The Tech Herald

Internet Explorer ZeroDay and Adobe flaw led to Google attack (Update)

by Steve Ragan - Jan 14 2010, 22:16

Update:

Microsoft has issued an advisory on the ZeroDay: "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected."

With that said, "Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

The vulnerability exists, Microsoft explained, as an invalid pointer reference within Internet Explorer, in other words a use-after-free condition.

“It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”
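The advisory's description above is the general shape of a use-after-free: a reference to an object survives the object's deletion, the freed memory is handed to a later allocation the attacker controls, and the stale reference is then dereferenced. The following C program is an added illustration of that pattern, not code from the article, from Microsoft, or from the actual Internet Explorer bug; it uses a constructed toy heap (fixed-size slots with a LIFO free list) and an element type with a function pointer standing in for a vtable entry, and contrasts the vulnerable raw-pointer pattern with a hardened one that validates a generation-tagged handle before use. The names `toy_heap`, `element`, `demo_vulnerable` and `demo_hardened` are all assumptions of this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy heap for this example, not IE's allocator: same-size slots
   and a LIFO free list, which is the property that lets a freed object's
   memory be handed straight back to the next same-size allocation. */
#define NSLOTS 4

typedef int (*handler_fn)(void);

/* A DOM-element-like object: the first field is a function pointer standing
   in for a vtable entry the engine calls when an event is delivered. */
typedef struct { handler_fn on_event; int id; } element;

typedef union { element e; unsigned char raw[sizeof(element)]; } slot;

typedef struct {
    slot slots[NSLOTS];
    unsigned gen[NSLOTS];      /* bumped on every free; used by the hardened path */
    int free_stack[NSLOTS];
    int nfree;
} toy_heap;

static void heap_init(toy_heap *h) {
    memset(h, 0, sizeof *h);
    for (int i = NSLOTS - 1; i >= 0; i--) h->free_stack[h->nfree++] = i;
}
static int toy_alloc(toy_heap *h) {            /* returns a slot index, -1 if full */
    return h->nfree ? h->free_stack[--h->nfree] : -1;
}
static void toy_free(toy_heap *h, int idx) {
    h->gen[idx]++;                              /* slot now belongs to a new generation */
    h->free_stack[h->nfree++] = idx;            /* LIFO: the next alloc gets this slot back */
}

static int legit_handler(void)    { return 1; }
static int attacker_handler(void) { return 0xdead; }   /* stands in for shellcode */

/* Attacker-controlled allocation that reclaims the freed slot and writes a
   chosen value where the function pointer used to be (the "spray" step). */
static void attacker_reclaims(toy_heap *h) {
    int idx = toy_alloc(h);
    handler_fn evil = attacker_handler;
    memcpy(h->slots[idx].raw, &evil, sizeof evil);
}

/* Vulnerable pattern: a listener keeps a raw pointer to the element, the
   element is deleted, and the stale pointer is dereferenced afterwards. */
static int demo_vulnerable(void) {
    toy_heap h; heap_init(&h);
    int idx = toy_alloc(&h);
    element *el = &h.slots[idx].e;
    el->on_event = legit_handler; el->id = 7;
    element *stale = el;              /* reference kept after the object dies */
    toy_free(&h, idx);                /* object deleted */
    attacker_reclaims(&h);            /* same-size allocation lands in the slot */
    return stale->on_event();         /* use after free: runs attacker_handler */
}

/* Hardened pattern: references are (slot, generation) handles validated
   before use, so a reference to a deleted object can no longer resolve. */
typedef struct { int idx; unsigned gen; } handle;

static element *resolve(toy_heap *h, handle hd) {
    if (hd.idx < 0 || hd.idx >= NSLOTS || h->gen[hd.idx] != hd.gen) return NULL;
    return &h->slots[hd.idx].e;
}
static int demo_hardened(void) {
    toy_heap h; heap_init(&h);
    int idx = toy_alloc(&h);
    handle hd = { idx, h.gen[idx] };
    element *el = resolve(&h, hd);
    el->on_event = legit_handler; el->id = 7;
    toy_free(&h, idx);
    attacker_reclaims(&h);
    el = resolve(&h, hd);             /* generation mismatch: NULL */
    return el ? el->on_event() : -1;  /* -1 means the stale reference was rejected */
}

int main(void) {
    printf("vulnerable: 0x%x  hardened: %d\n", demo_vulnerable(), demo_hardened());
    return 0;
}
```

The vulnerable path returns the attacker's value because the LIFO free list hands the deleted element's slot to the very next same-size allocation; the hardened path refuses the stale handle because the slot's generation moved on when it was freed. Real browser mitigations work on the same principle, making a deleted object's memory unreachable or unreusable through references that outlived it.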

Original Article:

There is more information pouring in surrounding the attack on Google. According to several security sources familiar with the matter, and statements made by both McAfee and Adobe, a vulnerability in Internet Explorer, possibly combined with malicious PDF files, led to the attack on Google and twenty other companies.

“In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer… Internet Explorer is vulnerable on all of Microsoft’s most recent operating system releases, including Windows 7.” said McAfee’s George Kurtz.

A spokesperson from Microsoft told The Tech Herald that they are “investigating these reports and will provide more information when it is available.”

On the same day Google told the public about the attack on their systems, Adobe detailed an attack of their own.

“Adobe became aware on January 2, 2010 of a computer security incident involving a sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies. We are currently in contact with other companies and are investigating the incident. At this time, we have no evidence to indicate that any sensitive information--including customer, financial, employee or any other sensitive data--has been compromised,” the company said in a January 12 statement.

When first asked, Adobe's initial position was that the Google incident and the one it was investigating were not related.

In a statement to The Tech Herald, Wiebke Lips, Senior Manager, Corporate Communications for Adobe, added: "The two incidents appear to be related given the timing of the discoveries. However, until the investigation is completed, we won't be able to confirm. The investigation into the incident is still ongoing."

McAfee says it has been working with multiple organizations impacted by the attack, as well as with government and law enforcement. It says the incident originated as a targeted attack on several key people, chosen for their access to sensitive information and intellectual property.

Based on McAfee's statements, the attack started like any other targeted attack. The victims would have trusted the source, for instance an email appearing to come from a known associate or from a company such as Google, and from there would have been lured into opening the malicious attachment. Combined with the Internet Explorer ZeroDay, the malware delivered would have handed control of the system to the attacker.

McAfee said that nothing they have seen shows “…a vulnerability in Adobe Reader being a factor in these attacks.”

“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios. So there very well may be other attack vectors that are not known to us at this time,” Kurtz said.

Adobe backed McAfee's assessment by adding, "We are continuing our investigation into the incident, but to date, none of the work done by Adobe or any third party has uncovered evidence to indicate that Adobe technology was an attack vector," in a blog post.

However, until the investigation is complete, the Adobe factor remains open to debate. If a malicious PDF file was used to deliver a malicious payload, it would not be the first time that has happened.

Most of the speculation over the Adobe tie-in to the Google attacks centers on the ZeroDay PDF flaw recently patched, which was discovered in December. Adding to this is the report from VeriSign's iDefense security lab, which said that a malicious PDF was the source of the compromise. This report was disputed by Adobe.

Since Tuesday, the number of companies attacked has grown from the twenty Google mentioned to thirty-four, based on information given to the Washington Post. Among those named by the Post were Yahoo, Symantec, Northrop Grumman, and Dow Chemical; however, none of them would confirm the claims.

The Post's mention of Northrop Grumman is interesting, because Northrop Grumman prepared the report for the US-China Economic and Security Review Commission that detailed the technical efforts of the Chinese government, now more than a decade into a military modernization program that has transformed its ability to fight high-tech wars.

However, many experts say there is no proof that the Chinese Government was directly responsible for the attacks. 

At the same time, the aforementioned iDefense report says otherwise, noting, "The source IPs and drop server of the attack correspond to a single foreign entity consisting either of agents of the Chinese state or proxies thereof."

Those involved with the investigation are split on who is to blame, but at the same time they want answers. Even the U.S. State Department is waiting.

“We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation,” said Secretary of State, Hillary Rodham Clinton in a statement.

For now, information is moving at a snail's pace, and the comments from both security and government pundits are pointing to the attack on Google as proof that no business is safe from targeted or “advanced persistent threats”.

Moreover, it bears repeating that attacks like this happen all the time; the only reason this one is making news is that Google is involved. While the attack is serious, as is the use of ZeroDay exploits, there is nothing new about it.

As more information is presented, we’ll keep you updated. Previous story is here.

[The original story was edited to reflect statements and information from Adobe.]
