Microsoft: Out-of-band fix to IE6 Google/China exploit to come soon
In a display of calm defiance against the notion that reacting publicly to a threat against its customers is a "marketing tactic," a Microsoft spokesperson confirmed to Betanews this afternoon that a fix for the recently uncovered remote code execution vulnerability in Internet Explorer 6 will be made publicly available some time prior to the next round of Patch Tuesday updates. The exact time of the patch's release, as well as the scope of users who should install it, will be revealed tomorrow.
This would limit Microsoft to a four-week response window since last Tuesday, when Google broke its veil of silence to reveal its servers had been attacked by sources apparently emanating from China.
The spokesperson also confirmed to Betanews that Microsoft presently believes the attack vector used against Google and other businesses -- presumably, other businesses that conduct business with China -- is specifically IE6, the old version of the Web browser that shipped with Windows XP. For now, the company declines to comment on how the profile of the attack compares with other attacks of this nature -- that information may come later once the threat has been sufficiently mitigated.
The best defense customers have against the exploit in its current form, suggests Microsoft security general manager George Stathakopoulos, is an immediate upgrade to IE8. Its Data Execution Prevention feature automatically protects against the execution of injected shell code in the computer.
It is the technique adopted by this attack -- injected shell code -- which suggests that the portion of the malware that exploits IE6, at the very least, is actually not very sophisticated at all -- just very effective. Microsoft declined comment for now as to whether the shell code injection technique fits the profile of other malware packages it has encountered over the years, particularly those which targeted IE6 prior to the availability of IE7.
Researchers at New York-based Praetorian Security Group developed a demonstration of the "Aurora" exploit using Metasploit, the framework for security researchers to implement and test exploit code through virtual networks. A video produced by Praetorian provides an astonishing peek into the effectiveness of a back door in giving a remote user effectively full control over a "pwned" system.
[Video: The "Aurora" IE Exploit in Action, from The Crew of Praetorian Prefect on Vimeo.]
The system depicted in the video is clearly Windows XP, and the browser is IE6. Praetorian warns that now that the exploit code is public, it may essentially be a matter of time before a derivative exploit is made targeting later versions. Microsoft is not saying yet whether the patch will be limited to IE6 or would also cover IE7 or IE8 to some extent, though we expect to learn the answer to that tomorrow.
The spokesperson cited Microsoft's ongoing investigation in concert with Google as another reason why it cannot divulge more details about the exploit at this time. Prior to last Tuesday's report from Google, that company had been in the news for having provided no public relations whatsoever in response to a 3G connectivity bug afflicting some of its recently shipped Nexus One smartphones.