Operation Aurora: Patch available, new evidence of China connection

Microsoft has responded very quickly, turning around a patch for the 0-day exploit in Internet Explorer in approximately one week. This is impressive, as something as complicated as Windows, with all of its language variants, service packs, etc., is a very large QA effort. I recommend downloading and applying the fix as soon as possible.

Screenshot of Windows Update MS010-002

Joe Stewart at SecureWorks recently published some intriguing research into the ties back to China. In his blog article “Operation Aurora: Clues in the code”, Joe notes some interesting CRC checksumming techniques used in the Aurora code.

The only reference published that ever refers to an algorithm that works the way this one does is from a Chinese research paper, published in Chinese, and almost all Google references to similar code are also Chinese.

This of course does not prove that it is a state-sponsored piece of malware, yet it does strongly suggest that the author of the code is Chinese, or at least is able to read Chinese very well. It will likely be many months before all the details behind Google’s bold statements are known, but Joe’s research certainly gives Google’s accusations a stronger standing.


Today almost feels like patch Thursday. In addition to the Microsoft IE patch, Adobe Systems has released a patch for its Shockwave player today. My advice on this one is to re-evaluate whether you truly need Shockwave deployed on your computers.

One of the most effective strategies for keeping control of your environment is to reduce the threat surface: run the smallest number and variety of applications and versions, which simplifies both patching and security.

Shockwave has not been commonly used on the web for several years, with nearly all interactive sites moving to a purely Adobe Flash environment. If you do not have applications that require Shockwave, the best answer is to remove it rather than patch it.


Mozilla also announced today the official release of Firefox 3.6. It has been jokingly called the proper way to patch for the IE vulnerability by several people on Twitter. While I use Firefox, Chrome, and Internet Explorer, central management and patching should be a serious factor in your decision of which browsers to deploy and support.

Like my comments on Shockwave, if you deploy Firefox you should have a plan for how you will monitor your endpoints and ensure you can deploy security updates. In 2009, there were more individual patches for Firefox than IE, so be aware of the potential maintenance burden.
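Both pieces of advice above, removing Shockwave where nothing needs it and knowing what browser versions sit on your endpoints before you commit to patching them, start with an inventory. The script below is an added example, not code from the original post or from any of the vendors mentioned: it reads the standard Uninstall registry keys on one Windows machine, reports any Shockwave or Firefox install with its version and the vendor's own uninstaller command, and adds the Internet Explorer version from its registry key. The product-name patterns and the remediation text in the watch list are assumptions to adjust to your own inventory.

```powershell
# Added example, not code from the original post: inventory the software the
# post discusses (Shockwave, Firefox, Internet Explorer) on one Windows endpoint
# so you can decide what to remove and what to track for patching.
# Assumptions: product names are matched against the DisplayName value that
# installers write under the standard Uninstall keys, and the IE version is read
# from the Version value under HKLM:\SOFTWARE\Microsoft\Internet Explorer.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs
)

# Every installed product that registered a display name; absent keys are skipped
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, UninstallString

# What the post recommends for each product (assumed wording, edit to taste)
$watchList = @{
    'Shockwave' = 'remove unless an application requires it'
    'Firefox'   = 'keep only with a monitoring and update plan'
}

$report = @(foreach ($pattern in $watchList.Keys) {
    $found = $installed | Where-Object { $_.DisplayName -like "*$pattern*" }
    if (-not $found) {
        [pscustomobject]@{
            Product = $pattern; Version = '-'; Status = 'not installed'
            Action = 'nothing to do'; UninstallString = '-'
        }
    } else {
        foreach ($p in $found) {
            [pscustomobject]@{
                Product = $p.DisplayName; Version = $p.DisplayVersion; Status = 'installed'
                Action = $watchList[$pattern]; UninstallString = $p.UninstallString
            }
        }
    }
})

# Internet Explorer is a Windows component, so its version lives in its own key
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Product = 'Internet Explorer'; Version = $ie.Version; Status = 'installed'
    Action = 'apply the IE cumulative update through Windows Update'; UninstallString = '-'
}

# Summary table; UninstallString is kept on the objects for scripted removal later
$report | Format-Table Product, Version, Status, Action -AutoSize
```

Run it in an elevated PowerShell session so the HKLM hives are readable. The UninstallString column carries the vendor's own uninstaller command for each Shockwave entry, which is what you would invoke (after confirming no application depends on it) rather than deleting files by hand. To cover a fleet, run the same logic through Invoke-Command or your endpoint management tool and collect the objects centrally; the point of the Firefox rows is to have that central view before you decide to support the browser, not after.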