Bugs and Fixes: Google Attack Based on Unpatched IE Flaw
By Erik Larkin
PCWorldMar 1, 2010 6:02 pm PST
In an announcement that made big news last month, Google said that it and numerous other companies had been hit by successful hacker attacks. The hacker’s means of access: A critical unpatched (“zero-day”) hole in Internet Explorer.
Google says it discovered the attack in mid-December. The invasion originated in China, and according to the company, the hackers attempted to break into Gmail accounts and steal information about human rights activists. The IE flaw was exploited to install a Trojan horse that would allow full remote control over a compromised PC.
While the security hole affects IE 6, 7, and 8, the only known attacks were against IE 6. According to Microsoft, security measures (such as Protected Mode for IE 7 and 8, and Data Execution Protection for IE 8) prevented attackers from using this zero-day flaw.
In response to the assault, Microsoft took the unusual step of releasing a fix–which it had already been working on–outside of its normal monthly patch cycle.
The cumulative IE update fixes other serious security holes in addition to the aforementioned zero-day flaw, which can trigger an attack if you view a malicious Web page or poisoned banner ad. The MS10-002 update is rated critical for all supported versions of Internet Explorer, from IE 5 on Windows 2000 through IE 8 on Windows 7. Run Windows Update to make sure that you have picked up the fix.
This latest major attack should prod anyone who has yet to upgrade from IE 6 to take that essential step. The emergency patch will protect against this particular flaw, but it’s a safe bet that another hole will be found that causes the now-decrepit browser to throw open the doors of your PC to hackers. If you’re stuck using IE 6 at work because of some legacy Website or company program, you might want to use IE only for that old program, and use an alternative browser such as Firefox for your everyday browsing instead.
A Ho-Hum Update for Most
Microsoft’s regular Patch Tuesday in January included only one patch, shoring up a flaw with Embedded OpenType fonts that was rated critical only for Windows 2000. Without the MS01-001 update, a vulnerable Windows 2000 system could be taken over by a successful attack, so if you have Win 2000, run Windows Update to be certain that you’ve nabbed this patch as well. But this is a low-priority fix for all other supported versions of Windows.
Adobe Fixes Own Zero-Day Flaw
Adobe released an essential fix for its Reader and Acrobat programs on the same day as Microsoft’s regular monthly patch. Pretty much everyone will need to check that they have the Adobe Reader and Acrobat 9.3 update. It shores up a security hole that had been exploited by malicious .pdf files since December, and it is required for version 9.2 (or earlier) of both programs on Windows, Linux, and Mac systems.
Click Help•Check for Updates to make sure you have the latest version, and hit the Preferences button on the resulting pop-up to make sure you’ve enabled Adobe’s automatic updates. See more details on the update, and head to get.adobe.com/reader to download the full version.
Firefox 3.6 Released
Mozilla bumped up its popular browser with an update that adds a few new features and fixes, but doesn’t make any major changes to the program. Version 3.6 will automatically check for a wider range of out-of-date plug-ins, which can represent a major security risk (3.5 checks for old Adobe Flash versions). It also adds support for Personas, a new way to handle Firefox themes.
At this writing, Firefox won’t prompt you to automatically upgrade to 3.6. The easiest way to pick it up is to click Help •Check for Updates, and then click Get the New Version. A helpful add-on check will warn you about any installed extensions that don’t yet work with 3.6 before you upgrade. You can decide then whether you want to wait until the add-ons are ready, or go ahead with the 3.6 update, which will disable those particular add-ons.