After the mid-December attacks on Google and at least twenty more companies, including Adobe, experts have been busy trying to find the attack vector used by the hackers. Security firm McAfee announced yesterday that it had found out the attacks had been perpetrated using a zero-day vulnerability in Microsoft Internet Explorer. The software giant quickly released a security advisory detailing the previously unknown vulnerability and ways to prevent being infected through it.
Google and McAfee, among others, have presented these attacks as being "highly sophisticated and targeted". McAfee's CTO George Kurtz maintains in his blog post that such attacks have been seen in the past targeting government infrastructures, but insists that this is the first time the commercial sector has been targeted by these "advanced persistent threats" (APT). These are "designed to infect, conceal access, siphon data or, even worse, modify data without detection." It could be the first of many.
McAfee named this threat "Aurora", after a name found in the file path of one of the source files used in the attack. They maintain that Aurora "is changing the cyberthreat landscape", as it looks like hackers are no longer using their most sophisticated attacks only to disturb government activity or gain monetary profit, as they were doing in the past. They are now after something maybe even more valuable: intellectual property.
Initial reports maintained that the hackers had used rigged PDF files for their attacks, but McAfee has found nothing relating them to Adobe's products. Instead, Microsoft's advisory says the culprit is an invalid pointer reference in Internet Explorer. Targets have to be lured into downloading malware, for instance by clicking on a specially crafted link in an email or by opening an email attachment that seems legitimate. Once the malware is installed, the remote attacker can control the victim's computer at will, with the same user rights as the victim across the network.
While the vulnerability in question is present in Internet Explorer 6, 7 and 8, McAfee said that the hackers' exploit code was only used in conjunction with IE6. Nonetheless, Microsoft's security advisory confirms that all three versions are at risk and recommends enabling Data Execution Prevention (DEP) on IE6 and 7; it is activated by default on the latest version of the browser. Setting the Internet and Local intranet security zones to "High", which makes the browser prompt before running ActiveX controls and Active Scripting, is another good protection. Internet Explorer on Windows Server 2003 and 2008 is already set to the "High" security level by default.
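The two mitigations above can be audited from an administrator's PowerShell prompt. The script below is an added example, not code from the article or from Microsoft's advisory; the registry paths, value names and numeric codes it reads are assumptions based on documented Internet Explorer settings, not values taken from the article.

```powershell
# Added example, not from the original article: check a workstation for the two
# mitigations Microsoft recommends (DEP on, Internet and Local intranet zones no
# longer running ActiveX and Active Scripting silently). Registry locations and
# codes below are assumptions drawn from documented IE settings.

function Get-DepStatus {
    # Win32_OperatingSystem exposes the system-wide DEP policy as a number.
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    # IE keeps its own switch ("Enable memory protection"); DEPOff = 1 disables it.
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $depOff = (Get-ItemProperty -Path $main -Name DEPOff -ErrorAction SilentlyContinue).DEPOff
    [pscustomobject]@{
        SystemPolicy  = $policyNames[$policy]
        IeDepDisabled = ($depOff -eq 1)
    }
}

function Get-ZoneScriptSettings {
    # Zone 1 = Local intranet, Zone 3 = Internet.
    # 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
    # Data: 0 = Enable (runs silently), 1 = Prompt, 3 = Disable.
    $zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
    $actions = @{ '1200' = 'ActiveX'; '1400' = 'ActiveScripting' }
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($id in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $base $id) -ErrorAction SilentlyContinue
        foreach ($value in $actions.Keys) {
            $data = $props.$value
            [pscustomobject]@{
                Zone      = $zones[$id]
                Setting   = $actions[$value]
                Data      = $data
                # Anything other than 0 means the browser prompts or refuses.
                SilentRun = ($data -eq 0)
            }
        }
    }
}

Get-DepStatus | Format-List
Get-ZoneScriptSettings | Format-Table -AutoSize
```

A `SilentRun` of `True` for either zone, or `IeDepDisabled` set to `True`, means the corresponding recommendation from the advisory has not been applied on that machine.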