Don't Kill the Messenger: Blaming IE for Attacks is Dangerous

In the wake of the attacks in China it has been determined that a zero-day flaw in Microsoft's Internet Explorer Web browser is one of the primary exploits used to compromise target systems. Germany, and now France, feel the solution is easy--stop using Internet Explorer. This simplistic approach is shortsighted and may create a false sense of security.

Blaming Internet Explorer

The attacks against Google, and an array of other private corporations, political activists, and international journalists, which have led Google to consider shutting down operations in China completely, did use Internet Explorer as an attack vector.

McAfee CTO George Kurtz explains on his blog "In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer."

It is worth noting that Kurtz used the phrase "one of the malware samples", implying that there are others and that additional attack vectors may be involved. There is a fair chance that Internet Explorer is not alone in enabling the attacks.

I asked Kurtz about initial speculation that the Adobe Reader zero-day exploit patched by Adobe last week was involved. He responded, "We have heard the rumors but have not confirmed nor analyzed any malware specific to these attacks that used Adobe Reader. I can only comment on the malware we have examined and there certainly could be other pieces of malware that have not yet been discovered. Additionally, it is common for an attacker to leverage one point of access as a pivot point, and attack other internal systems with different exploits specific to that operating system or application."

False Sense of Security

I asked Kurtz about the irony that Google, makers of the Chrome Web browser, could be compromised by a flaw in Internet Explorer. Shouldn't Google be using Chrome?

Kurtz replied "It is easy to come to that conclusion, but IE is ubiquitous and is used in almost every corporation. Keep in mind, there are many enterprise applications that only work with IE--so it is difficult to just mandate an alternate browser even if you are the creator of that browser."

Still, the problem with adopting the "abandon Internet Explorer" defense as a strategy is that it creates a false sense of security. Other browsers, applications, and operating systems can be breached as well--especially by attackers with a dedicated mission and sophisticated resources.

At the CanSecWest conference last year the Mac OS X operating system was compromised in a matter of seconds for the Pwn2Own contest using a zero-day exploit for the Safari Web browser. In an interview following the contest, the winner explained that "It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it."

While research indicates that the Internet Explorer zero-day used in the attacks could be used on any version of Internet Explorer, even on Windows 7, the initial investigation suggests that the systems targeted were actually using Internet Explorer 6 on Windows XP. Simply using a current operating system and a current Web browser would have afforded significantly more protection.

A Brave New World

More than demonstrating why organizations and users around the world should abandon Internet Explorer, the attacks in China represent a dangerous evolution in attack strategy.

Andrew Storms, Director of Security Operations for nCircle, told me "This breach really brings home a lot of the things the security community has been talking to itself about for the last 18 months or more. We keep saying that security has to involve the entire enterprise, it can't be the responsibility of the IT department and be effective. Those crazy security guys can't save everyone anymore, not even with every high tech security tool in the world."

"What makes this attack unique is the targeted nature and the fact that Google--a tech giant--came out and discussed this breach. I think corporations now realize that Advanced Persistent Threats (APTs) that target core intellectual property are no longer just relegated to the realm of the Government," said Kurtz.

New Attacks Require New Defenses

nCircle's Storms believes that one "lesson from this breach is that antivirus software really is dead. For quite a while it's been the least effective tool in the IT enterprise security toolset because it's only effective against known malware. It only takes one piece of customized malware to infiltrate your network."

In my e-mails with Kurtz he wasn't as bold about declaring the death of antivirus tools, but he did suggest a new approach as well. "There are technologies like whitelisting--McAfee Application Control, that would have prevented successful exploitation of this zero day and many others--without signatures. Companies really need to start augmenting their blacklisting with whitelisting protection technologies."

Organizations that adopt Windows 7 and Windows Server 2008 can leverage similar whitelisting controls by using AppLocker to restrict the applications that are allowed to run, and blocking all others.
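
The difference between the two approaches Storms and Kurtz describe can be shown with a small model. This is an added example, not code from the article or from any product it names: the byte strings are constructed stand-ins for executables, the rules match on file hash only, and the function names are hypothetical. It is a simplified model, not AppLocker's or McAfee Application Control's rule format.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for executable files.
SAMPLES = {
    "known_malware": b"MZ constructed known-bad sample, build 1",
    "custom_malware": b"MZ constructed known-bad sample, build 2",  # recompiled variant
    "browser": b"MZ constructed approved browser",
    "office_app": b"MZ constructed approved office application",
    "unapproved_tool": b"MZ constructed benign tool nobody approved",
}

# Blacklisting: deny what has been seen before, run everything else.
BLOCKLIST = {sha256(SAMPLES["known_malware"])}
# Whitelisting: run what has been approved, deny everything else.
ALLOWLIST = {sha256(SAMPLES["browser"]), sha256(SAMPLES["office_app"])}

def blocklist_decision(binary: bytes) -> str:
    return "deny" if sha256(binary) in BLOCKLIST else "allow"

def allowlist_decision(binary: bytes, audit_only: bool = False) -> str:
    if sha256(binary) in ALLOWLIST:
        return "allow"
    # Audit mode records what would be blocked without stopping it,
    # which is how a policy is tuned before enforcement is switched on.
    return "audit" if audit_only else "deny"

def compare(samples: dict) -> dict:
    # Map each sample name to (blocklist verdict, allowlist verdict).
    return {
        name: (blocklist_decision(data), allowlist_decision(data))
        for name, data in samples.items()
    }

if __name__ == "__main__":
    for name, (bl, wl) in compare(SAMPLES).items():
        print(f"{name:16} blocklist={bl:5} allowlist={wl}")
```

The customized sample passes the blocklist because its hash has never been seen, while the allowlist denies it by default. The cost shows up in the last row: a benign but unapproved tool is denied too, so the allowlist has to be maintained as software changes.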

Another security strategy is to ensure that data is stored in an encrypted state. Just because an attacker is successful in gaining access to a server or PC doesn't have to mean the attacker can also breach the data it contains.

Microsoft provides BitLocker encryption for the Ultimate and Enterprise editions of Windows Vista and Windows 7 (as well as on Windows Server 2008). There are solutions out there like Zecurion's Zserver Storage that provide protection for a wider variety of platforms.

Google has also embraced encryption in the wake of the attacks. Users have had the option of using the more secure, encrypted HTTPS protocol, but now Google has changed it to the default and made encryption an opt-out, rather than opt-in, security control.

The main thing to keep in mind is that these attacks go beyond Internet Explorer and that simply switching browsers is not an adequate defense. Kurtz sums it up on his blog "The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private non-financial customer information and anything else of intangible value."

Tony Bradley tweets as @Tony_BradleyPCW, and can be contacted at his Facebook page.
