Google - China attack episode: Is Microsoft to blame?


The Google Gmail attacks – which were paralleled by similar attacks on Adobe and a number of other IT companies – are the result of a complex targeted attack by hackers in China that stem from a new and little-known vulnerabiity in the Microsoft web browser.

In his analysis of the saga, George Kurtz, McAfee's chief technology officer, said that, in the company's investigation it discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer.

"We informed Microsoft about this vulnerability and Microsoft published an advisory and a blog post on the matter," he said in his own blog posting.

Kurtz went on to say that, although targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios, contrary to some reports, McAfee had found no evidence of a vulnerability in Adobe Reader being a factor in these attacks.

The Internet Explorer vulnerability is said to exist as an invalid pointer reference that can be exploited by hackers to allow remote code to be executed.

According to Kurtz, once the malware is downloaded and installed, it opens a executable back door that allows the hacker to scan the available ports and gain control over the compromised IT system. "The attacker can now identify high-value targets and start to siphon off valuable data from the company," he explained.

Unconfirmed reports suggest that all versions of Internet Explorer from 5.0 onwards are vulnerable to the flaw, although newswire reports this morning said the main focus of the attacks were on Internet Explorer 6.

As widely reported in the media, the attacks – which were publicised by Google – originate from highly organised cyber espionage sources in China, although the Chinese government has denied any involvement.

Owing to this latest rash of attacks and what it claims is increasing pressure to ramp up its search engine filtering, Google has said it will now remove its filtering in China, as well as pull out of the country, unless the censorship pressures are removed.

Google's threat to withdraw from China has gained support from several sources, including Neelie Kroes, the woman set to become the European Union's top internet official. "We have to have freedom of speech, we have to have the possibility to put things on the 'Net," she told EU legal officials and reporters at a briefing yesterday.

Kroes said that the allegations against China, if proven, were "particularly worrying as targeting of human rights activists in China and elsewhere" violated fundamental rights such as the freedom of opinion.

Infosecurity notes that Kroes is the EU's antitrust commissioner and is widely tipped to switch to her new post next month if she receives the backing of the European Parliament later this month.

Business internet service vendor Entanet, meanwhile, is also supporting Google in what is developing into a war of words, with Neil Watson, the ISP's head of operations, saying that Google's withdrawal from China would be welcomed by human rights advocates throughout the world who have long campaigned for an end to the Chinese government's censorship of the internet and free speech.

"We believe that it is about time large powerful corporations such as Google (who admittedly have less dominance in the Chinese market than elsewhere in the world) stood up to the Chinese government and either withdrew their business completely or at least pro-actively challenged their censorship regulations," he said.

Data security specialist Imperva also supports Google's planned Chinese pullout, with the firm's chief technology officer, Amichai Shulman, saying that the Chinese hackers tried to gain access Google internal databases to pull passwords.

"We can presume that Google determined that the attackers were after civil rights activists from queries that the hackers tried to run on the databases containing the activists' user names," he said. "Google probably discovered the issue through audit trails when they examined the infiltrated databases," he added.

What’s hot on Infosecurity Magazine?