red aurora Microsoft has acknowledged a so-called zero-day vulnerability in Microsoft Internet Explorer was used in attacks on Google and 20 or more other companies doing business doing business in China. Microsoft’s notification about the flaw coincided with a public statement from computer security firm McAfee, describing the bug and how it was used to target Google and other corporate networks.
The flaw impacts all officially supported combinations of Microsoft’s Internet Explorer browser and Windows operating system, with the sole exception of using very-old Internet Explorer 5.01 on Windows 2000 Service Pack 4. That means that essentially anyone using Internet Explorer 6, 7, or 8 on Windows 2000 SP4, Windows XP, Windows Vista, Windows 7, and Windows Server is vulnerable to the problem, across both 32- and 64-bit versions of the operating systems.
Attackers—which VeriSign’s iDefense has identified as the Chinese government or agents thereof—exploited the flaw by sending messages to targeted Google employees, forged to look like they were from a trusted source. If a user clicked a malicious link in the message, the users’ computers were compromised, downloading and installing backdoor software that enabled attackers to gain complete control of the computer. Presumably, from there, attackers monitored computer usage and data in an effort to obtain passwords and other valuable information.
McAfee is dubbing the attacks against Google and other companies’ operations in China “operation Aurora” because the word “Aurora” appears in file paths included in two of the malware binaries associated with the attack. The pathname would presumably have come from the attackers’ systems. McAfee describes “Operation Aurora” as a coordinated, highly targeted attack going after high profiled companies and their intellectual property, coordinated to take place while many employees were away on December holidays to maximize the amount of time the attack could operate. “All I can say is wow,” wrote McAfee CTO George Kurtz. “The world has changed. Everyone’s threat model now needs to be adapted to the new reality of these advanced persistent threats.”
