tiff with China sparked over another Explorer security breach
Alan Zisman (c) 2010 First published in Business
February 9 - 15, 2010 issue #1059
High Tech Office column
As I write, the biggest tech news of the last week – at least for
anyone not mesmerized by the advance hype of Apple’s late-January event
– was Google going face-to-face with the Chinese government.
The search giant demanded an end to Chinese government censorship of
Internet access within its borders, threatening to pull out, shutting
down its Google.cn subsidiary.
Less widely reported: while some 70% of North American searches use
Google, in China the company is far behind the Baidu search service. It
may have been harder for Google to threaten to pull out of a market
where it was more successful.
Other threads in the story: Google made its stand following what it
described as a Chinese-originating cyber attack on the company – and at
least 33 others – aimed at hacking the Gmail accounts of human-rights
activists and theft of Google’s intellectual property.
Google implied the Chinese government initiated the attacks; not
surprisingly, China denied the accusation.
Commenting on “the targeted and co-ordinated nature of the attack,”
George Kurtz, the chief technology officer of Internet security company
McAfee, called it what his company refers to as “Aurora” – a “watershed
moment in cyber security.”
Apparently, the attacks used a security hole in Microsoft’s Internet
Explorer’s (IE) older IE6 version running in Windows 2000 or XP. Newer
IE versions have similar vulnerabilities, though Aurora targeted IE6
systems. (Early reports suggested the attacks used a vulnerability in
Adobe’s PDF reader; apparently, that wasn’t the case.)
News of this latest IE vulnerability spurred government agencies in
Germany and France to urge their citizens to consider using alternative
Microsoft initially suggested users upgrade to the current generations
of IE6 and Windows XP.
However, it later released a patch (for all versions of Internet
Explorer) for the “invalid pointer reference” that made the attacks
possible. Apparently, Microsoft had been aware of this vulnerability
since last September.
Perhaps not surprisingly, within a few days of the publicizing of the
Internet Explorer vulnerability, Symantec found “hundreds of websites,”
typically on free web-hosting services, that were spreading attack code
exploiting this flaw.
Users are being led to these sites by links in spam e-mail, instant
messages and the like – apparently coming from known senders.
Even with the release of Microsoft’s fix, too many users don’t update
their systems in a timely manner, if at all.
Scripts on the websites attempt to steal visitors’ data and take
control of their computers.
Andrew Brandt, research analyst for security company Webroot, calls it
“a pretty nasty attack against the people who are targeted.”
So is it time to stop using Internet Explorer entirely?
Not necessarily. I’ve repeatedly urged High Tech Office readers to
check out alternatives to widely used (and widely targeted) Microsoft
products, but no software is inherently 100% safe and secure.
At the Vancouver-based Pwn2Own security event, for instance, a Mac
running Apple’s Safari browser was quickly and publicly compromised.
More to the point: keep whatever browser and other software you’re
using patched and up to date.
Along with keeping your operating system, browser, media players, PDF
readers, office suite software and more up to date, you may similarly
want to use file encryption for an extra level of protection.
Encryption is optionally available to users of the higher-end Windows 7
and Vista versions and to users of recent Mac OS X versions, while the
free TrueCrypt is available for users of most computer platforms.