Thursday, February 25, 2010

CERT describes China exploit in IE


>
CERT (at Carnegie Mellon) has reported on the “Aurora” Microsoft Internet Explorer exploit, analyzed by McAfee.

The systems affected are:

"(1) Microsoft Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
"(2) Microsoft Internet Explorer 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows 2008, Windows 7, and Windows Server 2008 R2"

The brief description is
“Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.”

The following link from CERT gives all the details. Subscribers to their email list were notified this morning.

It appears that attacks were started when employees were duped by phishing scams.

The email gives a long list of “malicious domains” associated with the incident. One of these is “blogspot(dot)blogspite(dot)org”, trying to dupe users to believe they are visiting Blogger.

It appears that KB978702 update, described in MS10-002, fixes the problem. Users got with automatic update got this fix in late January.

No comments: