Google’s tiff with China sparked over another Explorer security breach

by  Alan Zisman (c) 2010 First published in Business in Vancouver February 9 - 15, 2010 issue #1059

High Tech Office column

As I write, the biggest tech news of the last week – at least for anyone not mesmerized by the advance hype of Apple’s late-January event – was Google going face-to-face with the Chinese government.
The search giant demanded an end to Chinese government censorship of Internet access within its borders, threatening to pull out, shutting down its Google.cn subsidiary.

Less widely reported: while some 70% of North American searches use Google, in China the company is far behind the Baidu search service. It may have been harder for Google to threaten to pull out of a market where it was more successful.

Other threads in the story: Google made its stand following what it described as a Chinese-originating cyber attack on the company – and at least 33 others – aimed at hacking the Gmail accounts of human-rights activists and theft of Google’s intellectual property.

Google implied the Chinese government initiated the attacks; not surprisingly, China denied the accusation.

Commenting on “the targeted and co-ordinated nature of the attack,” George Kurtz, the chief technology officer of Internet security company McAfee, called it what his company refers to as “Aurora” – a “watershed moment in cyber security.”

Apparently, the attacks used a security hole in Microsoft’s Internet Explorer’s (IE) older IE6 version running in Windows 2000 or XP. Newer IE versions have similar vulnerabilities, though Aurora targeted IE6 systems. (Early reports suggested the attacks used a vulnerability in Adobe’s PDF reader; apparently, that wasn’t the case.)

News of this latest IE vulnerability spurred government agencies in Germany and France to urge their citizens to consider using alternative web browsers.

Microsoft initially suggested users upgrade to the current generations of IE6 and Windows XP.
However, it later released a patch (for all versions of Internet Explorer) for the “invalid pointer reference” that made the attacks possible. Apparently, Microsoft had been aware of this vulnerability since last September.

Perhaps not surprisingly, within a few days of the publicizing of the Internet Explorer vulnerability, Symantec found “hundreds of websites,” typically on free web-hosting services, that were spreading attack code exploiting this flaw.

Users are being led to these sites by links in spam e-mail, instant messages and the like – apparently coming from known senders.

Even with the release of Microsoft’s fix, too many users don’t update their systems in a timely manner, if at all.

Scripts on the websites attempt to steal visitors’ data and take control of their computers.

Andrew Brandt, research analyst for security company Webroot, calls it “a pretty nasty attack against the people who are targeted.”

So is it time to stop using Internet Explorer entirely?

Not necessarily. I’ve repeatedly urged High Tech Office readers to check out alternatives to widely used (and widely targeted) Microsoft products, but no software is inherently 100% safe and secure.

At the Vancouver-based Pwn2Own security event, for instance, a Mac running Apple’s Safari browser was quickly and publicly compromised.

More to the point: keep whatever browser and other software you’re using patched and up to date.

Along with keeping your operating system, browser, media players, PDF readers, office suite software and more up to date, you may similarly want to use file encryption for an extra level of protection.

Encryption is optionally available to users of the higher-end Windows 7 and Vista versions and to users of recent Mac OS X versions, while the free TrueCrypt is available for users of most computer platforms.