On January 21st, 2010 Microsoft released an out-of-band patch (MS10-002, KB 978207) for a critical remote-code-execution hole in Internet Explorer, and my advice to everyone is to install it today. Go to Windows Update, it’s there waiting – http://windowsupdate.microsoft.com
And here’s why… You may have heard that back on January 12th, Google reported a sophisticated, targeted attack on its corporate infrastructure, and on at least twenty other companies, that appeared aimed at gathering information about Chinese human rights activists. Rumor has it that the Chinese government was behind this attack.
Google’s specific example was that the attacker tried to get into the activists’ Gmail accounts, but the buzz on the Web has been that whoever launched the attack was pretty successful at gathering a boatload of intellectual property. But how did the hackers do it? The answer was revealed a couple of days later in a blog post by McAfee’s CTO George Kurtz (who named the campaign “Operation Aurora”): it was another zero-day Internet Explorer exploit.
The problem is an invalid pointer reference in Internet Explorer’s HTML engine: under certain conditions IE keeps using a piece of memory after it has been freed. What that means in English is that this is a memory-corruption bug, a different flavor from the buffer overflows behind Code Red and SQL Slammer but with the same consequence: a hacker who gets you to load the right page can make Internet Explorer do pretty much anything, including shut down, delete files, upload data from your computer to the hacker, and so forth.
Here’s a simple example of how this exploit could work. The hacker creates a fake Web page with useful information on it like, say, a complete listing of all the charitable organizations providing relief to people in Haiti. The page has text explaining who to contact as well as pictures and videos to keep your attention… and a hidden browser-side script. Unless you’ve got Internet Explorer’s Internet zone set to “High” (which turns scripting off entirely), that script runs silently the moment the page loads. (I am over simplifying, but this is basically what happens – hackers have found that social engineering around current events works very well.) The script then triggers the invalid-pointer bug and steers Internet Explorer into executing code the hacker has planted in memory, instead of the code IE was supposed to run.
Now, in the case of my example, the code could delete files, slow down your system, email personal files from your hard drive, you name it. The only restriction on the code is that it runs “as you”, so it can’t do anything you don’t have permission to do. Unfortunately, most of us log on to our computers as the local administrator, so we have full access to everything, meaning we are at the hacker’s mercy. Even a limited user can start and stop programs, read most of their own folders, and hand over whatever saved passwords or credit card details that account can reach.
The good news is that there’s a patch, which is the reason for this article. The bad news is that working exploit code was published within days of the Google disclosure, so by now there are many, many sites all around the world serving it that have nothing to do with the original Google attack. Visiting infected sites with an un-patched copy of Explorer would do… well, I have no idea what it’ll do, and that’s the point.
If you are using Internet Explorer to view Web pages and your copy is not yet patched, then you could be letting yourself in for anything, and that’s not just a hypothetical case because, again, the exploit code is already planted on the Web. A hacker with half a brain can get it running, and lots of half-brained hackers want your credit card number and personal information. What’s the probability that one of your family members or employees will visit one of those sites? I would not want to take a chance and find out.
Finally, you’ll probably read somewhere that this only affects IE6, not IE7 or IE8. That’s not entirely true. The invalid-pointer bug is present in IE6, IE7 and IE8; the attack code seen in the wild was written for IE6, and on IE7 and IE8 the same pages more often just lock up the browser or do nothing at all, largely because IE8 turns on Data Execution Prevention (DEP) by default and IE on Vista and Windows 7 runs in Protected Mode, which limits what an exploit can write to. Those are speed bumps, not fixes: researchers have since made exploit code work on IE7 and on IE8 even with DEP. Nuff said – download the patch today!
Here’s the link again:
http://windowsupdate.microsoft.com/
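If you’d rather confirm the patch actually landed than trust the Windows Update dialog, here is a PowerShell check I’ve added to this post (it is not from Microsoft or from the original article). It assumes PowerShell on the machine being checked and the standard registry locations for Internet Explorer’s version and zone settings, and it also reports whether the two stop-gap settings Microsoft recommended in the meantime, DEP and a “High” Internet zone, are in effect:

```powershell
# Added check script, not part of the original post. Reports the IE build,
# whether MS10-002 (KB978207) is recorded as installed, and whether the
# interim mitigations Microsoft recommended (DEP, Internet zone = High)
# are in effect. Assumes PowerShell 1.0 or later on the machine being checked.

# Internet Explorer version and the mshtml.dll build (the component MS10-002 replaces).
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
$mshtml    = (Get-Item "$env:windir\System32\mshtml.dll").VersionInfo.FileVersion
"Internet Explorer $ieVersion (mshtml.dll $mshtml)"

# Is KB978207 in the list of installed hotfixes?
$fix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq 'KB978207' }
if ($fix) {
    "MS10-002 (KB978207): installed"
} else {
    "MS10-002 (KB978207): NOT FOUND - go to Windows Update now"
}

# DEP policy. OptIn (2) is the client default: IE8 opts itself in, IE6 and IE7 do not,
# so only AlwaysOn (1) or OptOut (3) covers every IE version.
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$dep = [int](Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
"DEP policy: $($depNames[$dep]) ($dep)"

# Internet zone (zone 3): overall security level, and the Active Scripting setting
# (value 1400: 0 = enabled, 1 = prompt, 3 = disabled). "High" disables scripting,
# which stops the page script that triggers the bug but also breaks most real sites.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$zone    = Get-ItemProperty $zoneKey
$levels  = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium';
              0x11500 = 'Medium-High'; 0x12000 = 'High' }
$level   = [int]$zone.CurrentLevel
"Internet zone level: $($levels[$level]) (0x$('{0:X}' -f $level))"

$scripting = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
$active    = [int]$zone.'1400'
"Active Scripting in Internet zone: $($scripting[$active]) ($active)"
```

Run it from an ordinary PowerShell prompt on each machine you care about; the hotfix and DEP lines are what matter once the patch is out, and the zone lines tell you whether a machine that still can’t be patched is at least running with scripting off.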
For tons more information on this, check out the following links:
Google Blog
http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
New York Times: Google, Citing Attack, Threatens to Exit China
http://www.nytimes.com/2010/01/13/world/asia/13beijing.html
Time Magazine: Chinese Government Attacks Google Over Internet Porn
http://www.time.com/time/world/article/0,8599,1906133,00.html
VeriSign Confirms Chinese Government Behind Google Attack
http://www.blackberrycool.com/2010/01/14/verisign-confirms-chinese-government-behind-google-attack/