R.I.P. IE6

Targeted and sophisticated attacks against Google, Adobe, and Juniper used an unpatched vulnerability in Internet Explorer to breach computers. These incidents are receiving a lot of media attention, largely because of the size and notability of the companies affected. France, Germany and now Australia have issued guidelines and urged users to switch to other browsers until a patch is available from Microsoft. Others who “really” don’t like Internet Explorer have gone as far as creating an obituary notice of Internet Explorer 6’s death – www.ripie6.com

In the particular attack on Google, a flaw in Internet Explorer 6, 7 and 8 allows a web-based attack on the following operating systems: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. According to Microsoft's security advisory, however, the company has only seen active attacks against IE 6 so far. Microsoft has also issued a workaround fix that enables DEP (Data Execution Prevention) on all versions of Internet Explorer (http://support.microsoft.com/kb/979352). If the exploit is successful, encrypted malware is downloaded onto the affected computer. The malicious binary payload “Aurora” consists of backdoor routines that give the attacker access to the victim’s computer. Details about the vulnerability, exploit and the payload will be discussed in a subsequent article.

I do not use Internet Explorer myself unless web sites use features such as ActiveX controls, which require the use of Internet Explorer and do not work with other browsers. I am not recommending or suggesting that Internet Explorer users switch to web browsers such as Mozilla Firefox, Apple Safari or Google Chrome. Most companies stick with IE 6 to avoid the costs of rewriting and testing their applications on upgraded versions or different browsers altogether. Users who are unfamiliar with configuring and managing the replacement browser will want to continue using IE 6 for the ubiquitous standard it has set. But with the changing threat landscape, a lot more than financial information is at stake. The cost of recovering from stolen intellectual property (confidential company information, non-financial customer information and so on) would be greater than the effort required to switch to secure and patched browsers. Besides, it raises questions about the company’s competence to secure data and information from intruders. With a combination of multiple security vulnerabilities, an aging set of features and the emergence of more modern browsers, Internet Explorer 6 has started to look vulnerable.

In the current threat landscape, web-based attacks need not exploit browsers alone. Many other applications that browsers interact with may also be targeted. Ultimately, it is the owner’s responsibility to update their systems, applications and browsers with the latest versions/patches and avoid using legacy versions.

Tasneem Patanwala

Malware Researcher