Security Advisory - January 20, 2010

Zscaler protects against Operation Aurora (recent IE Vulnerability)

We provided an initial communication regarding the recent Microsoft Internet Explorer zero-day vulnerability (CVE-2010-0249) on Friday. Since this is a fluid situation, we wanted to pass along an update on what has transpired since then. To recap, this vulnerability is known to have been used in high-profile attacks originating from China to successfully compromise a number of large corporations, including Google, Adobe, and Yahoo!. The attacks are being referred to in the press as 'Operation Aurora'. Zscaler deployed initial protections for the vulnerability on Thursday, January 14th, immediately after receiving confidential notification from Microsoft via the Microsoft MAPP program. We have subsequently deployed additional protections as new exploit samples have emerged.

No Zscaler Customers Have Been Exploited

Zscaler Labs obtained and analyzed exploit code believed to have been used in the Operation Aurora attacks. Upon completion of our analysis, we were able to conduct a thorough review of Zscaler log data to look for evidence of attacks on Zscaler clients. Our review showed no evidence to suggest that any Zscaler clients were targeted in these initial attacks.

Public Exploits Continue to Emerge

Publicly available exploits have emerged for this vulnerability, including a Metasploit module. The wide availability of reliable exploit code is likely to result in a second wave of attacks, unrelated to those of the initial perpetrators. All public exploits to date target only Internet Explorer 6. Although the vulnerability also affects Internet Explorer 7/8, reliable exploitation is complicated by additional security measures in these browsers, most notably Data Execution Prevention (DEP). Despite this fact, private organizations are claiming to have developed successful exploits for Internet Explorer 7/8.

Additional Precautions

As noted, Zscaler has already deployed protections related to this vulnerability, which will detect and block web sites attempting to leverage known exploits. We will continue to monitor for additional attacks and deploy new protections as necessary. Beyond this, we recommend the following:

Upgrade Browsers

Internet Explorer 6, although still supported by Microsoft, lacks many of the additional security protections of Internet Explorer 7/8, such as DEP, malicious URL/phishing block lists, Address Space Layout Randomization (ASLR), and Cross-Site Scripting (XSS) protections. For those organizations still relying on Internet Explorer 6, we strongly recommend an across-the-board upgrade to Internet Explorer 8.

Deploy Patches

Microsoft has deployed patches for this vulnerability, details of which are available in Security Bulletin MS10-002 (http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx). As exploit code is currently in the wild, patches should be immediately deployed on all vulnerable versions of Internet Explorer.