Newly released Windows fix addresses both new and old IE browsers
Over the past few days, security engineers have warned that variants of the publicly released Hydraq exploit are being engineered for later versions of Internet Explorer than the one targeted in the recently discovered wave of attacks against Google and others, IE6. One security researcher on the "good side," Dino Dai Zovi, claimed on Twitter earlier today that he has a functional derivative of Hydraq for IE7 and IE8... kind of. To make them work, two of Windows 7's more celebrated security features -- Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) -- have to be manually turned off first.
Still, the prospect of such an exploit becoming real prompted Microsoft to release its out-of-band security update today, as promised yesterday, for IE6, IE7, and IE8. Separate update packages are currently being deployed through Windows Update, and are available for download now.
Microsoft Senior Security Program Manager Jerry Bryant informed Betanews just moments ago that, so far, Microsoft has seen evidence of actual Hydraq attacks in the wild targeting IE6 only. However, as Bryant warned customers in a blog post yesterday, more than the Web browser may be theoretically vulnerable.
Specifically, earlier versions of other Microsoft software that use the mshtml.dll rendering library to display HTML e-mail, including Outlook, Outlook Express, and Windows Live Mail, could be vulnerable if users have weakened their default security settings (for instance, by enabling ActiveX controls). Users who leave their security configurations in the recommended states may not be vulnerable, Bryant said. Outlook 2007 uses a later version of the library, Bryant said, and is therefore not immediately vulnerable at all.
However, if mutants of Hydraq that work on IE7 and IE8 ever are exploited in the wild, users without today's IE patch installed (which addresses the shared rendering library as well) could be in trouble. Until very recently, third parties answering reader and customer complaints about software incompatibilities have advised them to turn DEP off.
Sometimes the problem itself didn't have to be explained in detail; publications and services have simply advised, turn DEP off and see if that works. "Users who are facing problems when using Office applications can use the following trick to turn off and disable DEP for Office applications," reads a post on MyDigitalLife.info dated last August.
Microsoft, of course, continues to suggest that DEP remain turned on, stating that any software incompatibilities users may face are much less serious than being exposed to a critical exploit.
As Dino Dai Zovi told his followers on Twitter earlier today, "Right now, my exploit works against IE7 on Vista with ASLR but no DEP, but not against IE8 with ASLR + DEP." Later, he added, "My exploit works on all IE targets with none of, or one of, DEP and ASLR, but not when both are in use."
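As an added, defender-side example (not from the article or from Microsoft), the following PowerShell audit reports a host's system-wide DEP policy and lists any per-application DEP exclusions of the kind the "turn DEP off" advice above produces. It assumes PowerShell 3.0 or later (for Get-CimInstance) and that per-application exclusions are recorded in the standard AppCompatFlags\Layers registry key with a DisableNX flag; the function name and output fields are the author's own.

```powershell
# Added example: audit whether DEP has been weakened on this host,
# either system-wide or for individual executables.
function Get-DepAudit {
    # System-wide policy as exposed by the Win32_OperatingSystem CIM class:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy

    # Per-application exclusions (assumption: the DEP exception list is stored
    # as AppCompat "Layers" values named after the executable, whose data
    # contains a DisableNX flag such as DisableNXShowUI).
    $layerKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    )
    $excluded = foreach ($key in $layerKeys) {
        if (Test-Path $key) {
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                $flags = [string]$item.GetValue($name)
                if ($flags -match 'DisableNX') {
                    [pscustomobject]@{ Hive = $key; Executable = $name; Flags = $flags }
                }
            }
        }
    }
    $excluded = @($excluded)

    $finding = if ($policy -eq 0) { 'DEP disabled system-wide' }
               elseif ($excluded.Count -gt 0) { 'DEP disabled for listed applications' }
               else { 'No DEP weakening found' }

    [pscustomobject]@{
        DepAvailable     = [bool]$os.DataExecutionPrevention_Available
        SystemPolicy     = $policyNames[$policy]
        SystemWeakened   = ($policy -eq 0)
        PerAppExclusions = $excluded
        Finding          = $finding
    }
}

# Run the audit and show the result.
Get-DepAudit | Format-List
```

Run it in an elevated session if you want the HKLM exclusions of other users' accounts to be readable; a SystemPolicy of AlwaysOff or any entry under PerAppExclusions is the condition the article warns about.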
Although Hydraq's payload -- a veritable communications platform for stealthy intellectual property theft -- is one of the more sophisticated such payloads that some security researchers have encountered, the package it's delivered in has been said to be not sophisticated at all. That could be one reason why Microsoft was able to patch this problem so quickly, just two weeks after Google apparently notified Microsoft of its existence.
For better or worse, the source code of a version of Hydraq (which may or may not be the version used in the Google attack) was released last week by students working with the Wepawet malware analysis service at the University of California at Santa Barbara. Marco Cova is one of those students. This morning, Cova told Betanews that the lack of sophistication necessary for Hydraq to deliver its sophisticated stealth service should itself be considered sophisticated.
"I would say that the attack was technically sophisticated, mostly because, as far as I know, it was targeting a previously unknown vulnerability, rather than using one of the well-known exploits that are implemented in popular exploit packs," Cova told us. "The attack techniques themselves (the shellcode injection, etc.) are well known; so the novelty here would be knowing or finding what to attack rather than how to attack."
Addressing the possibility that Google's attackers chose IE6 not out of convenience but because they knew what systems they would be attacking, Cova said, "An attack may be sophisticated from points of view other than the technical one. For example, an attack may be sophisticated because it leverages sophisticated knowledge of its targets (who is to be targeted, how, etc.). Whether this is the case may be better assessed by somebody at Google."