IE6 exposed as Google China malware unpicked

Fresh analysis has revealed the sophistication of malware used in attacks against Google and other hi-tech firms originating from China last month. It's now known that the attack took advantage of a zero-day vulnerability in Internet Explorer - CVE-2010-0249 - to drop malware onto compromised systems. After backdoor components …

COMMENTS

This topic is closed for new posts.
  1. Joe Montana
    Flame

    Proprietary third party apps

    They were most likely running it because they have got locked in to one or more third party applications which don't work with any other browser...

    IE6 is all over the place in corporate networks, and it's all down to Microsoft encouraging third party developers to target non-standard features of IE6 years ago.

    1. Anonymous Coward
      Gates Horns

      Proprietary third party apps

      "IE6 is all over the place in corporate networks"

      So is Windows 2000, but Microsoft's latest IE fix does not work on Windows 2000.

      I guess MS thinks those users can just go swing in the wind.

  2. Ian Bradshaw
    FAIL

    haha

    Google doesn't even use there own browser, and uses Windows OS ... excellent.

    FAIL ... as if Google can't even use there own products or go to Linux (as apparetly the geeks think its better) then why should anyone else bother

    1. Jonathan Richards 1
      Grenade

      Let me get this straight

      Mr Bradshaw: your reasoning is "Google got penetrated by not using there [sic] own software. They're a failure, so why should I do anything differently. I'll sit in my own shit while I point and laugh."

      FAIL indeed. Apparetly [sic] its [sic] true, the geeks are right.

  3. Jigr69
    Black Helicopters

    Something suspicious is going on.

    The US government uses IE6 for legal wire tapping.

    Google is caught using IE6.

    Chinese target IE6.

    A bigger issue at play here, methinks, than a couple of corporations being hacked. Maybe the real targets were the US Government and anyone else infected was merely collateral damage.

    1. Steven Knox

      Clarification?

      "IE6 is famously outdated, and it's tempting to think Google and Yahoo! were only running it because it was the only browser supported by government systems connected with lawful interception (wiretapping)."

      This is an article about China on a UK-based news site. The sentence above (the only relevant one in the article) does not identify which government's wiretapping systems require IE6. Why do you believe it is the US government? Please identify any external references. Thank you.

  4. Anonymous Coward
    Anonymous Coward

    Why use IE6?

    Perhaps I'm missing something but doesn't it make sense for an Internet software company to be running all kinds of Web browser (even some outdated ones) for testing purposes?

    1. Jonathan Richards 1
      Unhappy

      Testing

      > doesn't it make sense ... to be running all kinds of Web browser ... for testing purposes?

      No. No, it doesn't.

      If you're building a web page, validate its HTML against W3C standards. If it's broken, fix it.

      If you're writing a browser, validate its performance against standard HTML. If it doesn't render standard HTML, fix it. If it doesn't render non-standard HTML, who gives a damn?

      And even IF you were stupid enough to be running obsolete and vulnerable software for testing purposes, you wouldn't be testing by surfing to dodgy Chinese (allegedly) web sites, or reading your spear phishing email, would you?

      Posted from a supposedly secure government network, using IE 6.0. Sigh.

      1. Anonymous Coward
        Anonymous Coward

        <scoff>

        W3C??! HA!

        (bloody students...)

      2. pitagora
        Thumb Down

        I test my websites on ALL browsers above 1% market share.

        As a web designer I have to design pages to look great on all browsers. Yes, IE 6 is a nightmare as it doesn't comply with lots of standards. Second on the nightmare list is Chrome and then IE 8. Unfortunately when the client comes and tells me the page looks shitty on IE 6 I can't tell him to change the browser because it doesn't comply. He will ask me to fix the problem. He pays me for that, and since I can't fix IE 6 I have to fix my page. And let's not forget that over 20% of the users still have IE 6. No way they can be ignored simply because you don't like that browser.

        So yes, I test my websites on ALL browsers above 1% market share.

        1. Big-nosed Pengie

          Why bother?

          Write code that's W3C compliant. If a browser doesn't render it, the browser's broken.

          1. Octopoid

            Newsflash

            They're all broken.

      3. Octopoid
        Stop

        Lol @ W3C Standards

        I actually religiously validate against W3C, because I'm a bit OCD, but seriously - have you ever actually tested any real sites against it?

        http://validator.w3.org/check?uri=http%3A%2F%2Fwww.google.co.uk%2F&charset=%28detect+automatically%29&doctype=Inline&group=0

        That's 44 errors on a page which only has about 44 words on it.

        Even if something does validate correctly, there is NO guarantee that it'll actually render properly on any of the browsers, especially older ones. No browser is 100% compliant.

        The W3C standards are a good starting point, but no replacement for testing.

