URGENT - New Cyberattack Reported

McAfee reports a new high-risk cyber attack: Operation Aurora

McAfee Labs identified a zero-day vulnerability in Microsoft Internet Explorer that was used as an entry point for “Operation Aurora” to exploit Google and at least 30 other companies. Microsoft has issued a security advisory and McAfee is working closely with them on this matter. “Operation Aurora” was a coordinated attack which included a piece of computer code that exploits a vulnerability in Internet Explorer to gain access to computer systems. This exploit is then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious Web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, in Google’s case, gain access to user accounts.

You can find more information about this attack, and ways to protect your systems against it, at the McAfee threat center, or you can contact us.

How serious is this vulnerability?

The Microsoft Internet Explorer vulnerability leveraged in this attack allows for remote code execution, but does require user intervention (such as following a hyperlink to a website or opening an email attachment). Furthermore, the single exploit known to exist can be thwarted by Data Execution Prevention (DEP), which is enabled by default in Internet Explorer 8 and optionally in Internet Explorer 7. Microsoft lists the following combinations as vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

How are McAfee customers protected from this attack?

· McAfee DAT files (antivirus): Coverage will be provided for associated malware (as Exploit-Comele, Roarur.dr, and Roarur.dll) in the 5862 DATs, releasing January 15. Partial coverage is provided in the current (5861) DATs for some components as Generic.dx!kwv, Generic Spy.e, Spy-Agent.ey, and Exploit-Comele.

· McAfee VirusScan Enterprise Buffer Overflow Protection: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

· McAfee Host Intrusion Prevention: Generic Buffer Overflow Protection is expected to cover some, but not all, exploits.

· McAfee Network Security Platform: The UDS release of January 14 contains the signature “UDS-HTTP: Microsoft Internet Explorer HTML DOM Memory Corruption”, which provides coverage.

· McAfee Vulnerability Manager: The FSL/MVM package of January 14 includes a vulnerability check to assess whether your systems are at risk.