
Microsoft Confirms IE Fault in Google China Hack

Source: Tom's Hardware US

Hackers exploited Internet Explorer security flaw in Google attack.

On Thursday, security firm McAfee said that Operation Aurora, the attack that hit Google and multiple companies early in the week, was the result of a new, "not publicly known" vulnerability found in Microsoft's web browser, Internet Explorer.

Microsoft quickly admitted the flaw in a TechNet blog post. Mike Reavey, director of Microsoft's security response team, wrote, "Based on our investigations into these attacks, as well as the investigations of others, we recently became aware that a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies."

"Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity," Reavey continued. "We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation."

In response, Microsoft has published a security advisory that advises users to turn up the security settings in their Internet Explorer software until a further update can be issued.

"Our teams are currently working to develop an update and we will take appropriate actions to protect our customers," Reavey added. The post pointed out that Microsoft has no indication that the company's corporate network or mail properties were attacked as part of the recent attacks.

There are 31 Comments.
Top Comments
  • 15
    doc70 , January 16, 2010 6:30 AM
    There is no browser out there that has zero security flaws. Admittedly, some have more than others, I don't use IE on any of my Windows machines, but that does not excuse the fact that China uses this to exercise its censorship.
    Before blaming the homeowner for not having the latest and greatest locks on his doors I would still blame the burglar first for breaking in. If we start diverting the blame onto the wrong party then good luck when you become the victim.
    As I have said it before, any PC/OS and any browser is only as smart as its user. If the user is evil, the PC becomes "evil" as well.
Other Comments
  • 5
    botabota , January 16, 2010 3:59 AM
    That's why we have Firefox
  • 5
    Hanin33 , January 16, 2010 4:00 AM
    anyone surprised?
  • 7
    4trees , January 16, 2010 4:03 AM
    Using Google Chrome :) 
  • 5
    buckinbottoms , January 16, 2010 4:04 AM
    Actually, it is still Google's fault. The fix was available and has been available since IE7. It's called DEP. Google was either using IE6 which does not have the feature, or IE7 and did not enable DEP, or was using IE8 and manually turned the feature off since it is active by default.
  • 0
    gzhang , January 16, 2010 4:20 AM
    From the MS Security Advisory (provided above), it doesn't look like DEP can prevent this attack. Most likely the pointer can be used to alter the execution path, not a stack overflow bug.
  • -4
    sublifer , January 16, 2010 4:30 AM
    http://www.tomshardware.com/forum/20945-9-viewing-images

    Come on people! Vote for Change!
  • 3
    flyinfinni , January 16, 2010 4:30 AM
    Doesn't sound like it was a known problem with a fix already available to me or Microsoft would not have admitted any part of the blame.
  • 0
    war2k9 , January 16, 2010 6:03 AM
    As I remember some online saying ie8 is the safest web browser out there.
    can we still trust ms ie8?
  • -1
    CrashOverride90 , January 16, 2010 6:06 AM
    lol exactly the reason why i always use firefox with two top-notch security plugins (Adblock plus and noscript).
  • -3
    STravis , January 16, 2010 6:11 AM
    And this is why we don't trust MS software (no matter how much MS tries to convince us they care about security)..
  • -4
    alextheblue , January 16, 2010 7:16 AM
    "a vulnerability in Internet Explorer appears to be one of several attack mechanisms that were used in highly sophisticated and targeted attacks against several companies."

    But clearly, it is IE's fault exclusively.
  • -3
    ta152h , January 16, 2010 9:10 AM
    IE kind of sucks, on a general basis, so that's the main reason I use Opera. Plus, no one is going to develop these attacks for Opera, since the market share is so low. On top of that, it's a fine browser.

    I hate the IE user experience. It's typical Microsoft software - heavy handed, bloated, and buggy. I like Firefox, but, prefer Opera. I expect with Firefox getting so much market share, it might become a more attractive target.

    Is it too late to let the Japanese take over China, instead of preventing it? For the life of me, I don't know why we coddle this country that is intent on undermining us. As Winston Churchill said, appeasement is like feeding a crocodile hoping he'll eat you last. We need to start making them pay for their nonsense. Otherwise, why will they stop? It's like feeding a Tiger steak, and hoping it will become a vegetarian.
  • 6
    eddieroolz , January 16, 2010 10:44 AM
    IE is good for me, I'll continue to use it.
  • -3
    anonymous@guest , January 16, 2010 10:59 AM
    is too late to stop the japanese bombing Pearl Harbor too. is too late to stop the american nuke japan too. is too late to know that japanese auto is better than your own. is too late that you need to borrow money from china and buying everything from china for everyday needs. is too late to know that you can't produce your own stuff with cheap labor even though you are poor now. is too late to boycott the chinese product and goods cause is so cheap that you can't get it anywhere any country that can make it with this quality and cheap. is too late to build your own factory to made your own stuff that cheap and you will spent your money buying american product anymore. is too late to rebuild your economy now since your government try to print more money to save the market but mostly all the ceo out there willing to spent the government saving funds as Christmas bones. is too late to realize that you are been too lazy and is too late to understand that sometime too much freedom stops you moving forward. the only way to stop the chinese is not by judge how and what they can do. you should worries more about yourself to see what you can do to make yourself better. china is evil at least but they never war against any country after ww2. I guess good eastern world love war against mideast.
  • 3
    anamaniac , January 16, 2010 11:33 AM
    Disappointing to have apparently missed a major flaw, however, Microsoft admitted their mistake and they're working to fix it, so I'm satisfied with the outcome.
  • -4
    Regulas , January 16, 2010 8:29 PM
    What do you expect when MS ties their browser to the OS at the kernel level. Windows is a Swiss Cheese OS. Now flame me MS fanboys on how perfect 7 is.
  • -5
    Regulas , January 16, 2010 8:31 PM
    sublifer: http://www.tomshardware.com/forum/ [...] ing-images Come on people! Vote for Change!

    Half the idiot voters in the USA are mind numb idiot lemmings and voted for change in our President from Kenya and look what it got us, Socialism.
  • 0
    back_by_demand , January 16, 2010 8:34 PM
    ta152h: IE kind of sucks, on a general basis, so that's the main reason I use Opera. Plus, no one is going to develop these attacks for Opera, since the market share is so low.

    That is a pretty bad excuse for using it. You are trading less security for being harder to find? This does not bode well if anyone deliberately targets you.
  • 6
    back_by_demand , January 16, 2010 8:49 PM
    noshreiels@yahoocom: china is evil at least but they never war against any country after ww2.

    Oh no you didn't do that

    http://en.wikipedia.org/wiki/Sino-Indian_War
    http://en.wikipedia.org/wiki/Invasion_of_Tibet_(1950%E2%80%931951)
    http://en.wikipedia.org/wiki/Sino-Vietnamese_War
    http://en.wikipedia.org/wiki/People%27s_Liberation_Army_invasion_of_Xinjiang_(1949)
    http://en.wikipedia.org/wiki/1987_Sino-Indian_skirmish
    http://en.wikipedia.org/wiki/Chola_incident
    http://en.wikipedia.org/wiki/Sino-Soviet_border_conflict

    Know history much? Or just burying your head in the sand...