    2. Anonymous Coward
      Heart

      THANK YOU Eq!

      The only thing you’re missing my friend, is knee-jerk reactionary commentard syndrome.

      And round here, that's not a bad thing.

    3. Grease Monkey Silver badge

      Internal testing

      Yes it makes sense for any company publishing content on the internet to test on every browser they can get their hands on, but only internally. If Google only used IE6 for internal testing they wouldn't have got pwned. The fact is that they must have been using it for external access which is just stupid.

      There is an application I have to use at work which will only work on IE6 (no it doesn't work on any other browser let alone any other version of IE), but that doesn't stop you running FF, Opera, Chrome or whatever in parallel for other sites.

    4. Anonymous Coward
      Anonymous Coward

      IE6 for testing ... in a sandbox

      sure, you can use IE6 for testing web pages but you should be in a sandbox, with firewalls, anti virus and something like Spybot and don't give it unfettered access to key corporate systems

      IE6 is over a decade old and no longer a supported platform. Are Microsoft *really* at fault here? Next we'll be up in arms about zero day bugs in System9 or Win3.11

      Pointing the finger at IE6 is just Google frantically trying to avert suspicion from their own behaviour and complicity in this process (more likely that it was social engineering rather than hard core hacking that's at fault)

      Google keep getting a pass for behaviour that if it were Apple, Microsoft, Oracle or Novell they'd be dragged over the coals for

  5. Anonymous Coward
    Anonymous Coward

    I thought...

    It was the gmail accounts of dissidents that were targeted, not Google itself. If it's the first, and they don't work for Google, then the question of why they were not using Chrome isn't even one that is worth asking.

    If it was Google itself that was targeted, or dissidents working at Google who accessed gmail from their works PCs or from home then it probably is worth asking.

    1. Anonymous Coward
      Anonymous Coward

      Nope

      Read the original story again. I read it that some gmail accounts got hacked, but google are also claiming that they got hacked and some IP was stolen and twenty other major companies got hacked too.

  6. Anonymous Coward
    Anonymous Coward

    why were google using IE6

    maybe because they had added the chrome add-on so that they could have a "modern browsing experience" while retaining a bug-ridden security threat underneath.

  7. Tom 13

    @Eq

    If they were only using it for testing purposes, it should not have been compromised in an attack. For testing purposes you hit a defined series of sites, usually under your direct control, not general browsing. I suspect Joe Montana has the correct answer: too many internally developed apps that pre-date Chrome and don't run correctly in IE7 or IE8 except in compatibility mode. Which begs the question, is IE8 in compatibility mode subject to the same exploits? MS seems to be denying it, but they're the sort you check on even if they tell you the sky is blue today.

    1. Jolyon

      Can confirm

      The sky is indeed not blue today here in northern Europe.

    2. Anonymous Coward
      Thumb Down

      No

      "For testing purposes you hit a defined series of sites, usually under your direct control, not general browsing."

      That would be an ideal mandate if they were testing IE6. But they weren't.

      Nice try though.

      1. Steven Knox
        Thumb Up

        No No

        If you're testing a browser, the LAST thing you want to do is limit yourself to a short list of sites primarily under your direct control. If you do that, you'll miss the broad variety of web coding out there, and virtually ensure that your browser is useless to real users.

        The only time to be focusing on specific sites under your control with a browser while testing is if you're testing either (a) a very limited facet of the browser (say a toolbar feature) or (b) you're testing the sites themselves (e.g., do they look right/work on this given browser). Now that seems very much like what Google might do, don't you think?

  8. GaileF0rce

    Is McAfee the only company concerned about this

    Why is McAfee the only firm that seems to be working on this? None of the other players that I've looked at including Symantec/Norton seem to be too bothered. We use CA and I looked on their site to see if their signatures had been updated to detect it and they don't even seem to mention it. Have McAfee got an exclusive rights deal or something!

  9. NogginTheNog
    Thumb Down

    Your turn next

    Please knock it off with all the smugness non-IE users... there WILL be an exploit for your favourite browser along sooner or later, never fear. I don't think malware authors are particularly fussed about politics, they just wanna steal stuff.

    For the record I use FF 3.5 (mainly), IE8 (occasionally), Opera 10 (almost as much as FF), and IE6/7 at work ('cos that's all they have).

    1. Anonymous Coward
      Anonymous Coward

      Quite

      It's very sad that adherents of any particular browser feel they have to crow about every vulnerability in other browsers. Remember all the IE fans shouting about the vulnerabilities that led Mozilla to release FF 3.5.6 last month. The way these sad Fanbois think is pretty simple; any vulnerability in another browser is the most serious vulnerability ever; any vulnerability in their own browser is not a real vulnerability at all.

