The current strain being exploited only targets IE6 users, but one security company has developed an exploit for IE8 which also bypasses DEP (Data Execution Prevention).
It was rumoured this was the exploit used last week to compromise Google and various other high profile networks. Although I am skeptical as to why anyone was using IE inside Google? Perhaps doing cross browser testing for development, who knows.
Microsoft will release an out-of-band patch Jan. 21 to fix the Internet Explorer vulnerability at the center of recent attacks on Google and other enterprises.
According to Microsoft, the patch is slated to be ready around 1 p.m. EST. If all goes according to plan, the patch will close a hole that has prompted France and Germany to advise users to avoid IE and the U.S. State Department to demand answers from China. Attackers have used the vulnerability to hit IE 6. Microsoft so far has said it has only seen limited, targeted attacks using the vulnerability.
Meanwhile, security researchers have continued to uncover information about the origin of the attack. Joe Stewart, director of malware research for SecureWorks’ Counter Threat Unit, said his analysis of the code for the main Trojan involved in the attacks shows a more direct link to China.
It’s very rare for them to push an out-of-band patch for anything but I guess there are still a LOT of IE users out there and this is a serious flaw.
It does seem to originate from China with the only discussions about the technical parts of the flaw and implementation being discussed on Chinese language sites.
As can be seen by a Google search here (“crc_ta”), after the first few English news sites reporting the flaw the rest of the results are in Chinese.
According to Stewart, the code includes a CRC (cyclic redundancy check) algorithm implementation released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers.
“This CRC -16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, ‘crc_ta,'” Stewart noted in a SecureWorks blog post Jan. 20. “At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese.”
Up until this finding, Stewart told eWEEK, the factors leading people to point to China were patterns similar to previous Chinese malware.
“Unfortunately, when investigating malware, nothing is conclusive because digital evidence can be forged,” he said. “However, I believe the use of the Chinese algorithm certainly gives more credence to the attack code being Chinese in origin.”
They really have no choice but to release this patch when faced with government pressure, you should see it hitting your Windows Update sometime today (Jan 21st).
Let’s hope this patch has been tested properly and doesn’t subject users to another black screen of death.
It’s good to see some proactive initiatives by Microsoft, I hope they continue through 2010.