Friday, January 15, 2010

Operation Aurora - Enabling DEP in IE

For now, Microsoft recommends enabling the Data Execution Prevention (DEP) feature in IE, and setting Internet security zone security settings to "high" as ways to protect against this attack. DEP, which is a default feature in IE 8, has to be set manually in earlier versions of the browser. A patch could be in the works as well, according to Microsoft.

And the wave of attacks out of China now has a name, too, courtesy of McAfee: Aurora. McAfee researchers, who say they discovered the IE zero-day flaw, believe Aurora was the internal name the attackers gave the operation -- it comes from the name they used for the directory in which their source code resided.

Dan Kaminsky, director of penetration testing for IOActive, who spoke with people familiar with the IE malware sample that was found, says that exploit works only on IE 6 XP, but it could be written to work "reasonably" on IE 7 and IE 8 XP. The flaw itself is a so-called dangling pointer bug, which is typically stopped by the DEP feature in IE, he says. "However, there are known ways around DEP on XP," he says.


Microsoft "Fix it" for Enabling DEP in IE

We have also created an application compatibility database that will enable Data Execution Prevention (DEP) for all versions of Internet Explorer. You do not need this database if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions. This is because Internet Explorer 8 opts-in to DEP by default on these platforms.

No comments:

Post a Comment