Code used to attack Google made public

According to a report from ITWorld, the code used late last year to attack Google in China has now been made public on the internet, and has already been used in at least one hacking tool since its release.

On Thursday the code was submitted for analysis on the Wepawet malware analysis web site, which made it available around the internet. Shortly after the code's release it was integrated into one hacking tool available online, and could be seen around the internet, said Dave Marcus, director of security research and communications at McAfee.

The exploit, which uses a security flaw in Internet Explorer 6, is very easily reproducible on a machine running Windows XP, even if fully up to date. The malicious code could also be modified to work on more recent versions of Internet Explorer, Marcus went on to say. The code could be used to run unauthorized software on a computer by fooling its user into viewing a maliciously coded webpage.

The same exploit was allegedly used to attack Google and 33 other companies in December last year and gain access to internal data and systems. According to Symantec and Juniper Networks, who performed an independent investigation, Yahoo was also attacked using the flaw.

On Thursday, Microsoft issued a security advisory on the IE flaw and may release an out-of-cycle patch to fix the problem. The next release of security patches is not until February 9th, giving hackers up to three weeks to further use the exploit, although security researchers have said that it is very hard to perform the attack on Windows 7 or Vista machines due to the advanced memory protection.

The flaw is so easily exploited that Germany's federal IT security agency, the Federal Office for Information Security, advised users to avoid Internet Explorer until the exploit is patched.

25 Comments

For the people that still use Windows XP....fine, I get the fact that going to a new OS doesn't make sense either financially or practically but continuing to use IE6 is just ignorant, no offence. You are being told left and right how dangerously flawed IE6 is security-wise and if you continue to use it, not only are you putting yourself at great risk but you are setting a bad example. So, do yourself a favour and click the download button for IE8 and for the love of God open your eyes more and listen to advice.

I think Microsoft has to take some of the blame for things like this, and not just the average end-user. At the end of the day I think Windows should be nagging the users like hell, and even auto-updating IE in some cases when issues like this exist. There is absolutely no reason whatsoever why the average user should still be using IE6.

There are some reasons why companies want to keep using it, with certain internal/specialised websites only working in IE6, but at least these companies have a dedicated IT team who will apply the critical patches.

"Microsoft issued ... an out of cycle patch ..."

Sounds like Microsoft is saying that they will make one of the functionality (a "bug") in all IE as an obsolete function; nullifying it. Sounds very serious. Microsoft seems to never really do this when they promise a patch. They've always left the flaw in the IE for several updates till it is perfectly secured. Let's see if things changed this time.

still1 said,
66% use xp so they should patch it asap.

What percent uses IE 6?

The exploit, which uses a security flaw in Internet Explorer 6.

Probably not enough. Simple fix, upgrade IE.

Intelman said,

What percent uses IE 6?
Probably not enough. Simple fix, upgrade IE.


I agree... but there are people who still use IE6 who are adamant about moving to new IE.
We tech people move to latest very quickly but not everyone.

Leo said,
Some of you actually blame it on the user for not upgrading?

Yes. New versions contain security patches.

It would be like if users continued to use Firefox 1.5 and Chrome 1.0. They have major security issues and philosophies that were fixed in newer versions.

http://support.microsoft.com/gp/lifepolicy

Edited by ObiWanToby, Jan 16 2010, 4:13pm :

Leo said,
Some of you actually blame it on the user for not upgrading?

Yes. Why not? That's like blaming an old aged tire for giving out and causing you to crash on the tire when it's your fault for not getting new ones.

If this was some big exploit in say, FF 2.0 or 3.0, I bet, sure as heck, all the FF fans would be on the users backs for not upgrading to the newest version all this time.

Intelman said,

Yes. New versions contain security patches.

It would be like if users continued to use Firefox 1.5 and Chrome 1.0. They have major security issues and philosophies that were fixed in newer versions.

http://support.microsoft.com/gp/lifepolicy

My school's computers still have Firefox 1.0.5 it is laughable on the XP machines. Even on the iBooks it still uses Firefox 1.0.2 the latest. What's the big deal with upgrading Firefox to say the least. The IT guy thinks everything will break with one update yet the machines go off on their own because of automatic updates wtf?

