Can We Learn From Our Mistakes?

I've read with interest the recent developments regarding the "Aurora" exploit code. As you are probably aware, this code exploits a vulnerability in Microsoft's Internet Explorer. Microsoft recently released an out-of-band patch to close off this vulnerability, and very soon after, reports surfaced of the first widespread attacks attempting to exploit it.

Anything unusual about this situation? Not really….

But I can't help feeling a sense of déjà vu. In October 2008 a vulnerability was discovered in some of Microsoft's operating systems. It was deemed serious enough to warrant a critical, out-of-band patch release in late October; the patch was called MS08-067. On the very day the patch was released, exploit code was published. A few other examples of exploit code were seen, and in late November the first examples of a new worm were discovered. That worm was called Conficker. It is well known and well documented that Conficker (and its variants) went on to wreak havoc around the world, and it is still consistently found in most anti-virus vendors' top malware lists today. In fact, the Conficker Working Group is still seeing around 6.5 million infected hosts at the moment.

One of the main frustrations we in the research community had with Conficker was that, had everybody installed the MS08-067 patch from Microsoft when (or very soon after) it was released, Conficker would not have made the impact that it did (and still does!). Yes, it can also spread through other vectors such as removable drives and network shares, but far, far fewer systems would have been infected had the patch been installed on them.

So here we are again. We have a very high-profile vulnerability for which Microsoft has released a critical "drop everything and install it NOW" patch. And of course, we have the bad guys jumping on the bandwagon, trying to take advantage of the vulnerability as soon as possible.
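As an added example (not part of the original post), here is a PowerShell check a Windows administrator can run to find which hosts are still missing a required security update, which is the practical question behind both the Conficker story and the current one. The KB numbers are assumptions taken from the respective Microsoft bulletins rather than from this post: KB958644 is the MS08-067 package, and KB978207 is the MS10-002 Internet Explorer cumulative update that closes the Aurora vulnerability; substitute whatever your own environment requires.

```powershell
# Added example: report which required security updates are missing on one or more hosts.
# Assumptions (not from the post): KB958644 = MS08-067 package, KB978207 = MS10-002 IE update.
param(
    [string[]]$RequiredKBs  = @('KB958644', 'KB978207'),
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering on the target host.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
            Select-Object -ExpandProperty HotFixID
    } catch {
        # An unreachable host is reported, not silently treated as patched.
        Write-Warning "Could not query $computer : $_"
        continue
    }

    foreach ($kb in $RequiredKBs) {
        $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        [pscustomobject]@{
            Computer = $computer
            KB       = $kb
            Status   = $status
        }
    }
}
```

Save it under any name (say, Check-RequiredKBs.ps1, a hypothetical file name) and run it as `.\Check-RequiredKBs.ps1 -ComputerName srv1,srv2`. One caveat a practitioner should keep in mind: Win32_QuickFixEngineering only lists updates installed through the Windows update mechanism, so a "MISSING" line is a prompt to confirm against your patch-management records or the version of the patched binary (for MS08-067, netapi32.dll), not proof on its own that the host is unpatched.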

The big question is: have we learnt from our mistakes with Conficker? Will the patch be applied universally and without delay, as it should be? I can't help wondering whether we will go through another "Conficker" episode…. I guess only time will tell!

OK, I hear you saying, "But this vulnerability affects browser software, not an operating system, and the exploit code only works on an older version of Internet Explorer (IE6)." That's true, but Internet Explorer has a vast user base and there are still many systems running IE6. Also, it seems this exploit code can be modified to work on later versions of Internet Explorer as well.

So we'll see if I'm right about this one. To be honest, I really hope I'm wrong!

Craig Johnston
Senior Cybercrime Research Analyst, ESET

  • Chuck

    To Whom It May Concern:
    At an ESET analyst's recommendation, I'm now receiving SANS alert bulletins. In one, today, it links to the
    Microsoft Security Response Center Partners program. At that MS site are listed security software vendor
    partners. I could not find ESET on this list.
    To me, a lowly PC home customer, this list says these are the vendors who are working with Microsoft
    to protect my system. These guys are your competitors. Is there some business or technical reason
    why ESET doesn't also appear on this list?

    • Chuck, we work with Microsoft and with other vendors in a wide variety of forums and contexts.

      I don’t know whether we have any active involvement with MAPP at the moment – I know from other such initiatives that such lists are not always fully accurate and up-to-date. If we don’t, I don’t know what the reasons for that would be. However, I’ll check it out. But it would be naive to draw any negative conclusions from this list about our commitment to protecting our customers, or to working in partnership with other researchers.

      • I can now confirm that ESET is, in fact, a member of MAPP.


Copyright © 2017 ESET, All Rights Reserved.