Internet Explorer Security Google IT

Code Used To Attack Google Now Public

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

  • This is shocking! (Score:5, Insightful)

    by eihab ( 823648 ) * on Friday January 15, 2010 @11:47PM (#30787502)

    > The attack is very reliable on Internet Explorer 6 running on Windows XP ...
    > That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems

    Google has employees running XP/IE6???

    The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare access anything with IE6 (especially with reputable sites being hacked and all).

    All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

    This is a shocker!

  • by Anonymous Coward on Friday January 15, 2010 @11:51PM (#30787528)

    > Google has employees running XP/IE6???
    Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."

  • by bfree ( 113420 ) on Friday January 15, 2010 @11:56PM (#30787552)

    Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.
  • by eihab ( 823648 ) * on Saturday January 16, 2010 @12:11AM (#30787598)

    > Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

    I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

    My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

    I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in front of the decimals on the check.

    I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

    It's not _that_ self demising. The main reason I get up and go to work every day is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

    If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

  • by Darkness404 ( 1287218 ) on Saturday January 16, 2010 @12:30AM (#30787712)

    The difference is benefits vs drawbacks. With the Euro, the country (especially the smaller countries) got a lot more buying power and therefore more wealthy for minimal risk. With switching from IE 6 the company will -lose- money, especially in the short term to change from IE 6 and get little in the long term. Why fix what isn't broken (in the eyes of management)? All the management sees is that it would cost $10K to go from IE 6 to IE 7 for a savings of $0.
  • Re:A Question (Score:4, Insightful)

    by tagno25 ( 1518033 ) on Saturday January 16, 2010 @01:09AM (#30787930)

    > It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to be accessible to the internet... somehow.

    unless there is no cable connecting them to any device that has access to the outside world, USB ports and CD/DVD drives are disabled, you use security on the cables, and you do not run Windows.
    If you connect ANYTHING that is not approved then you can be fired and then sued if anything happened because of it.

  • Re:IE6 (Score:4, Insightful)

    by RobertM1968 ( 951074 ) on Saturday January 16, 2010 @01:53AM (#30788160) Homepage Journal

    > While it is written to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

    Really? What do you base that on?

    - First, there have already been a ton of exploits for IE7 and IE8 - and even some patches.

    - Second, Microsoft never seemed to say that IE7 or IE8 were not vulnerable. They very carefully said this instead:
    "At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer." – Microsoft.

    That states there are other affected versions... but Microsoft hasn't seen attacks against them. I could care less what Microsoft has seen... they also "saw" XP and IE6 as secure (pre Service Pack 1).

    It also means the other affected browsers are... IE4? IE5? IE7? IE8? I wonder which ones of those are the ones they are talking about? I could almost bet you that it's not a pre-IE6 browser that they are talking about.

  • by tixxit ( 1107127 ) on Saturday January 16, 2010 @02:04AM (#30788192)

    > Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

    Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.

  • Re:Example? (Score:5, Insightful)

    by eihab ( 823648 ) * on Saturday January 16, 2010 @02:18AM (#30788262)

    > Can you give us some of those "good reasons"?

    I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

    The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

    They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

    Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

    I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

    It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

    And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, every day.

  • by MadMaverick9 ( 1470565 ) on Saturday January 16, 2010 @03:35AM (#30788526)

    It doesn't matter which browser you're using ...

    If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

    Until users change their behavior and start using least-privilege accounts while surfing the web, it's wrong to blame the browser.

    Microsoft even says it in their security advisory kb 979352: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

    And this applies to any OS: Linux, Windows, Mac OS, etc.

    Rootkit - contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior admin access to execute and tamper with system files and processes.

  • by Vicegrip ( 82853 ) on Saturday January 16, 2010 @06:20AM (#30789004) Journal

    Google had some of its IP stolen too. It's hard to do business in a country where the government has no qualms about stealing your stuff and hurting your customers.
  • by QuantumG ( 50515 ) * <qg@biodome.org> on Saturday January 16, 2010 @06:40AM (#30789090) Homepage Journal

    Gah. Why does this stupidity keep getting repeated?

    IE6 comes installed with Windows XP.. you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.

    The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:

    1. Send the target a PDF.
    2. They open it in Acrobat Reader.
    3. Acrobat Reader loads up IE to display some elements of the PDF.
    4. The embedded code triggers an exploit in IE.
    5. Arbitrary code execution follows.

    And yes, it is a totally lame attack but it works because:

    * Way too many people use Acrobat Reader to read PDFs (monoculture)
    * IE can't be uninstalled, and no-one updates a browser they don't use.

    End of story.

  • by Will.Woodhull ( 1038600 ) <wwoodhull@gmail.com> on Saturday January 16, 2010 @02:25PM (#30791920) Homepage Journal

    Twenty percent of PP's users are still with MSIEv6. Looking at this in the context of the 80/20 rule of business brings these questions to mind:

    1. In general, 80% of customer-related costs are generated by 20% of the customers. How many of these MSIEv6 users fall within this 20% group?
    2. In general, 20% of customers account for 80% of sales revenue. How many of this top quintile of customers are using MSIEv6?
    3. As a rule, it is worthwhile to identify the much smaller number of customers who are in the intersection of these two groups and treat them as special cases, red carpet treatment, whether they use MSIEv6 or not. Could this be done in PP's situation?

    For many businesses this analysis is going to show that the bottom line could be improved by dropping support for MSIEv6. Pruning customers whose support costs more than the revenues they provide is good business sense (selling at a net loss never makes good sense). There are of course niche markets where this isn't true, such as direct sales of adult incontinence supplies. But even those niches are shrinking.
