Code Used To Attack Google Now Public

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

Thank god I run IE4!

[Peter+Steil]

Seems like running IE4 on windows 95 has paid off....finally! Now if only active desktop worked properly...

Re:This is shocking!

[eihab]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.

I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Video of the Exploit in Action

[danielkennedy74]

The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese Nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Re:Example?

[eihab]

Can you give us some of those "good reasons"?

I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.