“We believe this attack is a watershed moment.” “We’ve never seen this level of sophistication on attacks targeting commercial companies that aren’t affiliated with a government or the defense industrial base.” – Dmitri Alperovitch, vice president of threat research at McAfee
I think that we may be approaching a time in which THE TRUE COSTS of using the hardware or software of any vendor will become public knowledge. There are COSTS associated with all of our choices in business. In the past, high-tech companies and others, like banks, have been able to hide embarrassing viral infections or security breaches by denying that they ever occurred or by sweeping the incident “under the rug” of internal secrecy. Only the very worst incidents that could not be concealed made it to the “press.”
“Internet Explorer was one of the vectors” used in the attacks that Google disclosed earlier this week, Microsoft said in a statement. “To date, Microsoft has not seen widespread customer impact, rather only targeted and limited attacks exploiting IE 6,” the statement said.
The vulnerability affects Internet Explorer 6, IE 7, and IE 8 on Windows 7, Vista, Windows XP, Server 2003, Server 2008 R2, as well as IE 6 Service Pack 1 on Windows 2000 Service Pack 4, Microsoft said in an advisory on Thursday afternoon.
Yes, I admit it, having my own business means that I no longer have to use ANY of these products above (and I DON’T), as I did when I worked in high tech in Silicon Valley, and was forced to, by (sometimes well-meaning, but otherwise technologically unsophisticated) management. If you have your own business and you STILL work for an idiot, it is a totally different problem. The term “vectors” has a special meaning for folks like me with advanced degrees in microbiology. This may be one of the examples of “art” (software engineering) imitating “life,” rather than the other way around!
The CNET article reveals the scope of the recent attack on Google and others. Chinese human rights activists were only SOME of the actual targets. CNET provides a link to another MUST READ article by Ms. Mills, and further states that:
“Source code was stolen from some of the more than 30 Silicon Valley companies targeted in the attack, sources said. Adobe has confirmed that it was targeted by an attack, and sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman, and Dow Chemical also were targets.”
It becomes a lot less concealable, and MUCH less “honorable”, to “bury” information about an attack on U.S. firms that originates in a foreign country. And software defects in our product choices become vehicles by which intellectual property (source code) can be (and was) stolen….
CNET provided important details from Microsoft on the nature of this particular software defect and ways to “mitigate” the attacks:
“Microsoft said the vulnerability in IE exists as an invalid pointer reference and that it could allow an attacker to take control of a computer if the target were duped into clicking on a link in an e-mail or an instant message that led to a Web site hosting malware. “It could also be possible to display specially crafted Web content using banner advertisements or other methods to deliver Web content to affected systems,” Microsoft said in the statement.
Keeping the IE Internet zone security setting on “high” will protect users from the vulnerability by prompting before running ActiveX Controls and Active Scripting, Microsoft said. Customers should also enable Data Execution Prevention (DEP), which helps mitigate online attacks, the company said. DEP is enabled by default in IE 8 but must be manually turned on in earlier versions.”
Ah, there go those “ActiveX Controls” again! Have they actually been a major problem for their entire existence?
McAfee CTO, George Kurtz, wrote about the vulnerability earlier today in a blog post:
“As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property,” Kurtz wrote. “These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer.”
Dmitri Alperovitch, vice president of threat research at McAfee, observed that:
“The attack was notable for its level of sophistication, using obfuscation techniques not typically seen in attacks on corporations, he said. It dropped about 10 different malicious files with different capabilities that were used at different stages of the infection and used crypto and other techniques to avoid detection, he added.”
Please read both excellent articles by Elinor Mills of CNET for further details of this ground-breaking attack that occurred over the holidays, when many companies had fewer staff on hand.
It seems pretty obvious to me that the days in which companies hid problems with their hardware and software choices (or denied them) are coming to an end. Such concealment and denial are no longer in the interests of our nation, or of the companies themselves.
(Note added on January 15, 2010: The exploit code for this attack has been released on the Internet, and the German federal security agency issued a statement today urging its citizens to use an alternative browser to IE until a patch arrives. [Yeah, the Germans are pretty smart.] (Note added January 19, 2010: The French, too…!) Meanwhile, the U.S. government, while NOT urging anything so sensible, plans to ask China for a formal explanation of the cyberattacks against Google and other U.S. companies. CNET’s Elinor Mills has a video on the subject of the attacks.)
(Update added January 23, 2010: Microsoft released a “cumulative critical” patch for the “Google attack” flaw in IE, along with seven other “holes” in IE.)
(Note added January 16, 2010: You can download a version of Firefox [Mac or PC] in an International edition that “speaks your language” here. You can download a version of Safari for Mac or PC here. I use both, on Mac [of course!], at the same time. Most of my visitors on PC use Firefox. [Not an endorsement….])
©2010 William F. Hackett. All Rights Reserved.