  10. Anonymous Coward
    Flame

    IE6

    "...why Google and the other affected concerns were running a version of Microsoft's browser software first released in 2001 and not Chrome. IE6 is famously outdated..."

    Yeah but here's the rub. You buy XP. You lock down all the non-development boxes so that only your IT admins can install new software. Updates come through the company update service.

    Next thing you know, Vista is here and smells like rancid poo. You don't let the IT bods install it (they don't want to) or anything to do with it - like IE7.

    Alternatively, they could be using Win2k - much less bloated than XP...

    Most likely option - What they've got works well enough - IF IT AIN'T BROKE, DON'T FIX IT!

    1. Jonathan Richards 1

      Not a bad maxim

      > Most likely option - What they've got works well enough - IF IT AIN'T BROKE, DON'T FIX IT!

      Except that in this case, it clearly AM BROKE, and NEEDS FIXIN'. What you describe is a risk management policy which says 'we recognise the risk, and we'll do nothing but fight the fires after they break out'.

    2. Real Ale is Best
      FAIL

      @AC 13:56

      > Most likely option - What they've got works well enough - IF IT AIN'T BROKE, DON'T FIX IT!

      Yes, but the point is that it was "broke".

    3. Steven Knox
      FAIL

      See Icon

      1. If you're practicing "guilt by association" with your software updates, you need a career change. Avoid an OS that's got known issues, fair enough -- but don't refuse to even evaluate a software update for the OS you're using simply because an equivalent version comes preinstalled with the OS you're avoiding.

      2. If it ain't broke, don't fix it, fair enough -- but it's been proven, repeatedly, since roughly the day of release that IE6 IS broken, in many different ways. Microsoft has even gone on record to say that they WILL NOT fix some of the ways it's broken. So the only fix is for YOU to REPLACE IT.

    4. Anonymous Coward
      Anonymous Coward

      Paging Mr Ludd!

      "Alternatively, they could be using Win2k - much less bloated than XP..."

      Dammit why not stick with NT4, or maybe Windows 3.11? What exactly was wrong with DOS 3.3 anyway?

      I know somebody like you. He drives an old Renault 5 because modern cars are nasty and plasticky and full of unreliable modern electronics like fuel injection and electronic ignition.

      1. heyrick Silver badge
        FAIL

        Hahahahaha!

        EPIC fail! Our (old) Renault 5 has... fuel injection and electronic ignition. I know, I'm in the process of swapping out the coolant temp sensor as it is duff and the EMS can't start the car when the engine is hot as it thinks it is always cold.

        Pick on a Morris Minor, or a Talbot Horizon, or anything old enough to be very unlikely to be teched up. But a Renault 5? Sorry, they aren't *all* hunks of crap...

    5. gollux
      WTF?

      IE6 was broke from inception...

      and was quick to be replaced with IE7 on my XP systems as soon as the first IE7 fixes started to come from Microsoft.

  11. Thomas 18

    Could these be IE6 form components?

    What about if an old app embeds a WebBrowser component? can that be an outdated IE6 version so your computer is compromised even though as far as you are concerned you're running Firefox for web browsing and this was just a stock checking standalone app you happened to have.

  12. Anonymous Coward
    Boffin

    This pretty much proves it was the Chinese Government

    Enough said

    1. Anonymous Coward
      WTF?

      Eh?

      How so?

  13. Kalvis

    Wind up gov.uk

    Petition to: warn computer users against using Internet Explorer. | Number10.gov.uk http://tinyurl.com/yhar7qm

    Also, get people to think about open-source software.

  14. Jamie Kitson

    What If...

    What if Google were about to release an operating system? Maybe they'd want some bad publicity for the incumbent, dominant OS? Now, how could they engineer that?

    1. Gulfie
      Black Helicopters

      Paranoid? Toi?

      You, my friend, hear black helicopters in your sleep, I'll warrant.

      Black helicopters, here you go.

    2. Anonymous Coward
      Anonymous Coward

      What!?

      So you're suggesting that Google somehow managed to engineer a critical vulnerability into IE6 almost ten years ago because they knew they'd be launching an OS in ten years time.

      You also seem to be suggesting that Google would accuse the Chinese governments of a major hacking incident simply in order to discredit MS.

      The real nonsense of your argument lies in the fact that Chrome OS doesn't really compete against MS in any major market. It's a web browser sitting on a kernel with a few device drivers. It's an OS for crappy little netbooks and the likes, not proper users on proper computers using proper applications. When Chrome OS can run serious applications you might have a point, but until then it will never compete with any mature OS.

  15. Charles Calthrop
    FAIL

    @Jonathan Richards 1

    "If you're writing a browser, validate its performance against standard HTML. If it doesn't render standard HTML, fix it. If it doesn't render non-standard HTML, who gives a damn?"

