IE security flaw exploited in recent Google attacks
This next item's for any rogue states out there that might be planning a comprehensive wave of cyber-attacks: It looks like Microsoft has admitted that indeed it was a security flaw in Internet Explorer that hackers based in China exploited in the recent attacks on Google. As is often the case, the flaw is neatly summed up in the title of the advisory: "Vulnerability in Internet Explorer could allow remote code execution." According to news agency AFP, the incident (which targeted Chinese human rights activists) shows "a level of sophistication above that of typical, isolated cyber criminal efforts." (Which is, evidently, how we like to think of our own cyber criminal efforts.) Microsoft has yet to release a formal software update. In the meantime, if you think your machine could be at risk, hit the source link for all the details. Or just switch to Firefox.

Good job pointing out that it was one of several attack vectors used. Excellent, balanced reporting here.
@doubleyewdee
Great report, no mention of the fact it's limited to IE6 nor the fact that unless Google prefer IE to Chrome (itself a bigger story IMO) it's not the type of attack Google had.
@doubleyewdee
And then the suggestion to switch to the now MUCH more insecure Firefox that doesn't even support the full standard HTML4 spec.
@doubleyewdee
I admit I don't use IE except for when I have to do something in windows that requires only IE but it really isn't anyone but the user's fault.
People bitched about IE6 and IE7 and Microsoft released IE8 on which this attack couldn't have happened from what I understand.
Isn't it on the user to update security?
Something was broken so the makers fixed it but instead of accepting the fix, you carried on bitching about what was broken. And you can't really say that they didn't have the opportunity to upgrade because if there's one thing we know, Windows just loves to update itself.
I also understand that there was no single form of attack but a multi-staged attack, one of which was an IE6 exploit. So not solely IE6's fault.
Also, one company being hacked and blaming another company that's also their direct competitor. Classy...
@doubleyewdee So in short, an IE flaw was exploited to gain access to Gmail server when the victims used IE to check their Gmail accounts.
@doubleyewdee I CAN'T GET THE UPDATE BECAUSE I DON'T USE IE6 I USE IE8...SHOULD I STILL SWITCH TO FIREFOX ENGADGET?
(Going to this site just pisses me off more and more, find myself at gizmodo much more often these days...I just hate the gawker interface even more than engadget's)
@Jimbob Lol it's engadget, what do you expect? They do everything they can to make Microsoft look bad, but when Apple slips they make 'em look harmless.
@SirNoDroin
Judging by my downranking from earlier, some of the readership here is just as bad. At least from the "Let's censor/hide facts that don't support our idealism" POV.
So which came first, the Editorial bias, or the reader bias?
@Rem DX
If you follow the details of MS's updates you'll see that on a regular basis flaws are fixed that only exist in newer versions of their software, so there is no 1:1 relationship with updating and being more secure with MS.
And it makes sense, if you put in new code it will have new flaws not yet found, then once found they are exploited.
@Ordeith This is not the time to blame one company after another... Malware has become more sophisticated over these past years. Seeing the extent of the damage inflicted by these attacks, it's possible that the attack came from an internal computer within Goog's end.
An attack like that is really hard/close to not being detected when it's done for the first time. More Google-China Conspiracies: http://bit.ly/google-china-censorship-details
Imagine what would happen if another propaganda like this has been promulgated against firefox? And it turns out that someone is just manipulating/orchestrating these events just to spin the head of people and have a revolt from one company after another...
I'm more shocked that IE still exists. Every version has exploit flaws.
IE having a security flaw? No way. Get out. That's impossible.
@Solidstate89 You drank too much M$ cool-aid kid.
kool*
@Solidstate89
Inconceivable!
@Solidstate89 I think what's more surprising is the fact that Google assets had IE on them to begin with...
@tommy2468
I think you don't understand the subtlety of sarcasm.
@jonnythan
I do not think th-
...
That joke's been done too many times, hasn't it?
@MarkAnderson
I think that by now it's perfectly acceptable to simply shout "inconceivable!" whenever you want to imply someone doesn't understand the word(s) he is saying.
@Solidstate89
As the ancient Chinese proverb says: It's not a flaw it's a feature
@Solidstate89 *Scoffs* I'd never have thought! But IE has never betrayed us befo-... waaiiit a second...
Or Chrome!!
@SaintAndrew
I love Chrome! Sooooo much better than IE
@SaintAndrew +1!
lol google is now blame microsoft.
@techlord
yes they is now blame microsoft lol
@ChazClout
yea I'm is now blame techlord
MS should abandon IE and let it die.
I see a problem here..... There! There it is!
Internet Explorer.
Is there no end to the security issues in IE?
