In association with heise online

19 January 2010, 11:42

Targeted attacks on businesses continue

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Adobe Logo The Internet Explorer vulnerability used for the attacks on Google may be the talk of the town right now, but danger also looms from other directions, in the form of specially crafted PDF files. Although Adobe released an update for its free Reader last week, criminals and spies are continuing to take advantage of the fact that not all users and companies have installed the updates.

F-Secure is reporting an attack on a US company which performs contracts for the US Department of Defence. Last week attackers, believed to be from Taiwan, sent the company a deceptively genuine-looking document which exploits a known vulnerability (doc.media.newPlayer) in Adobe Reader to install a back door on a Windows PC. The update from Adobe fixes precisely this vulnerability.

However, there is still no update available for the vulnerability in Internet Explorer. Following the advice from the German Federal Office for Information Security (BSI), the French (CERTA) and Australian CERTs are also now warning against using the Microsoft browser and recommend the use of alternative products. An exploit for the vulnerability is now openly circulating. The vulnerability exploits a bug in Microsoft's mshtml.dll HTML Viewer library which occurs when processing specific JavaScript event objects.

Some German companies, for example, have already reacted by banning staff from surfing with Internet Explorer. Although Microsoft has published workarounds, such as enabling data execution prevention (DEP) and disabling active scripting, the average user is likely to have problems following the steps required – assuming they are even aware of the problem. There have not yet been any reports of generally available websites exploiting the vulnerability.

Google is meanwhile investigating whether staff from its Chinese operation may have been involved in the attacks. The company is reported to be analysing the networks at its Chinese subsidiary for traces of the back door trojan used in the attacks. McAfee, which published the first analysis of the Aurora attacks, has dubbed the malware involved Exploit-Comele and Roarur.dr and released signatures for these pieces of malware. Other anti-virus vendors (assigning their own names to the malware) have also released signatures for detecting this exploit.

See also:

(crve)

Print Version | Send by email | Permalink: http://h-online.com/-907696
 


  • July's Community Calendar





The H Open

The H Security

The H Developer

The H Internet Toolkit