The Last Watchdog

on Internet security by Byron Acohido

Microsoft hustles out IE patch for zero-day vulnerability implicated in Google hack

Posted on | January 19, 2010 | 1 comment

The blowback from Google’s threat to leave China continues to escalate like a hyper-ventilated episode of Law & Order.

Microsoft has just announced that it will issue an emergency patch — something it rarely does – to staunch the Internet Explorer security hole implicated in recent data-stealing cyberattacks against Google, Adobe, Jupiter and dozens of other companies.

UPDATE: Microsoft has just announced that the patch will be released at 10 a.m. Pacific time, on Thursday, 21Jan2009.

Despite mounting evidence to the contrary, the software giant continues to downplay the extent to which this latest in a long, long line of IE zero-day vulnerabilities is being used in the wild well before a patch is available.

In this blog post, George Stathakopoulos, Microsoft’s general manager trustworthy computing security, claims Microsoft has seen only “very limited, and in some cases, targeted attacks” linked to this IE zero-day flaw.

High urgency

“To date, the only successful attacks that we are aware of have been against Internet Explorer 6,” he says.

And yet Stathakopoulos, at the same time, has signaled high urgency to get this patch out and widely installed. Microsoft is not waiting until its next Patch Tuesday — Feb. 9 — the next scheduled date for issuing security updates. And it is going public about the patch even before it has ascertained how long it will take to finish designing – and testing.

Stathakopoulos indicates that Microsoft won’t know until tomorrow, 20Jan2010, at the earliest, just how long it will take to finish up design and testing of the patch. It is planning to issue a press release sometime on Wednesday revealing when the patch will be ready.

“Quality assurance testing for (an update to) something as complicated as Internet Explorer is a gargantuan task,” says Chet Wisniewski, security analyst at Sophos. “They need to make sure the patch doesn’t break anything in Windows before they can release it.”

This is all part of the fast-evolving fallout of Google grabbing a high level of public attention about an otherwise routine cyber espionage assault. By threatening to pull out of China, Google has, for the moment, elevated the security discussion to a level that the problem warrants.

Plot thickens

Over the past nine days the plot has thickened at high velocity. Here’s a chronology:

  • 6 p.m. EST, Tuesday, 11Jan2010. Google issues a press release timed to miss the network TV news cycle. The search giant says it “may well” leave China because of cyberattacks and censorship.
  • Thursday, 14Jan2010. McAfee discloses that Google and some 30 other companies were targeted by a spear phishing campaign, dubbed Operation Aurora. The attackers tricked specific employees into clicking on a bad link, accessing a heretofore unknown security hole in IE6, an older version of Microsoft’s popular Web browser, to take over control of the PC.
  • Thursday, 14Jan2010. President Obama convenes 50 CEOs to hear him deliver a speech on modernizing government tech systems. Among them: Microsoft CEO Steve Ballmer, wearing a patriotic red-white-and-blue tie. After Obama’s speech, CNBC reporter Maria Bartiromo appears to catch Ballmer a bit off guard in a live interview. In the midst of a string of predictable questions, Bartiromo asks Ballmer about IE’s complicity in the Google cyber attacks, as disclosed by McAfee just a few hours earlier. Ballmer pauses slightly, thinking on his feet. He tells Bartiromo: “Cyber attacks and occasional vulnerabilities are a way of life. If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”
  • Friday, 15Jan2009. Metasploit researcher HD Moore reveals how the new, unpatched IE security flaw could be exploited on IE7 and IE8, the latest versions of Microsoft’s popular Web browser. Moore, the mastermind behind Month of Apple Bugs, is a self-styled good-guy hacker who believes in holding vendors’ feet to the fire, forcing them to take full responsibility for security flaws in their commercially sold products. In this case, it worked. “Microsoft is afraid that if it only took researchers a day or two to figure this out, it will take the bad guys a couple more days to do the same thing,” says Sophos analyst Wisniewski.
  • Friday, 15Jan2010, the German government issues a warning advising its citizens to find an alternative to Internet Explorer.
  • Monday, 18Jan2010, the French and Australian governments issue warnings not to use IE.
  • Tuesday, 19Jan2010. Microsoft announces an IE patch is in the works. Within an hour of Microsoft’s announcing the patch, Falguni Bhuta, communications manager for Oslo, Norway-based Opera Software, contacts LastWatchdog to announce that downloads of its rival Opera Web browser have doubled in Germany and risen 35 percent in Australia. “Security issues continue to plague Internet Explorer users, and the latest recommendations from the German and French governments against using the browser are in line with what the security experts have been saying for years,” says Jan Standal, Opera’s vice president of desktop products.

By Byron Acohido

The blowback from Google’s threat to leave China because of cyberattacks and censorship continues to escalate.