Guess the Apple commercial is right - "We've heard that before"
Not an Apple owner, but could be soon.
@edf As if IE governs who uses PC's. If you don't like IE (like most of the world), switch to something else...
@Volker
“most of the world”?
Remind me again of the current browser shares?
@dg988
http://marketshare.hitslink.com/report.aspx?qprid=3
looks like IE all versions is about 60%.
Microsoft Internet Explorer 6.0 20.99%
Microsoft Internet Explorer 8.0 20.86%
Firefox 3.5 16.32%
Microsoft Internet Explorer 7.0 15.53%
Firefox 3.0 6.91%
Chrome 3.0 3.75%
Safari 4.0 3.45%
Microsoft Internet Explorer 8.0 - Compatibility Mode 2.80%
Opera 10.x 1.58%
Firefox 2.0 0.89%
@edf
No, and there probably never will be so long as it has over 60% market share. It's exploit 101, target the largest group of people. If everyone made a mass migration to Apple I guarantee you would see A LOT more exploits popping up for OSX. As Apple's market share keeps rising, it's just a matter of time before you see malware and exploits start cropping up.
@dg988
Current browser shares are this way because most people are dweebs with no idea of the patheticness of IE.
What versions of IE are affected? How about ieTab under Firefox?
@htd: IETab uses whatever version of IE is already on your computer. It just displays the render in a tab in Firefox.
Why is google using IE? You'd think of all the companies, they'd be up there in having their employees using another browser(chrome). Especially since this kind of attack would need to take place on the computer of one of the engineers, rather than some HR lackey.
@MarcusMaximus
"Microsoft has admitted that its Internet Explorer was a weak link in the recent attacks on Google's systems that originated in China."
An IE exploit was used against Google's systems. Not Google getting hax0rd for using IE.
@ChazClout Right, but in order for it to have been exploited, google must have been running IE on those computers. I mean, I realize that IT departments often use IE/Windows XP, but especially among the engineers, individuals usually install chrome/firefox/whatever(I work as a Software Engineer for a relatively large company, so I have experience with this). I'd expect that to be even more the case somewhere like Google.
@MarcusMaximus
I know nothing about cyber attacks, but it sounds like IE was actually used as the weapon. Like if just by connecting to a Google site using IE you could use vulnerabilities to attack.
Kind of like using a specific game (Mechwarrior 2?) on the original Xbox to get XBMC on it.
I still don't know how that's possible unless they somehow got malicious code onto a Google server, or there was some vulnerability in their code that IE allowed the hackers to exploit.
Of course, keep in mind that not every single person that works for Google is a 'computer person'. I'm sure they have lots of people in sales, marketing, accounting, HR, etc. that only know enough about computers to get their jobs done.
@MarcusMaximus
Well, I know that for me, I never upgrade IE on computers I use since I don't *use* IE. I use chrome now, and before that it was firefox, so most of my computers that run XP probably still have IE6. I don't USE it, but that might actually still leave me vulnerable, I'm not sure. I just hate IE so much that I don't want to give MS any happy feelings by downloading the newest version.
But maybe that's dumb and I'm still vulnerable? I'm not even sure.
I do use IE Tab in chrome though, and that would use whatever IE I have, so I do occasionally use it.
Maybe that's what happened at google?
-Taylor
@F orrest
You dumbass....read more articles before posting. It was indeed machines at Google running IE that opened the door.
What a noob.
@F orrest Did you just call yourself a dumbass? Anyway, like I said, I know there are non-techs working at google, but at most companies, those people's computers don't have access to the actual production servers and such, so it seems unlikely it was through someone in the HR department. If they're at all smart about their security(and, well, they're google), this would have had to have happened on an engineer's or IT pro's computer.
@MarcusMaximus I'm curious too. Perhaps Microsoft means IE was exploited to hack Gmail accounts (from the activists' computers, not Google's)?
Or maybe the hackers did get lucky and find the one instance of IE running at the Googleplex. It seems possible that with as many machines as Google has, there's got to be at least a few somewhere that have IE.
Though the activist angle sounds more likely to me.
@MarcusMaximus
Google wasn't using IE, IE was used to hack into Google accounts. This is actually how the majority of attacks are carried out, you get a user on a computer using a browser with a security flaw and you hack into their account while they're logged into it. Someone did that with people's Gmail accounts.
There is a more detailed writeup on Dailytech.
http://www.dailytech.com/article.aspx?newsid=17415
I know Firefox is better than IE, but from a web developer, please please don’t switch to it. Try out Chrome or Safari!
Again, anything is better than IE, though.
@dg988
Amen to that. :)
@dg988
Firefox 3.6 and 3.7 are faster than chrome and just about as fast as safari.