Code Used To Attack Google Now Public

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

This is shocking!

[eihab]

The attack is very reliable on Internet Explorer 6 running on Windows XP ...
That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems

Google has employees running XP/IE6???

The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare accessing anything with IE6 (especially with reputable sites being hacked and all).

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

This is a shocker!

Re:This is shocking!

> Google has employees running XP/IE6???
Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."

Re:This is shocking!

[eihab]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.

I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Re:This is shocking!

[tixxit]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.

Thank god I run IE4!

[Peter+Steil]

Seems like running IE4 on windows 95 has paid off....finally! Now if only active desktop worked properly...

"Aurora" IE Exploit Used Against Google in Action

[Proudrooster]

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Yawn, another unpatched MS browser exploit.

I hear there are several more for sale...

Video of the Exploit in Action

[danielkennedy74]

The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese Nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Re:Example?

[eihab]

Can you give us some of those "good reasons"?

I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.