The big China hacking lesson: ditch IE

Accusations and counter-accusations continue to fly in the China-versus-Google-and-everyone-else hacking scenario, but there is one lesson everybody can learn: using an out-of-date version of Internet Explorer is asking for trouble.

Since Google revealed in a blog post last week that it was considering withdrawing from China after tracing attempted hacks on human rights activists’ email accounts to Chinese sources, an entire sub-industry has popped up dedicated to outlining in more detail the nature of the attacks, something Google itself was fairly opaque about. The network behind the attacks has been dubbed ‘Aurora’, but the name of the attackers is rather less interesting than the big-name technologies implicated in making it possible.

The first company to get fingered was Adobe, in part because the company confirmed that it had been subject to a similar attack in a blog post of its own. Unsurprisingly, Adobe itself didn’t suggest its own products were to blame — its post talks about unspecified “infrastructure improvements” to its own network — but other analysts saw potential issues.

However, Acrobat’s role quickly faded when it emerged that a previously undocumented zero-day vulnerability in Internet Explorer had also played a part in the attack. McAfee revealed the existence of that flaw in yet another blog post last week, after notifying Microsoft of the problem. Microsoft subsequently confirmed its existence and issued an advisory on the problem, though it hasn’t yet released a patch.

As with many IE flaws, staying up to date remains the best defence. Users of IE8 would have been unlikely to suffer from an attack based on exploiting the flaw, since the latest version of the browser has Data Execution Prevention (DEP) switched on by default and utilises Protected Mode.

Microsoft’s own analysis suggested that the attack vectors were largely via users running IE6, a browser which has been entirely discredited as a secure platform and which has also been the subject of repeated campaigns urging users to move on to newer versions. However, many corporate intranet applications have significant IE6 dependencies in their coding, meaning the browser remains in widespread use on business networks.
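One defensive check the argument above invites, added here as an example and not taken from the article or from any of the vendors it cites: a Windows PowerShell inventory of the three factors the text says decide exposure, namely the installed IE version, the system-wide DEP policy and whether Protected Mode is on for the Internet zone. The registry locations, the `2500` zone value and the WMI property it reads are assumptions drawn from Microsoft's documented locations rather than anything the article states.

```powershell
# Added example (not from the article). Reports the IE version, DEP policy and
# Protected Mode state of the local machine and lists the exposures discussed above.
# Assumed locations: HKLM\SOFTWARE\Microsoft\Internet Explorer (Version/svcVersion),
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy, and the Internet
# zone (zone 3) Protected Mode flag stored as value "2500" under HKCU.
function Get-IeExposure {
    # svcVersion is authoritative on IE10+; older releases only write Version.
    $ie  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $raw = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    $ieVersion = if ($raw) { [version]$raw } else { $null }

    # System DEP policy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default on client OS), 3 OptOut.
    $depMap = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $dep = $depMap[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Protected Mode for the Internet zone: 0 = enabled, 3 = disabled, absent = not set here.
    $zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction SilentlyContinue
    $pm = if ($zone -and $zone.PSObject.Properties['2500']) { [int]$zone.'2500' } else { $null }

    $findings = @()
    if (-not $ieVersion) {
        $findings += 'Internet Explorer not detected'
    } elseif ($ieVersion.Major -lt 8) {
        $findings += "IE $($ieVersion.Major) installed: predates the DEP-by-default behaviour of IE8; upgrade"
    }
    if ($dep -eq 'AlwaysOff') {
        $findings += 'DEP is AlwaysOff: no protection even for browsers that request it'
    } elseif ($dep -eq 'OptIn' -and $ieVersion -and $ieVersion.Major -lt 8) {
        $findings += 'DEP is OptIn and this IE version does not opt itself in'
    }
    if ($pm -ne 0) {
        $findings += 'Protected Mode not explicitly enabled for the Internet zone (requires Vista+ and IE7+)'
    }

    New-Object PSObject -Property @{
        IeVersion                 = $ieVersion
        DepPolicy                 = $dep
        ProtectedModeInternetZone = $pm
        Findings                  = $findings
    }
}

Get-IeExposure | Format-List
```

An empty Findings list means the machine matches the configuration the article describes as resistant; anything listed is a reason to prioritise that host for an upgrade.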

Calls to dump IE have gone up a notch since the announcement of the flaw. Germany’s national security agency has already advised German businesses to avoid IE, at least until a patch is available, describing it as a critical vulnerability.

“It seems that the guys from Microsoft Security Response team will be working overtime to release yet another out-of-band update for Internet Explorer,” Sophos researcher Vanja Svajcer commented in a blog post. “Let us hope they will be able to make it before exploits become widespread on malicious websites.” Or let us hope that users shift to a less vulnerable browser.