Security Watch

IE: Trouble on the Franco-German Front

Plus: Google attacks may originate from China; password complexity not a complete deterrent.

• By Jabulani Leffall
• 01/19/2010

Here's how you know an in-the-wild Internet Explorer security bug is bad: France agrees with Germany.

The cabinet leadership of both countries has suggested a moratorium on the use of IE 6, IE 7 and IE 8 until Microsoft has patched the issue.

In a bulletin released on Monday by its information security department, the French government urged Internet users to avoid those three versions of Microsoft's browser because of potential weaknesses. This comes just two days after the German government's IT security arm, BSI, warned that the flaws allow hackers to "start and lock computers that have a Windows operating system."

Microsoft has insisted that the vulnerability has so far been exploited only in IE 6. However, its recent security advisory suggests that even though IE 6 is the most vulnerable target, the company isn't taking any chances on IE 7 and 8.

"It looks like European countries might be falling over themselves to boost the uptake of Firefox, Safari, Chrome and other non-Microsoft Internet browsers," wrote Graham Cluley, senior technology consultant for security firm Sophos, in his blog on Monday.

Cluley said that because details of the exploit are now available online, hackers could change the code to target other versions of the browser. But Cluley, Microsoft and others offer a word of caution for enterprise IT pros: Don't switch browsers out of fear. If there are no default browsers set up in a given enterprise computing environment, it may not be worth it to shut down IE, particularly since many Web applications either need IE to run or run best using IE.

Microsoft has suggested workarounds -- such as its enhanced security configuration tool in IE -- as stopgaps until a patch is issued. On the flip side, the absence of an official fix is what's so critical about security issues facing IE right now -- it really is that popular and widely used.

For its part, Microsoft said it will continue monitoring this situation and take appropriate actions to protect its customers, including releasing an out-of-band patch, which -- given the severity of matters -- could come soon. Feb. 9 is the next scheduled Patch Tuesday, so we'll see.

Researchers: China May Be Source of Google Attacks
With controversy brewing between Google and China over Internet information freedoms, it might be easy to use the headlines as a barometer for the security atmosphere between the two.

Indeed, the correlation between Google's very public outcry against the alleged hackings into Chinese dissidents' Gmail accounts and the zero-day attack on Google's databases via IE is very convenient (but has yet to be completely substantiated).

For its part, Google has pointed the finger directly at China. And at least two third-party security outfits -- McAfee and Washington, D.C.-based Mandiant -- have determined that the Gmail attacks (dubbed "Operation Aurora") were way too sophisticated to be a hacker aberration.

"This is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations," said George Kurtz, McAfee Worldwide's CTO, in a statement. "It is a watershed moment in cybersecurity because of the targeted and coordinated nature of the attack. As a result, the world has changed; organizations globally will have to change their threat models to account for this new class of highly sophisticated attack that goes after high-value intellectual property."

McAfee, which claims to be the company that discovered "Operation Aurora," went so far as to call the events of last week "China-linked" and said that Windows users "currently face a real and present danger due to the public disclosure of a serious vulnerability in Internet Explorer."

Meanwhile, Carlos Carrillo, a principal consultant for Mandiant -- which was the security firm hired by Google to investigate the attacks -- is saying that at the very least, the code quality of the exploit appears to be government-sanctioned.

Password Strength Not a Fool-Proof Deterrent
According to the FBI's Internet Crime Complaint Center, new cases involving cyber-fraud are cropping up every week.

And if a recent report from Gartner about emerging threats coming from automated malware is any indication, hackers may be saying, "Authentication, schmauthentication."

OK, hackers aren't really saying that; I just really wanted to say it. But the gist is there, given the report's findings, which claim that hackers and tech-savvy con artists have been raiding user accounts by "beating strong two-factor authentication methods."

This is because simply gaining control of a user account through a browser is enough to take over a computer and look through the search history, Web forms and cookies to find a user's passwords -- no matter how complex they are.

"Because any authentication method that relies on a browser can be attacked and defeated, banks should start using server-based fraud detection to monitor transactions for suspicious patterns" the Gartner report said.