IE security flaw exploited in recent Google attacks
This next item's for any rogue states out there that might be planning a comprehensive wave of cyber-attacks: It looks like Microsoft has admitted that indeed it was a security flaw in Internet Explorer that hackers based in China exploited in the recent attacks on Google. As is often the case, the flaw is neatly summed up in the title of the advisory: "Vulnerability in Internet Explorer could allow remote code execution." According to news agency AFP, the incident (which targeted Chinese human rights activists) shows "a level of sophistication above that of typical, isolated cyber criminal efforts." (Which is, evidently, how we like to think of our own cyber criminal efforts.) Microsoft has yet to release a formal software update. In the meantime, if you think your machine could be at risk, hit the source link for all the details. Or just switch to Firefox.

@dg988 Of course, if you're a proper web developer, test your site in every browser you can get your hands on. I prefer Firefox with Firebug for developing, but I make sure to test IE6, 7 and 8; Chrome, FF PC and Mac, and Safari PC and Mac. They're all quirky in one way or another.
@dg988
Had Chrome for about half a year when I wasn't really developing anything. But the diverse amount of extensions in Firefox makes it so much easier to develop in. It also allows more customization and comfort while browsing. Let's wait for Chrome's extension catalog to catch up.
Also, it goes without saying that I test in all popular browsers just like Dale P.
Funny how Google's camp keeps saying it was targeted at human rights activists... yet they provide no evidence for this. Methinks there's a lot more to this story.
@psycros
Maybe because they don't want to reveal their names? VeriSign's iDefense has reported the Chinese government has been involved in more than 30 companies through command-and-control attacks. Through various exploits and "high sophisticated attacks" (encryption over encryption and shells)
http://arstechnica.com/tech-policy/news/2010/01/furious-google-throws-down-gauntlet-to-china-over-censorship.ars
@Ryujin
More Info about the attack.
http://www.wired.com/threatlevel/2010/01/operation-aurora
"As Internet Explorer 8's Data Execution Prevention (DEP) is enabled by default, and would have to be turned off for the flaw to work, it seems likely that Google uses IE 6 or IE 7. This is actually quite typical -- IE 8 adoption in the business world has been a slow process -- many businesses still use IE 6, even. The DEP protections are optional in IE 7."
Shouldn't Google's genius IT people have known this already?????
@Jay Evans
It was IE 6 that was used to attack Google. So people need to upgrade really.
@kris120890 A lot of the time, people can't upgrade. A lot of developers - some lazy, some for valid reasons - code very specifically for a specific browser. There are many sites, applications and services that don't work well in FF and Chrome. Google, by virtue of creating Chrome, may not be exempt from this.
@Dale P The modern way to do that is to use a VM. Microsoft even makes VM images available with IE6 already in it... although I haven't used them in a year so I don't know if the freely published ones are still being updated. Either way, keeping IE6 on a machine for development work, and keeping IE6 on a machine that you actually use for surfing the web etc are two completely different things.
Security flaws will be with us... too many people open themselves to vulnerabilities for too many reasons.
It's shocking how many people are still on the archaic IE6.
@Cydoniac Yeah. As far as I remember though Windows Update is persistent about upgrading you to the latest version so it could well be people have no choice (may not be aware of other browsers or upgrading etc) so have to use that as they may have a pirated copy of Windows.
@richb93
IE8 was initially blocked on pirated Windows, but MS saw differently after a while and then changed it so it's OK to run it on pirated; problem is that people might not trust them anymore.
I'd expect people that use pirated to be in the know enough to all have switched to Opera/Firefox/Chrome anyway.
And incidentally, since the Chinese used those flaws to get at those human rights activists I guess human rights activists are pirates then? Makes sense to me, they don't want to support the big corporations or MS who censors Bing before even being asked.
It's companies' and people's fault for not upgrading from IE6.
Some say companies can't because of costs....
Well, if you are a freighter company, and have a line of trucks with a known problem in the engines that cause them to explode and damage merchandise and drivers (the real world equivalent to what can happen while using IE6), you know what you do: fix the trucks, regardless of cost.
There is no logical reason to keep IE6 other than company laziness, lack of foresight, or just plain technological ignorance. Regardless, at this point using IE6 is a USER ERROR problem, not Microsoft's.
@SirNoDroin
New code = new instabilities and new flaws (and new spyware)
Old code = patched a lot so it should be OK after several years of patching:
Flaw of logic = MS is fail both ways so you can't trust they patched ancient flaws..
What's even more amazing is the amount of work the Chinese government's spammers are putting in. They've practically swamped over the talkbacks for every major news, news blog and tech site, and this time around they aren't even pretending to be Americans.
@Dinochicken
Reminds me of those US government spammers who advertise macs and iphones on every site.
@Wwhat
You didn't understand what I was referring to, yet felt compelled to post a response. How unusual for you.
@Dinochicken
Yeah it's my fault if you can't express yourself with a minimum of clarity and go around assuming we have all the same 'logic' and 'clarity of vision' you have I guess.
But thanks for clarifying things in your response.
Here's a newsflash though, there is an ongoing propaganda war (http://en.wikipedia.org/wiki/Propoganda) against China, directed by your friendly people at the government and powered by your accommodating media, and the people who eat it all up of course.
I hope Joseph wasn't suggesting that China is a rogue state! They're the super power that owns a big chunk of our public debt. :-p
You know, there was a communist revolution in China way back and the government of China fled to Taiwan.
So if the US simply recognizes Taiwan as the real government of China and declares China a rogue state you immediately don't have to pay them back anymore and are out of the debt.
I guess that's what all the war talk is about, it's preparing for that trick?
Are most people aware that the attackers were traced back to Taiwan, not mainland China? Or are they too involved in the sinophobic frenzy the media whipped up to notice?
@meepmeep
Media is only following the memo the powermongers sent out.
And the population is only parroting what the media pushes out.
You guys are missing the point: all American based software companies must rebuild their platform in China. That includes Google recreating itself in China and IE recreating itself there too. It's a political attack. Yes IE has flaws, but undoubtedly this attack stems from other motivations.
(My company had to reconfigure its ENTIRE IT network when we opened business there.)
I do wish you the best of luck there in China. I do....Godspeed
no matter what always use Firefox :)
@heng : Or use IE8 which wouldn't have had this issue in the first place...
Seriously, why don't Microsoft just invest money into FF or Opera and make that default on Windows? I can't see how they are making profit from IE other than default search engine (Which can be changed in FF/opera).
@AllisterA
Prestige thing?
@AllisterA: Why? Competition is a good thing, and if Microsoft continues to make better versions of IE, there should be nothing wrong with Microsoft trying to offer this as an option.
IE8 is solid for the most part, and doesn't share the same amount of risk or vulnerability such as this attack that Engadget posted on.
So people are still using IE?
@anon972 : I do. IE8 is pretty great if you ask me.
When the hell will the new SkyNet browser be released? That T-800 hand in the glass case must be around here somewhere.
Hehe, I think this news really misleads internet users. Actually, if you really understand how hacking and software work, no matter whatever explorer you are using, a hack is able to break you down if you do not use it well (for example, opening unknown URL links, emails etc.).
It's funny somebody said: my explorer is safer than yours, for instance, yours will be broken through if you do it like XXX. But hackers are not stupid, they can easily find another way to get you down (because yours is vulnerable as well).
@kris
I agree with you.. Firefox is faster than another browser
http://handphone.tk