IE 6 Exploit

22nd January 2010

I'm sure most of you saw the warnings about an exploit in Internet Explorer earlier this year, which led both Germany and France to advise web users to switch to an alternative browser. The good news is that this exploit probably didn't affect most people. The bad news is that it could have.

This attack combined two different vectors: the first preys on users' trust and their ignorance of what they are doing, and the second is a bug in Microsoft's Internet Explorer. The attackers used a technique known as 'spear phishing', a highly targeted attack that leads chosen users to a compromised website which, once visited, commences the second stage of the attack. Victims are normally chosen because of their access to privileged electronic information, such as bank account details or commercially or politically sensitive documents.

The second stage of this attack was, to put it bluntly, Microsoft's fault. After the attack it emerged that Internet Explorer contained a programming error which allowed an attacker to inject their own code into the computer's memory and then run it. The error was a memory-safety bug: the code did not make sure that it only touched the memory it was supposed to use, so attacker-supplied data could reach memory holding critical bits of information, such as the addresses the program uses to decide what to run next.

Protection against this kind of exploit comes in two forms: the first concerns the way things are programmed, and the second the way users behave.

Firstly, programmers can use what is termed a managed language. Here the runtime, rather than the programmer, checks that the program only uses the memory it is supposed to, and if an access goes out of bounds it stops the program with an error before the stray access can do anything evil. It is not a complete answer, because the runtime itself and the browser it runs in are still native code, but it removes a whole class of bugs from application code. Fortunately this is the easy part, and at Xibis we always prefer to use managed languages wherever possible.
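To make the two paragraphs above concrete, here is an added example (not code from the original post, and nothing to do with Internet Explorer's actual code) that models the unchecked memory access in a few lines of C. A record is a flat 16-byte region: the first 8 bytes hold a name and the byte after them is a privilege flag. The flawed setter copies whatever length it is given; the fixed one refuses anything that does not fit. The record layout, the helper names and the attacker input are all assumptions constructed for the example.

```c
/* Added example, not from the original post or from Internet Explorer:
 * a toy model of an unchecked memory write. The "record" layout below and
 * the attacker's input are assumptions constructed for the example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN   8            /* bytes 0..7 of a record hold the name */
#define FLAG_OFF   NAME_LEN     /* byte 8 is a privilege flag the name code must never touch */
#define RECORD_LEN 16

/* The flaw: copies len bytes without checking that they fit in the name slot,
 * so a long name spills over into the neighbouring flag byte. */
static void unchecked_set_name(unsigned char *record, const unsigned char *name, size_t len)
{
    memcpy(record, name, len);
}

/* The fix: refuse anything that does not fit. Returns 0 on success, -1 if rejected. */
static int checked_set_name(unsigned char *record, const unsigned char *name, size_t len)
{
    if (len > NAME_LEN)
        return -1;
    memset(record, 0, NAME_LEN);
    memcpy(record, name, len);
    return 0;
}

/* Feeds the first len bytes of a constructed attacker name through one of the
 * setters on a fresh record and returns the privilege flag afterwards
 * (0 = not privileged). len is capped at the 9 bytes of attacker input. */
static int flag_after_set_name(int use_check, size_t len)
{
    /* Constructed attacker input: 8 filler bytes plus one byte aimed at the flag. */
    static const unsigned char evil[NAME_LEN + 1] =
        { 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 0x01 };
    unsigned char record[RECORD_LEN] = { 0 };   /* flag starts at 0 */

    if (len > sizeof evil)
        len = sizeof evil;
    if (use_check)
        checked_set_name(record, evil, len);    /* a 9-byte name is rejected, record untouched */
    else
        unchecked_set_name(record, evil, len);  /* a 9-byte name overwrites the flag */
    return record[FLAG_OFF];
}

int main(void)
{
    printf("unchecked, 9-byte name: flag=%d\n", flag_after_set_name(0, 9));
    printf("checked,   9-byte name: flag=%d\n", flag_after_set_name(1, 9));
    printf("checked,   8-byte name: flag=%d\n", flag_after_set_name(1, 8));
    return 0;
}
```

Compile with any C99 compiler and run: the unchecked call reports flag=1, the checked calls report flag=0. A managed language would not let you write unchecked_set_name at all; the runtime's bounds check on the array access would throw and stop the program, which is exactly the behaviour described above.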

The next form of protection is easy to say but hard to implement: user education. This particular exploit used a phishing attack which lured the user into the trap by making them believe it was safe. So make sure the web site you're about to visit really is www.bbc.co.uk and not www.bbc.co.uk.evil.com, and make sure an email you received unexpectedly really came from the sender it claims to be from.
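The domain trick in the paragraph above can be checked mechanically. The following is an added example, not code from the original post: it pulls the host out of a URL and asks whether that host is the expected site or a subdomain of it, so www.bbc.co.uk.evil.com is rejected. It also covers the related trick of putting the trusted name before an @ so that the real host is evil.com. The BBC names are the article's; the other URLs and the helper names are constructed for the example.

```c
/* Added example, not from the original post: decide whether a URL really
 * points at a trusted site. The site names come from the article; the other
 * URLs and the helper names are constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 256

/* Copy the host part of url into host, lower-cased. Skips "scheme://",
 * drops any "user@" prefix (so http://www.bbc.co.uk@evil.com yields evil.com),
 * drops ":port", and stops at '/', '?' or '#'.
 * Returns 0 on success, -1 if there is no usable host. */
static int url_host(const char *url, char *host, size_t host_len)
{
    const char *p = strstr(url, "://");
    const char *end;
    size_t n, i;

    p = p ? p + 3 : url;                 /* authority starts after the scheme */
    end = p + strcspn(p, "/?#");         /* ... and ends at path, query or fragment */
    for (const char *q = p; q < end; q++)
        if (*q == '@')                   /* everything before the last '@' is userinfo */
            p = q + 1;
    n = (size_t)(end - p);
    for (i = 0; i < n; i++)
        if (p[i] == ':') {               /* strip a port */
            n = i;
            break;
        }
    if (n == 0 || n >= host_len)
        return -1;
    for (i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';
    return 0;
}

/* 1 if host is exactly site or a subdomain of it. The match must be bounded
 * by a dot, so "notbbc.co.uk" does not match "bbc.co.uk". Both lower-case. */
static int host_is_under(const char *host, const char *site)
{
    size_t h = strlen(host), s = strlen(site);

    if (h < s || strcmp(host + (h - s), site) != 0)
        return 0;
    return h == s || host[h - s - 1] == '.';
}

/* 1 if url points at site (or a subdomain of it), 0 otherwise. */
static int url_is_site(const char *url, const char *site)
{
    char host[HOST_MAX];

    if (url_host(url, host, sizeof host) != 0)
        return 0;
    return host_is_under(host, site);
}

int main(void)
{
    /* Constructed URLs: bbc.co.uk is the article's example, the rest are made up. */
    const char *urls[] = {
        "http://www.bbc.co.uk/news",
        "https://news.bbc.co.uk/",
        "http://WWW.BBC.CO.UK:80/?ref=x",
        "http://www.bbc.co.uk.evil.com/login",
        "http://www.bbc.co.uk@evil.com/",
        "http://evil.com/www.bbc.co.uk",
        "http://notbbc.co.uk/",
    };
    size_t i;

    for (i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-38s %s\n", urls[i],
               url_is_site(urls[i], "bbc.co.uk") ? "is bbc.co.uk" : "is NOT bbc.co.uk");
    return 0;
}
```

The rule the code encodes is that a hostname is owned by whoever controls its right-hand end; a trusted name appearing further left, in the path, or before an @ proves nothing. It deliberately does not handle IPv6 literals in square brackets or internationalised names that merely look like a trusted one; those need a proper URL parser and a homograph check.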

Fortunately modern browsers can also help by attempting to detect when a site is being used for phishing. However, the key word in that sentence is modern! If you're using IE 6 then have a look at upgrading to Internet Explorer 8, Mozilla Firefox or Google Chrome, all of which come with protection against phishing attacks. Bear in mind that these filters largely rely on lists of sites already reported as phishing, so they are a backstop for the checks above, not a replacement for them.
