mitigation rather than a fix, but until the patch is installed you should make sure it’s enabled for IE on all your PCs.
Not sure how to do this? Ness’s blog post includes a one-click Fix-it button that enables DEP in versions of XP and Vista where it isn’t enabled by default. (DEP requires both CPU and OS support, however.) If you want to use this solution, be sure to read Ness’s notes regarding version support and settings.
Further details on DEP — including instructions for determining whether it’s available for and enabled on your PC — are available in MS Knowledge Base article 912923. The text of the article suggests the instructions are for XP and Server 2003, but they also work on Vista and Win7.
Find the right mix of preventive measures
Many other security measures also can mitigate the threat. Protected Mode is imperative for IE 7 and IE 8 on Vista and Win7. It is on by default for the Internet and Restricted sites zones, but verify that nobody has switched it off: click Tools, Internet Options, Security, select the zone, and check the Enable Protected Mode option at the bottom of the window, as shown in Figure 1. Note that Protected Mode depends on User Account Control (UAC); if UAC is disabled, Protected Mode is off in every zone regardless of the checkbox. Unfortunately, Protected Mode is not available in XP.
Figure 1. Check the box labeled Enable Protected Mode on the Security tab of IE’s Options dialog to guard against malware attacks.
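The checks described above (DEP support and policy from KB 912923, Protected Mode per zone, and the UAC dependency) can be scripted rather than clicked through on every machine. The following PowerShell script is an added example written for this article; it is not code from Windows Secrets or Microsoft. It assumes PowerShell 2.0 on XP SP3, Vista or Win7, reads the registry value 2500 under each Internet Settings zone key as the Protected Mode switch (0 = on, 3 = off), and takes the KB number of the MS10-002 update from the bulletin rather than from this article, so confirm it there before relying on the hotfix check.

```powershell
# Added example (not from the article or Microsoft): audit DEP, IE
# Protected Mode and UAC, then check whether MS10-002 is installed.
# Run it as the user whose IE settings you want to inspect; Protected
# Mode is a per-user setting. Uses only WMI and the registry.

param(
    # KB number of the MS10-002 update; taken from the bulletin, not
    # from this article. Confirm against MS10-002 before relying on it.
    [string]$Ms10002Kb = 'KB978207'
)

$findings = @()

# --- DEP ---------------------------------------------------------------
$os = Get-WmiObject -Class Win32_OperatingSystem
# SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
# Client Windows defaults to OptIn; IE 8 opts itself in, IE 6/7 do not.
$depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy

"OS                    : $($os.Caption) $($os.CSDVersion)"
"Hardware DEP available: $($os.DataExecutionPrevention_Available)"
"DEP system policy     : $($depNames[$depPolicy])"

if (-not $os.DataExecutionPrevention_Available) {
    $findings += 'Hardware DEP unavailable (CPU lacks NX/XD or it is off in firmware); DEP cannot protect IE here.'
}
if ($depPolicy -eq 0) {
    $findings += 'DEP policy is AlwaysOff; restore OptIn or AlwaysOn (bcdedit /set nx on Vista/Win7, /noexecute in boot.ini on XP).'
}

# --- IE version ---------------------------------------------------------
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
"IE version            : $ieVersion"
if ($ieVersion -notlike '8.*') {
    $findings += "IE $ieVersion does not opt into DEP on its own; upgrade to IE 8 or enable DEP for IE with the Fix-it."
}

# --- UAC and Protected Mode ---------------------------------------------
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$uacOn  = ($policy -ne $null) -and ($policy.EnableLUA -eq 1)
"UAC enabled           : $uacOn"

if (([version]$os.Version).Major -lt 6) {
    'Protected Mode        : not available (requires Vista or later)'
} else {
    if (-not $uacOn) {
        $findings += 'UAC is off, so IE Protected Mode is off in every zone regardless of the checkbox.'
    }
    # Zones: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
    # Value 2500 (assumption documented in the lead-in): 0 = on, 3 = off.
    $zones = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
    foreach ($id in 1..4) {
        $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$id"
        $val = (Get-ItemProperty $key -Name 2500 -ErrorAction SilentlyContinue).'2500'
        $state = if ($val -eq 0) { 'on' } elseif ($val -eq 3) { 'off' } else { "unknown ($val)" }
        'Protected Mode ({0,-10}): {1}' -f $zones[$id], $state
        # Internet and Restricted are the zones a phishing link lands in.
        if ($id -ge 3 -and $val -ne 0) {
            $findings += "Protected Mode is off for the $($zones[$id]) zone; turn it on (Internet Options, Security, Enable Protected Mode)."
        }
    }
}

# --- MS10-002 -----------------------------------------------------------
$hotfix = @(Get-WmiObject -Class Win32_QuickFixEngineering |
            Where-Object { $_.HotFixID -eq $Ms10002Kb })
if ($hotfix.Count -gt 0) {
    "MS10-002 ($Ms10002Kb)   : installed $($hotfix[0].InstalledOn)"
} else {
    $findings += "MS10-002 ($Ms10002Kb) not found; the mitigations above only reduce risk, the patch removes the flaw."
}

# --- Summary ------------------------------------------------------------
if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an ordinary PowerShell prompt under the account that browses; the DEP and hotfix queries work for any user, and the Protected Mode values are read from that user’s hive. Treat a “FINDING” on the Internet zone or on UAC as a machine that is exposed to the exploit even if IE 8 is installed, since Protected Mode and DEP are the two mitigations Microsoft’s chart relies on.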
The 451 Group’s Roberts says another workaround that’s been suggested — blocking ranges of IP addresses known to be assigned to China — isn’t advisable. “That’s kind of a ham-fisted effort that would not be that effective, ultimately, but would disrupt your business,” he said. Also, these kinds of attacks don’t emanate from China alone.
Roberts recommends that enterprises use virtualization technologies to isolate the browser from other areas of a PC. Running the browser in a virtual machine or sandbox limits what malicious code can reach if the browser is compromised and keeps it from gaining a persistent foothold on the host.
The best defense: keep all your apps updated
A Jan. 18 TechNet post by MS senior security manager Jerry Bryant recommends upgrading to IE 8 and ensuring that all your software is up-to-date. Thomas Kristensen, chief security officer for Secunia.com, agrees:
- “[Aurora] is not at all something that’s different from the risk that almost all users expose their systems to every day, because they don’t install updates in a timely manner.
“Most users still run old versions of Real Player, Flash, Adobe Reader, Microsoft Office, and so on. There is already a pile of exploits for many of the older vulnerabilities in these programs out there, and thousands of users are being compromised every single day.”
Last but not least, heed the advice you’ve heard time and again: don’t blindly click anything that arrives in your inbox unexpectedly — even if it appears to come from a friend or colleague. Everyone I spoke to for this story said it’s better to contact the purported sender with a quick phone call or e-mail to ask about a suspicious link or attachment rather than click blindly and risk having your PC compromised.
WS contributing editor Yardena Arar has written about technology for the New York Times, the Canadian Press, the Associated Press, and the Los Angeles Daily News. She was an editor of PC World magazine from 1996 to 2009.