This is what is annoying, Internet Explorer 6 and Windows XP. They are both years out of date, does anybody really expect Microsoft to patch their products forever?

People need to start updating, even if they do not want to pay for Windows updates they can at least go to another browser or released an update to the latest version.

Well unfortunately a lot of people still have older machines with XP because they don't have the money or won't invest in a newer computer. If you could upgrade to 7 and get the same performance and driver support for legacy devices that would be nice, but not practical. Oh well :(

I doubt the problem is the users' computers.
I would blame the IT teams of some companies. Yeah, it's hard to update to a newer browser, but you can always switch to Firefox!
Even though IT teams should be respected, I've seen way too many workplaces with IE6 and XP. A respectable IT team *cares* about the company's security.

stevember said,
This is what is annoying, Internet Explorer 6 and Windows XP. They are both years out of date, does anybody really expect Microsoft to patch their products forever?

People need to start updating, even if they do not want to pay for Windows updates they can at least go to another browser or released an update to the latest version.

You're right, and I agree. It's no surprise IE6 and XP are attacked, they're so old and MS has moved on. Is it shocking how IE8 and win7 can't get hit by this unless you turn specific security features off? I don't think so.

Sure people may not have enough to upgrade or buy a new PC, but XP was 2002, you can't save a bit every month and manage around $400 or so for a newer low end PC with Win7 and IE8 after all these years?

Edited by George P, Jan 16 2010, 12:19pm :

GP007 said,

You're right, and I agree. It's no surprise IE6 and XP are attacked, they're so old and MS has moved on. Is it shocking how IE8 and win7 can't get hit by this unless you turn specific security features off? I don't think so.

Sure people may not have enough to upgrade or buy a new PC, but XP was 2002, you can't save a bit every month and manage around $400 or so for a newer low end PC with Win7 and IE8 after all these years?

Not everyone bought their computer in 2002. Some people were buying new pc's with XP on it right up until the end of last year and maybe still now. If you have someone telling someone else that doesn't know anything about computers that XP is the best and the rest still aren't good enough. They're still going to buy it. I'd never tell anyone to buy XP. I tell people the truth, 7 is the best. The point is that you can't assume everyone bought their computer when the OS was released therefore having time to save up. Some people have other stuff to worry about than investing in a computer too. If it isn't broke, don't fix it. It's still working for them so they're sticking with what they got.

dogmai said,
If it isn't broke, don't fix it. It's still working for them so they're sticking with what they got.

Exactly. Only computer enthusiasts would replace their current, working hardware and software.
Most users are not really interested at all in their computer setups, just on what they are doing with them, and as long as they are able to keep doing that you'll have a hard time convincing them to shell out any more cash.

dogmai said,

Not everyone bought their computer in 2002. Some people were buying new pc's with XP on it right up until the end of last year and maybe still now. If you have someone telling someone else that doesn't know anything about computers that XP is the best and the rest still aren't good enough. They're still going to buy it. I'd never tell anyone to buy XP. I tell people the truth, 7 is the best. The point is that you can't assume everyone bought their computer when the OS was released therefore having time to save up. Some people have other stuff to worry about than investing in a computer too. If it isn't broke, don't fix it. It's still working for them so they're sticking with what they got.

Even so, and if they're stuck with XP, they can at least upgrade to IE8. And chances are they have hardware DEP as well, and it should be on by default. In the end, the reason to still use outdated software like IE6 is losing any excuse it had. My point was that people should upgrade, MS asks them to upgrade and does as much as they can aside from forcing a new IE down AU to them. If you still don't upgrade because "it works so why bother" then you only have yourself to blame if you get hit with a problem.

KSib said,
Well unfortunately a lot of people still have older machines with XP because they don't have the money or won't invest in a newer computer. If you could upgrade to 7 and get the same performance and driver support for legacy devices that would be nice, but not practical. Oh well :(

XP Mode.