I've read with interest the recent developments regarding the "Aurora" exploit code. As you are probably aware this code exploits a vulnerability in Microsoft's Internet Explorer. Microsoft recently released an out-of-band patch to close off this vulnerability. Very soon after, we are seeing reports that the first widespread attacks that attempt to exploit this vulnerability have surfaced.
Anything unusual about this situation? Not really....
But I can't but help feeling a sense of deja vu. In October 2008 a vulnerability was discovered in some of Microsoft's operating systems. The vulnerability was deemed serious enough to warrant a critical, out-of-band patch release in late October. The patch was called MS08-067. On the exact same day that the patch was released, exploit code was published. A few other examples of exploit code was seen and in late November the first examples of a new worm was discovered. That worm was called Conficker. It is well known & well documented that Conficker (and its variants) went on to wreak havoc around the world, and is still consistently found in most anti-virus vendor's top malware lists today. In fact, the Conficker Working Group are still seeing around 6.5 million infected hosts at the moment.
One of the main frustrations we in the research community had with Conficker was the fact that, had everybody ensured that they had installed that MS08-067 patch from Microsoft when (or very soon after) it was released, Conficker would not have made the impact that it did (and still does!). Yes, it can also spread through other vectors such as removable drives & network shares, but far, far fewer systems would have been infected, had they had the patch installed on them.
So here we are again. We have a very high profile vulnerability that Microsoft has released a critical "drop everything and install it NOW" patch. And of course, we have the bad guys jumping on the band wagon trying to take advantage of the vulnerability as soon as possible.
The big question is: have we learnt from our mistakes with Conficker? Will the patch be applied universally and without delay, as it should? I can't help wonder if we will go through another "Conficker" episode.... I guess only time will tell!
OK, I hear you saying "But this vulnerability affects browser software, not an operating system, and the exploit code only works on an older version of Internet Explorer (IE6)". That's true, but Internet Explorer has a vast user base and there are still many systems running IE6. Also, it seems this exploit code may be modified to work on the later versions of Internet Explorer as well.
So we'll see if I'm right about this one. To be honest, I really hope I'm wrong!
Craig Johnston
Senior Cybercrime Research Analyst
