Microsoft is releasing a patch to plug the Internet Explorer security hole exploited in a spate of cyber-attacks against Google and others.
Microsoft will release an out-of-band patch Jan. 21 to fix
the Internet Explorer vulnerability at the center of recent attacks on Google
and other enterprises.
According to Microsoft,
the patch is slated
to be ready around 1
p.m. EST. If all goes according to plan, the patch will close a
hole that has prompted
France and Germany to advise users to avoid IE
and the U.S. State Department to demand answers
Attackers have used the vulnerability to hit IE 6. Microsoft
so far has said it has only seen limited, targeted attacks using the
Meanwhile, security researchers have continued to uncover
information about the origin of the attack. Joe Stewart, director of
malware research for SecureWorks' Counter Threat Unit, said his analysis of the
code for the main Trojan involved in the attacks shows a more direct link
According to Stewart, the code includes a CRC
(cyclic redundancy check) algorithm implementation released as part
of a Chinese-language paper on optimizing CRC
algorithms for use in microcontrollers.
"This CRC -16
implementation seems to be virtually unknown outside of China,
as shown by a Google search for one of the key variables, 'crc_ta,'" Stewart
noted in a SecureWorks blog post
Jan. 20. "At the time of this
writing, almost every page with meaningful content concerning the algorithm is
Up until this finding, Stewart told eWEEK, the factors leading
people to point to China
were patterns similar to previous Chinese malware.
"Unfortunately, when investigating malware, nothing is
conclusive because digital evidence can be forged," he said. "However,
I believe the use of the Chinese algorithm certainly gives more credence to the
attack code being Chinese in origin."
Researchers at Symantec noted seeing the Hydraq
used in an attack campaign in July 2009 that spread using vulnerabilities in
Adobe Reader, Acrobat and Flash Player. Attack code for the IE vulnerability
meanwhile was observed circulating the Web the week of Jan. 11 by McAfee. So
far, IE 6 is the only version of the browser that is known to have been
successfully targeted by attackers.
Security developed an exploit that worked on IE 8
and bypassed DEP
(Data Execution Prevention) protections. The best defense for those worried
"Microsoft has no choice but to release an out-of-band
patch for this; with France and Germany having issued notices warning people of
the perils of using Microsoft's Internet Explorer, the exploit's role in
compromising Microsoft's 'archrival' Google, among others, and widespread
press coverage, Microsoft found itself in a precarious position," said
Josh Phillips, virus researcher with Kaspersky Lab.
"On top of the
widespread publicity, public release of the exploit has led to the discovery
that under certain conditions, even the latest versions of Internet Explorer
are exploitable when running on Windows Vista and Windows XP."