Operation Aurora Attacks
Russ Cooper, January 21st, 2010
There seems to be a lot of chatter regarding what McAfee is calling “Operation Aurora”. This refers to attacks against a number of companies including Google, apparently in China or doing business in China, involving a previously undisclosed vulnerability in versions of Internet Explorer after 5.01 and before 8.
The original attacks are reported to be “targeted”, allegedly appearing in employee inboxes looking to have come from a fellow employee. These emails include a link to a web page that exploits the browser. McAfee states in their blog that initial exploitation results in the downloading of several pieces of malware that open a covert channel to command-and-control servers (now offline).
Our take is that this is just another browser vulnerability. According to public sources, there were 34 last year. Anti-virus companies have signatures available, and Microsoft is working on a patch. Been there, done that, got a T-shirt.
A close read of the statements made by Google about this exploit leaves one wondering just what did happen. Google says that the exploit led to the loss of some of their Intellectual Property (IP), and that during the investigation they discovered other companies had been compromised as well. This would be true of practically any successful exploit. We have had experience in the past with criminals who have discovered a vulnerability and then attempted to exploit it against any victim they can find. Once they do find a victim, more effort is then expended in order to bilk that victim out of anything the criminals might find valuable. We referred to these victims in our 2008 Data Breach Study as “low hanging fruit”. Might this attack be just another example of these criminal activities?
At the end of the day all we can see is a previously undisclosed exploit that was used against businesses to obtain information that might be profitable to the criminals. This is a logical first use of a new exploit, one that follows the trend of criminals making a profit (rather than a statement).
While another unpatched Internet Explorer vulnerability is a risk companies must contend with, there is nothing here that makes this any different than any other in the past.
As we have long recommended, good security architectures use “defense in depth.”
- User awareness
- E-mail configuration
  - Why would an internal user send from an external SMTP server?
  - Should your external-facing MTA accept FROM’s with internal addresses?
  - Sender Policy Framework and DomainKeys help identify phishing mail
- Malcode defenses at the gateway and the desktop
  - Content security solutions at the gateway
  - Desktop AV
  - Desktop browser defenses: SiteAdvisor, LinkScanner, Safe Surfing, etc.
- Browser
  - IE 6 was first released on 2001-08-27
  - What other program in the enterprise is eight years old, is used to interact with random, untrusted Internet locations, and is used as often as a browser? It is time we purged our organizations of IE 6. It is inevitable. “There’s no time like the present.”
- Client-side attachment handling up-to-date (PDF reader, Office, etc.)
- DEP
- ASLR (Vista and above) (not available for Firefox or Chrome)
- HIPS
- DNS blacklists
- DLP
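The two e-mail configuration questions above (why would an internal sender arrive from an external SMTP server, and should the external MTA accept internal addresses in FROM) can be turned into a simple inbound check. The following is an added example, not code from the original post or from any product it mentions. It assumes the organisation's own domain is example.com, that legitimate internal mail only ever reaches the external MX from the 10.0.0.0/8 relay range, and that the MX stamps an Authentication-Results header (the standard SPF result header) and a topmost Received header recording the connecting IP; the three messages are constructed for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain(s) and the
# address range from which genuine internal mail reaches the external MX.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_RELAYS = [ipaddress.ip_network("10.0.0.0/8")]

# IP literal in square brackets, as MTAs write it into Received headers.
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """Return the peer IP from the topmost Received header (the hop our MX added)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_IP_RE.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def spf_result(msg):
    """Pull the spf= verdict out of the MX's Authentication-Results header."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def classify(raw_message):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain in INTERNAL_DOMAINS:
        ip = connecting_ip(msg)
        via_internal_relay = ip is not None and any(ip in net for net in INTERNAL_RELAYS)
        if not via_internal_relay:
            findings.append("internal From: via external relay")
        verdict = spf_result(msg)
        if verdict != "pass":
            findings.append(f"spf={verdict}")
    return findings


# Constructed sample messages (headers only matter for this check).
SPOOFED = """Received: from mail.example.net (unknown [203.0.113.7]) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
From: Alice <alice@example.com>
To: bob@example.com
Subject: please review

Please open the attached link.
"""

GENUINE = """Received: from corp-relay.example.com (corp-relay.example.com [10.1.2.3]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com
From: Alice <alice@example.com>
To: bob@example.com
Subject: quarterly numbers

Attached.
"""

PARTNER = """Received: from mail.partner.example (mail.partner.example [198.51.100.9]) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example
From: Carol <carol@partner.example>
To: bob@example.com
Subject: contract

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE), ("partner", PARTNER)):
        print(name, classify(raw) or "clean")
```

A message claiming an internal sender but arriving from outside the relay range, or failing SPF, is exactly the case the two questions describe; a real deployment would reject or quarantine it at the MTA rather than classify it after the fact.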
If only 5 of these are used and each one individually is only 80% effective, the resulting risk reduction is 99.97%.
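The 99.97% figure follows from treating each layer as an independent chance to stop the attack, so the attack succeeds only if every layer misses: 1 − 0.2^5 = 0.99968. The code below is an added example, not part of the original post; it carries that arithmetic through as a general function, inverts it to ask how many equally effective layers reach a target, and shows the worst case the independence assumption hides (if one technique that defeats the strongest layer defeats all of them, the stack is no better than its best layer).

```python
from math import prod


def layered_effectiveness(controls):
    """Combined effectiveness of independent controls: 1 minus the product of their miss rates."""
    for c in controls:
        if not 0.0 <= c <= 1.0:
            raise ValueError("effectiveness must be a fraction in [0, 1]")
    return 1.0 - prod(1.0 - c for c in controls)


def correlated_effectiveness(controls):
    """Fully correlated failures: whatever bypasses the best layer bypasses the rest, so no gain beyond max."""
    return max(controls)


def layers_needed(per_layer, target):
    """Smallest number of independent layers, each with effectiveness per_layer, reaching target."""
    if not 0.0 < per_layer < 1.0:
        raise ValueError("per-layer effectiveness must be strictly between 0 and 1")
    layers, miss = 0, 1.0
    while 1.0 - miss < target:
        miss *= 1.0 - per_layer
        layers += 1
    return layers


if __name__ == "__main__":
    five_layers = [0.8] * 5
    print(f"5 independent layers at 80%: {layered_effectiveness(five_layers):.4%}")
    print(f"same 5 layers, fully correlated: {correlated_effectiveness(five_layers):.0%}")
    print(f"layers at 80% needed for 99.9%: {layers_needed(0.8, 0.999)}")
```

Running it reproduces the post's number (99.968%, rounded to 99.97%) and shows why the assumption matters: the figure is only as good as the independence between layers, which is the case for having controls that fail in different ways (e.g. a gateway filter and a desktop exploit mitigation) rather than several controls that all rely on the same signature.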
“If only 5 of these are used and each one individually is only 80% effective, the resulting risk reduction is 99.97%.”
Really? How do you figure that?
Posted by: Arthur on January 22nd, 2010 at 2:49 pm

Assuming the controls are independent of each other, then Total Effectiveness = 1 – ((1 – Control1) * (1 – Control2) * (1 – Control3)…), which is why we have always talked about “Synergistic Controls” as being such a great idea. Working hard to get any one control to be incredibly effective is just not necessary, and might even be counter-productive, if many layers can be more easily deployed and managed.
Posted by: Russ Cooper on January 25th, 2010 at 6:39 pm

I agree. The whole “advanced persistent threat” discussion is off – this was advanced, for sure. Finding an exploitable bug in IE today is much more difficult than it used to be, since many of them have already been found, exploited, and fixed. Persistence? Sure, if a thief is after a bigger target, they’ll persist until all their pieces are in place. But calling this a “threat” is silly. This is an attack. The threats are many, not advanced, and persistent – users susceptible to social engineering, a missing patch, a zero-day exploit – these are all threats we understand and work to mitigate. But threats are not attacks, and attacks are not threats.
Aside: Please abolish phrases like “low hanging fruit”. The systems you refer to are nothing more than less secure, unpatched, exposed systems – easy targets, if you want a phrase. Avoiding phrases like that is your silver bullet solution to clear communication.
Posted by: John T. Hoffoss on February 18th, 2010 at 3:45 pm