France, Germany warn against Internet Explorer

**vector7** · January 19th, 2010, 16:36

France, Germany warn against Internet Explorer

8:10 AM Tuesday Jan 19, 2010
Photo / AP

France and Germany have warned web users against using all versions of Microsoft's Internet Explorer to protect security.

The German government first warned users on Friday after malicious code implicated in attacks on Google was published online, reports the BBC.

A security hole led to attacks against Google and other sites by hackers in China who gained access into the email accounts of human rights activists.

Although Microsoft admitted that its browser was the weak link in the recent attacks it rejected the warning as too strong saying that the security threat was low.

"These were not attacks against general users or consumers," said Thomas Baumgaertner, a Microsoft spokesman in Germany.

Mr Baumgaertner stressed that the attacks on Google were carried out by "highly motivated people with a very specific agenda".

Microsoft recommends users setting the browser's security zone to "high", although this does have the disadvantage of limiting functionality and blocking some websites.

Graham Cluley of antivirus security firm Sophos said that because details of the attack were now available online, hackers would soon be able to change the code to target other versions of the browser, says the BBC.

"The way to exploit this flaw has now appeared on the internet, so it is quite possible that everyone is now going to have a go," said Cluley.

However, Cluley points out that all web browsers have security issues so switching browsers may simply expose you to a different type of risk.

Microsoft has is trying and mitigate the damage by releasing an emergency patch, reports the Telegraph.

A Microsoft spokesperson says a timeframe for when the patch will be ready cannot be committed to.

- NZ HERALD STAFF
Copyright ©2010, APN Holdings NZ Limited

**vector7** · January 19th, 2010, 16:41

Calls to ditch Internet Explorer after China hacks

January 18, 2010

Internet users are being warned off Internet Explorer after it was revealed that recent sophisticated cyber attacks on Google and other businesses exploited a previously unknown flaw in Microsoft's web browser.

Germany's Federal Office for Information Security, or BSI, told Germans to avoid use of all versions of Explorer after the security hole led to hacks against Google and others.

Microsoft confirmed the weakness after Google announced that hackers in China had pried into email accounts of human rights activists. However, the company said that the hole could be closed by setting the browser's internet security zone to "high".

But the BSI insisted that such measures were not sufficient.
"Using Internet Explorer in 'secure mode', as well as turning off Active Scripting, makes attacks more difficult but can not fully prevent them," BSI said in a statement.

Google said last week that in mid-December, it detected an attack on its corporate infrastructure originating from China that resulted in the theft of its intellectual property. It eventually found that more than 20 other companies had been infiltrated.

Security firm McAfee said on Thursday that those who engineered the attacks tricked employees of the companies into clicking on a link to a website that secretly downloaded sophisticated malicious software onto their PCs through a campaign that the hackers apparently dubbed "Operation Aurora".

"We have never seen attacks of this sophistication in the commercial space. We have previously only seen them in the government space," said Dmitri Alperovitch, a vice-president of research with McAfee.

The programs allowed the hackers to take control of the PCs without the knowledge of their users, said McAfee, which has been researching the matter on behalf of several companies involved in the attacks since late last week.

Alperovitch declined to say which companies had hired McAfee, saying they had signed confidentiality agreements.

So far the only other victim to come forward is design software maker Adobe Systems, which has said that it is still investigating the matter.
Some researchers have speculated that the attackers may have exploited flaws in Adobe's Acrobat software and its widely used Reader program for opening PDF documents.

McAfee's researchers said that they found no evidence that was the
case.

Still, they said that the hackers might have used other types of malicious software to break into Google and the other companies.

Internet Explorer is vulnerable on all recent versions of the Windows operating system, including Windows 7, McAfee says. Microsoft said attacks had been limited to IE6, an older version of the application.

**vector7** · January 19th, 2010, 16:47

Google Hack Leaked to Internet; Security Experts Urge Vigilance

By Jeremy A. Kaplan
- FOXNews.com

The code that was used to hack Gmail accounts in China is now publicly available on the Internet, and security experts are urging computer users throughout the world to be highly vigilant until a patch can be developed.

AP Photo
Google's threat to leave China over censorship and e-mail hacking alarmed an Internet-connected public. Now the code behind that hack has become widely available and experts urge vigilance.

The code that was used to hack Gmail accounts in China is now publicly available on the Internet, and security experts are urging computer users throughout the world to be highly vigilant until a patch can be developed.

The hack involves Internet Explorer 6, the browser that came with the Windows XP operating system that, while outdated, still powers millions of businesses and home computers and is now dangerously compromised.

On Thursday, the code that was used to hack Gmail accounts in China and led Google to threaten to close shop there was posted to malware-analysis Web site Wepawet. By Friday, security site Metasploit had posted a demonstration of just how easily the exploit can be used to gain complete control over a computer.

Metasploit is intended to let security professionals test out security threats.

"Normally these frameworks are designed for the good guys for our assessment. The problem is, it's open source and available to anyone," said Michael Gregg, head of Superior Solutions Inc., a Houston-based cybersecurity consultancy.

"And the scary thing about Metasploit is, anybody can pull this stuff down and anybody can launch it. It's not the skilled hacker working for the government, it's the kid next door."

George Kurtz, CTO of the security firm McAfee, agrees. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," he wrote late week.

"This attack is especially deadly on older systems that are running XP and Internet Explorer 6."

Hacks based on this security flaw led Google to threaten to drop its www.google.cn Web site and leave China last week. The Internet behemoth believes these security intrusions are a quest not just for political knowledge but also for intellectual property. Experts warn that as many as 30 other companies have been hacked, ranging from software firms like Adobe and Juniper Networks to Northrop Grumman -- a major U.S. defense contractor and manufacturer of nuclear-powered aircraft carriers and the Global Hawk unmanned drone.

Microsoft has yet to patch the hole in IE 6, a flaw so serious it's prompted the German government to suggest citizens avoid IE. Microsoft has posted a security advisory detailing the problem, and urging users to upgrade to newer browsers.

Microsoft's next scheduled security update is Feb. 9 -- so unless the company expedites an "out of cycle" security patch, more than three weeks will elapse before this vulnerability is fixed. Without a patch in sight, security experts urge vigilance, and not just for government agencies and huge businesses like Google.

"This is something that affects businesses in the U.S. as well as individuals. The Internet knows no borders," Gregg warned.

Gregg said that years ago, software companies had months to solve a security flaw after it was uncovered. Today, it's hours. Protecting yourself and your business is substantially harder today than it was in years past, too, due both to the accelerated pace of these exploits and also to hackers' reliance on social engineering, where an individual is tricked into providing confidential information.

Gregg calls it spearphishing: "They target the user with an e-mail that would appeal to them, one that leads to a site that launches malicious code onto your system." And the IE 6 exploit makes it particularly easy to slip that code on your computer.

Staying on top of current security patches, using firewalls, updating Web browsers and running intrusion detection software is the first part of staying safe. But since most attacks rely upon spearphishing or some similar end-user exploit, Gregg suggests a training program that would warn users that if an e-mail link looks too good to be true, it probably is -- don't click on it.