
Microsoft Confirms IE Fault in Google China Hack

Source: Tom's Hardware US

Hackers exploited Internet Explorer security flaw in Google attack.

On Thursday, security firm McAfee said that Operation Aurora, the attack that hit Google and multiple companies early in the week, was the result of a new, "not publicly known" vulnerability found in Microsoft's web browser, Internet Explorer.

Microsoft quickly admitted the flaw in a TechNet blog post. Mike Reavey, director of Microsoft's security response team, wrote, "Based on our investigations into these attacks, as well as the investigations of others, we recently became aware that a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies."

"Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity," Reavey continued. "We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation."

In response, Microsoft has published a security advisory that advises users to turn up the security settings in their Internet Explorer software until a further update can be issued.

"Our teams are currently working to develop an update and we will take appropriate actions to protect our customers," Reavey added. The post pointed out that Microsoft has no indication that the company's corporate network or mail properties were attacked as part of the recent attacks.

Top Comments
  • 15 Hide
    doc70 , January 15, 2010 10:30 PM
    There is no browser out there that has zero security flaws. Admittedly, some have more than others, I don't use IE on any of my Windows machines, but that does not excuse the fact that China uses this to exercise its censorship.
    Before blaming the homeowner for not having the latest and greatest locks on his doors I would still blame the burglar first for breaking in. If we start diverting the blame onto the wrong party then good luck when you become the victim.
    As I have said it before, any PC/OS and any browser is only as smart as its user. If the user is evil, the PC becomes "evil" as well.
Other Comments
  • 5 Hide
    botabota , January 15, 2010 7:59 PM
    That's why we have Firefox
  • 5 Hide
    Hanin33 , January 15, 2010 8:00 PM
    anyone surprised?
  • 7 Hide
    4trees , January 15, 2010 8:03 PM
    Using Google Chrome :) 
  • 5 Hide
    buckinbottoms , January 15, 2010 8:04 PM
    Actually, it is still Google's fault. The fix was available and has been available since IE7. It's called DEP. Google was either using IE6 which does not have the feature, or IE7 and did not enable DEP, or was using IE8 and manually turned the feature off since it is active by default.
  • 0 Hide
    gzhang , January 15, 2010 8:20 PM
    From MS security Advisory (provided above), it doesn't look like DEP can prevent this attack. Most likely the pointer can be used to alter the execution path, not a stack overflow bug.
  • -4 Hide
    sublifer , January 15, 2010 8:30 PM
    http://www.tomshardware.com/forum/20945-9-viewing-images

    Come on people! Vote for Change!
  • 3 Hide
    flyinfinni , January 15, 2010 8:30 PM
    Doesn't sound like it was a known problem with a fix already available to me or Microsoft would not have admitted any part of the blame.
  • 0 Hide
    war2k9 , January 15, 2010 10:03 PM
    As I remember some online saying ie8 is the safest web browser out there.
    can we still trust ms ie8?
  • -1 Hide
    CrashOverride90 , January 15, 2010 10:06 PM
    lol exactly the reason why i always use firefox with two top-notch security plugins (Adblock plus and noscript).
  • -3 Hide
    STravis , January 15, 2010 10:11 PM
    And this is why we don't trust MS software (no matter how much MS tries to convince us they care about security)..
  • -4 Hide
    alextheblue , January 15, 2010 11:16 PM
    "a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies."

    But clearly, it is IE's fault exclusively.
  • -3 Hide
    ta152h , January 16, 2010 1:10 AM
    IE kind of sucks, on a general basis, so that's the main reason I use Opera. Plus, no one is going to develop these attacks for Opera, since the market share is so low. On top of that, it's a fine browser.

    I hate the IE user experience. It's typical Microsoft software - heavy handed, bloated, and buggy. I like Firefox, but, prefer Opera. I expect with Firefox getting so much market share, it might become a more attractive target.

    Is it too late to let the Japanese take over China, instead of preventing it? For the life of me, I don't know why we coddle this country that is intent on undermining us. As Winston Churchill said, appeasement is like feeding a crocodile hoping he'll eat you last. We need to start making them pay for their nonsense. Otherwise, why will they stop? It's like feeding a Tiger steak, and hoping it will become a vegetarian.
  • 6 Hide
    eddieroolz , January 16, 2010 2:44 AM
    IE is good for me, I'll continue to use it.
  • -3 Hide
    Anonymous , January 16, 2010 2:59 AM
    is too late to stop the Japanese bombing Pearl Harbor too. is too late to stop the American nuke Japan too. is too late to know that Japanese auto is better than your own. is too late that you need to borrow money from China and buying everything from China for everyday needs. is too late to know that you can't produce your own stuff with cheap labor even though you are poor now. is too late to boycott the Chinese product and goods cause is so cheap that you can't get it anywhere any country that can make it with this quality and cheap. is too late to build your own factory to made your own stuff that cheap and you will spent your money buying American product anymore. is too late to rebuild your economy now since your government try to print more money to save the market but mostly all the ceo out there willing to spent the government saving funds as Christmas bones. is too late to realize that you are been too lazy and is too late to understand that sometime too much freedom stops you moving forward. the only way to stop the Chinese is not by judge how and what they can do. you should worries more about yourself to see what you can do to make yourself better. China is evil at least but they never war against any country after ww2. I guess good eastern world love war against mideast.
  • 3 Hide
    anamaniac , January 16, 2010 3:33 AM
    Disappointing to have apparently missed a major flaw, however, Microsoft admitted their mistake and they're working to fix it, so I'm satisfied with the outcome.
  • -4 Hide
    Regulas , January 16, 2010 12:29 PM
    What do you expect when MS ties their browser to the OS at the kernel level. Windows is a Swiss Cheese OS. Now flame me MS fanboys on how perfect 7 is.
  • -5 Hide
    Regulas , January 16, 2010 12:31 PM
    sublifer: http://www.tomshardware.com/forum/ [...] ing-images Come on people! Vote for Change!

    Half the idiot voters in the USA are mind numb idiot lemmings and voted for change in our President from Kenya and look what it got us, Socialism.
  • 0 Hide
    back_by_demand , January 16, 2010 12:34 PM
    ta152h: IE kind of sucks, on a general basis, so that's the main reason I use Opera. Plus, no one is going to develop these attacks for Opera, since the market share is so low.

    That is a pretty bad excuse for using it. You are trading less security for being harder to find? This does not bode well if anyone deliberately targets you.
  • 6 Hide
    back_by_demand , January 16, 2010 12:49 PM
    noshreiels@yahoocom: china is evil at least but they never war against any country after ww2.

    Oh no you didn't do that

    http://en.wikipedia.org/wiki/Sino-Indian_War
    http://en.wikipedia.org/wiki/Invasion_of_Tibet_(1950%E2%80%931951)
    http://en.wikipedia.org/wiki/Sino-Vietnamese_War
    http://en.wikipedia.org/wiki/People%27s_Liberation_Army_invasion_of_Xinjiang_(1949)
    http://en.wikipedia.org/wiki/1987_Sino-Indian_skirmish
    http://en.wikipedia.org/wiki/Chola_incident
    http://en.wikipedia.org/wiki/Sino-Soviet_border_conflict

    Know history much? Or just burying your head in the sand...

