China attack on Google exploited Microsoft Internet Explorer flaw

“Microsoft has admitted that its Internet Explorer was a weak link in the recent attacks on Google’s systems that originated in China,” BBC News reports.

MacDailyNews Take: Why are the so-called geniuses at Google using the world’s worst browser? If you’re going to test for IE, test the POS in a safe, segregated manner; don’t use it for business.

The Beeb continues, “The firm said in a blog post on Thursday that a vulnerability in the browser could allow hackers to remotely run programs on infected machines. Following the attack, Google threatened to end its operations in China.”

“‘Based upon our investigations, we have determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks,’ said Microsoft’s Director of SecurityResponse Mike Reavey in the post,” The Beeb reports.

MacDailyNews Take: Director of Security Response for Microsoft. Busy guy.

The Beeb continues, “Security firm McAfee told news agency AFP that the attacks on Google, which targeted Chinese human rights activists worldwide, showed a level of sophistication above that of typical, isolated cyber criminal efforts.
McAfee’s vice-president of threat research Dmitri Alperovitch told AFP that although the firm had ‘no proof that the Chinese are behind this particular attack, I think there are indications though that a nation-state is behind it.'”

Full article here.

Jim Finkle reports for Reuters, “Google said on Tuesday that in mid-December, it detected an attack on its corporate infrastructure originating from China that resulted in the theft of its intellectual property. It eventually found that more than 20 other companies had been infiltrated.”

“McAfee said on Thursday that those who engineered the attacks tricked employees of the companies into clicking on a link to a website that secretly downloaded sophisticated malicious software onto their PCs through a campaign that the hackers apparently dubbed ‘Operation Aurora,'” Finkle reports.

“The programs allowed the hackers to take control of the PCs without the knowledge of their users, according to McAfee, which has been researching the matter on behalf of several companies involved in the attacks since late last week,” Finkle reports.

“McAfee’s Alperovitch declined to say which companies had hired McAfee, saying they had signed confidentiality agreements,” Finkle reports. “So far the only other victim to come forward is design software maker Adobe Systems Inc, which has said that it is still investigating the matter.”

Finkle reports, “Internet Explorer is vulnerable on all recent versions of the Windows operating system, including Windows 7, according to McAfee. Microsoft said attacks had been limited to IE6, an older version of the application.”

Full article here.

MacDailyNews Take: If you have a choice (i.e. no IT doofus standing over your shoulder dictating stupidity) and are still using Internet Explorer, STOP IMMEDIATELY! Go get yourself a real Web browser.

[Thanks to MacDailyNews Reader “Tom R.” for the heads up.]

26 Comments

  1. Some of us (by “us” I mean me) are stuck on IE 6 (yes, 6 (six)) because of corporate bureaucracy and IT self preservation. It’s really sad. All web sites here at work look like complete trash and every time I ask for anything at all as a substitute (Safari, Firefox, Chrome, etc…) IT laughs it off and won’t provide. It’s impossibly frustrating working on such inferior technology.

  2. What Googles considers a security flaw is what M$ sold to the chinese government as a security feature….don’t assume that other governments don’t do the same thing. As far Google knows…they have been hacked this one time in China or elsewhere.

    “M$: The authoritarianism/totalitarianism begins here”

    just my $0.02

  3. “The firm said in a blog post on Thursday that a vulnerability in the browser could allow hackers to remotely run programs on infected machines. Following the attack, Google threatened to end its operations in China.”

    Maybe they should end operations with Microsoft products instead?

  4. My IT security chief uses a very shrewd line of defense. There are many highly respected IT security companies that provide data on vulnerabilities on common applications (browsers, mail clients, IM/AV conference clients, productivity suites), as well as OSs. Very often (if not all the time), Safari seems to come up very high, even on top, with the total number of vulnerabilities. It certainly lists more than MSIE (we’re talking fully patched, of course). I find it extremely frustrating to argue with the guy. You can tell him a thousand times “How many exploits in the wild?!!!”, but he’ll keep going: “No, no, no… these are wide open vulnerabilities; anyone can hack tomorrow, then we’re screwed; I can’t take that risk”. How do you argue with such stubbornness? And I have no doubt, vast majority of IT security drones repeat the same mantra.

    I wonder how many of these high-profile breaches have to happen before you finally get to these people. I have yet to read an article about Safari (or Firefox) being the vector for a major security attack.

  5. Right, ron, because most corporate IT people are all unionized.

    (since it’s obvious you’re pretty much set on the “repeat what Rush Limbaugh says” mode – the above is SARCASM)

    Unions or not have nothing whatsoever to do with anything on this, it’s corporate groupthink (such as Predrag mentioned) and penny-wise-pound-foolish corporate management (that keeps buying more “cost effective” Dell products) that’s the issue.

  6. I would be one of those corporate “IT Drones” you speak of. I cannot stand I.E. We use Firefox exclusively but it doesn’t matter. My users still get nailed by malware online. Somehow Fake-AV always finds a way through and infects the desktop. We cannot use Safari because it does not render or work properly with many of our corporate software tools and systems. The best and only way to tackle this is have a good up to date AV on the desktop, Gateway Malware/AV detection and to educate (or strike fear into them!) your users to recognize when something is amiss and call you immediately.

  7. It is hard to believe that they got sucked into the Microsoft dark side. Did they not have their top guy on Apple’s board? Did he not learn anything their? Google could have at least had their people surfing with Safari and remove their administrative rights on those PC until they take a class in common scene or something.

    No. Just be safe and trash those Windows boxes and give them all a Mac mini!

  8. “…no IT doofus standing over your shoulder dictating stupidity…”
    I’m afraid so. I’m forced to use IE on a PeeSea at work. Sometimes I just can’t believe how crappy it is.

  9. @ Toasty –

    The Best way to avoid the issue is to use Macs instead of Windows systems ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.