    Users, for one. If you built a browser and it only parsed valid html, can you tell me what you would do when people said that by using it they couldn't see anything that used youtube's <embed src code? to think of one example.

    Would you just tell them airily that they should only view pages that validate properly?

    Good luck with that then

  16. Charles Calthrop
    FAIL

    @Jonathan Richards

    "If you're writing a browser, validate its performance against standard HTML. If it doesn't render standard HTML, fix it. If it doesn't render non-standard HTML, who gives a damn?"

    Users, for one. If you built a browser and it only parsed valid html, can you tell me what you would do when people said that by using it they couldn't see anything that used youtube's <embed src code? to think of one example.

    Would you just tell them airily that they should only view pages that validate properly?

    Good luck with that then

  17. amanfromMars 1 Silver badge

    Meanwhile .....Deep Undercover in the Ministry of Truth

    "I thought...It was the gmail accounts of dissidents that were targeted, not Google itself." ... Anonymous Coward Posted Tuesday 19th January 2010 12:29 GMT

    In such cases it is always more interesting to discover the foreign supporters of dissidents by just following the communications chain, and that would be a much more likely pastime for a smart nation.

  18. Daar Istia
    FAIL

    Back to IE5 !

    It's the only version not affected according to MS' security advisory !

  19. Bilgepipe
    Gates Horns

    Crash

    "Microsoft advises users to upgrade to IE8 which, while not immune to the bug used in the Operation Aurora attacks, is "not affected by currently known attacks and exploits due to the improved security protections” in the latest version of Microsoft's browser software."

    No, it just crashes in a heap, which is apparently acceptable behaviour to Microsoft.

  20. Britt Johnston
    Welcome

    trouble with FUD

    I just overwrote my XP laptop, and wanted to upgrade to IE8 from the standard site offering, MSN. I then got a message that the OS does not support this version of IE.

    Which overlord should I kowtow to? Genuine Microsoft or my friendly Chinese OS support?

  21. Grass Mud Horse

    they are the experts

    Bank of China and China Merchants Bank both allow only IE to access their internet banking services...

    quote from cmbchina.com:

    "Requirements before Application [of a personal internet account]

    * Target Clients: holders of bankcard issued by China Merchants Bank

    * Requirements for PC: personal computers pre-installed with Windows 98 or more updated editions of operational system plus Internet Explorer version 5.0 or higher; with Internet accessing devices."

    A clear sign of their expertise and their security-mindedness. Who would want those pesky Linux using customers anyway?

  22. Don Mitchell

    Risk and Vulnerability

    I think when the smoke clears, Google will still be in China, and this will be seen as mostly them attempting to shift browser share by generating a high profile news story. We will see.

    The risk of using a browser depends on two factors, the intrinsic vulnerability of the program and its security holes, and the probability that hackers will attack it. It's hard to know the first factor objectively, I believe IE is probably the least vulnerable simply because it's been toughened by external attacks and the army of "penetration" engineers that Microsoft hires. The other browsers are relatively untested by this hostile environment, and if you believe they are invulnerable because they are "open source" or "better written", you are fantasizing. However, there is no question that hackers target IE, and that increases the risk of using it. If many users shift to other browsers, at some point that will create a ripe opportunity for hackers to go after programs that are probably squishy soft in comparison to IE.

  23. Eduard Coli
    Joke

    Free money

    Nice to see that all of the US grants going to Chinese nationals attending MIT, etc. are not going to waste.

  24. Gilbo
    Stop

    Please

    Many people here seem to be assuming that Google is one gigantic enormous company and operates a fully managed, top-down network infrastructure. Over a decade they've grown, they've expanded, they've moved into other countries and cultures and they've acquired many other companies. They're absolutely massive.

    To talk of "Google" as a single entity in an operational sense is probably being overly flattering given that behind the scenes I suspect their desktop and domain infrastructure is probably just as bollocks as any other company that's endured a lot of acquisitions. They simply must have, by their very size and nature, many more possible attack vectors than smaller companies.

    This is being spun into the most awesome and innovative hacking attempt of all time to disguise the fact that they've simply been caught with their pants down running out of date or unpatched software. They're one of THIRTY, twenty-nine of which are keeping their mouths shut and taking it on the chin.

  25. wgae
    Thumb Down

    I just wonder why...

    ...so many people believe what they read in the media? Just because Google is saying that Gmail accounts of dissidents were the target, that does not necessarily mean that Gmail accounts of dissidents were the target. And if they say that they "secretly" negotiate with the Chinese government, well, that does not mean anything either. I think Google have been facing a real threat to their IP and are now completely lost as to what to do: stay in China and live with the ubiquitous threat of being spied on, or leave China and the massive growth story behind.

  26. Captain Thyratron
    Coat

    At least they weren't using

    Mosaic for OpenVMS.