Microsoft has just announced that it will issue an emergency patch — something it rarely does – to staunch the Internet Explorer security hole implicated in recent data-stealing cyberattacks against Google, Adobe, Jupiter and dozens of other companies.

Despite mounting evidence, the software giant continues to downplay the extent to which this latest in a long, long line of IE zero-day vulnerabilities is being used in the wild well before a patch is available.

In this blog post, George Stathakopoulos, Microsoft’s general manager trustworthy computing security, claims Microsoft has seen only “very limited, and in some cases, targeted attacks” linked to this IE zero-day flaw. “To date, the only successful attacks that we are aware of have been against Internet Explorer 6,” he says.

And yet Microsoft is, at the same time, signaling high urgency. It will not wait until its next Patch Tuesday — Feb. 9 — the next scheduled date for issuing security updates. And it is going public about the patch even before it has ascertained how long it will take to finish designing – and testing. Stathakopoulos indicates that Microsoft won’t know until tomorrow, 20Jan2010, at the earliest, just how long it will take to finish up design and testing of the patch. It is planning to issue a press release sometime on Wednesday revealing when the patch will be ready.

“Quality assurance testing for (an update to) something as complicated as Internet Explorer is a gargantuan task,” says Chet Wisniewski, security analyst at Sophos. “They need to make sure the patch doesn’t break anything in Windows before they can release it.”

This is all part of the fast-evolving fallout of Google grabbing a high level of public attention about an otherwise routine cyber espionage assault. By threatening to pull out of China, Google has, for the moment, elevated the security discussion to a level that the problem warrants.

The plot has thickened like a hyper-ventilated episode of Law & Order.

At 6 p.m., last Tuesday, 11Jan2010, Google sends a press release out timed to miss the TV network news cycle. The search giant says it “may well” leave China because of cyberattacks and censorship.

On Thursday, 14Jan2010, McAfee discloses that Google and some 30 other companies were targeted by a spear phishing campaign, dubbed Operation Aurora. The attackers tricked specific employees into clicking on a bad link, accessing a heretofore unknown security hole in IE6, an older version of Microsoft’s popular Web browser, to take over control of the PC.

Coincidentally, also on Thursday, 14Jan2010, President Obama convenes tech execs from around the globe to hear him deliver a speech on modernizing the Internet. Among them: Microsoft CEO Steve Ballmer, wearing a patriotic red-white-and-blue tie.

After Obama’s speech, CNBC reporter Maria Bartiromo appears to catch Microsoft’s Ballmer a bit off guard in a live interview. In the midst of a string of predictable questions, Bartiromo asks Ballmer about IE’s complicity in the Google cyber attacks, as disclosed by McAfee just a few hours earlier. Ballmer answers:

Cyber attacks and occasional vulnerabilities are a way of life. If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.

The very next day, Friday, 15Jan2009, Metasploit researcher HD Moore reveals how the new, unpatched IE security flaw could be exploited on IE7 and IE8, the latest versions of Microsoft’s popular Web browser.

“Microsoft is afraid that if it only took researchers a day or two to figure this out, it will take the bad guys a couple more days to do the same thing,” says Wisniewski.

The concern was shared by government leaders. On Friday, 15Jan2010, the German government issued a warning advising its citizens to find an alternative to Internet Explorer, and by Monday, 18Jan2010, the French and Australian governments followed suit.

Then today, 19Jan2010, within an hour of Microsoft’s announcing the patch, Falguni Bhuta, communications manager for Oslo, Norway-based Opera Software, contacted LastWatchdog to announce that downloads of its rival Opera Web browser have doubled in Germany and risen 35 percent in Australia.

Just wanted to point out some of these numbers to you, thought it
would be interesting fodder for a story on IE security issues. Also
here is a statement from Jan Standal, Opera’s VP Product, Desktop.

“Security issues continue to plague Internet Explorer users, and the
latest recommendations from the German and French governments against
using the browser are in line with what the security experts have been
saying for years,” says Jan Standal, Opera’s vice president of desktop products.

Comments


  1. Well said, Byron. From what is known about the attack so far, it seems that the link the users clicked took them to an SSL encrypted web site. By doing this, the hackers have been able to establish an encrypted tunnel right through the security infrastructure of their targets. Users have been told for years that SSL connections are “safe”, which of course only means that 3rd parties (that includes security scanners) can’t read it. Nobody should assume that the content is trustworthy because a site uses SSL. There is a very high likelihood that the attack would have been stopped cold, had those companies an SSL scanning and certificate validation solution in place. Full disclosure: I’m the President of Microdasys Inc. ( http://www.microdasys.com ) that is offering SCIP, a SSL Content Proxy, that enables content security scanners to examine SSL encrypted web traffic and provides SSL certificate validation.
