
Windows and Internet Explorer: all versions compromised

Microsoft leaves the door open

A widespread but highly targeted cyber-attack shows that all versions of Windows can be compromised by a determined hacker - right now.

The consensus is that the attack came from Chinese-sponsored agents, using every trick they could to hack specific, profiled targets. These weren't your usual criminals aiming the daily blind scattergun at a huge swathe of Windows users, hoping to find those without anti-virus software, or running unpatched and outdated versions of Windows.

No, they pointed their laser sights at selected Western technology company staff, who were more likely running fully-patched versions of Windows and Internet Explorer. And, it's fair to suggest, with their corporate PCs fully equipped with modern anti-virus software.

And yet still they got in.

We'll leave aside the question of how Google got hacked, with its staff using Internet Explorer, when the online ad agency is pushing its own web browser promising good security.

The hackers used a combination of social engineering - for example, spoofing an email to appear to come from a trusted colleague - along with zero-day vulnerabilities in all versions of Microsoft's swiss-cheese browsing device, otherwise known as Internet Explorer.

'Zero-day vulnerability' is of course a euphemism for 'a barn-sized security hole in the software to which the maker is entirely oblivious'. The software maker's screw-up is discovered by a would-be intruder, who uses it to walk in and effectively own the computer.

The suggestion is that this particular attack was industrial espionage, with the aim of stealing corporate technology secrets - all without the target ever being aware that their PC was leaking its juicy contents to a distant spy.

Microsoft is advising its long-suffering customers to update their software, switch on data execution prevention (DEP), and run IE in protected mode.

But according to McAfee, the back door is exploitable, right now, on all versions of Internet Explorer and all versions of Windows.

Including shiny new Microsoft Windows 7.

More useful advice for protection

Microsoft's advice recalls a certain strategy suggested for when danger approaches...

"Are you serious, sir?" said the barman in a small whisper which had the effect of silencing the pub. "You think the world's going to end?"

"Yes," said Ford.

"But, this afternoon?"

Ford had recovered himself. He was at his flippest.

"Yes," he said gaily, "in less than two minutes I would estimate."

The man sitting next to Ford was a bit sozzled by now. His eyes waved their way up to Ford.

"I thought," he said, "that if the world was going to end we were meant to lie down or put a paper bag over our head or something."

"If you like, yes," said Ford.

"That's what they told us in the army," said the man, and his eyes began the long trek back down to his whisky.

"Will that help?" asked the barman.

"No," said Ford and gave him a friendly smile.

-Douglas Adams, The Hitchhiker's Guide to the Galaxy.

And McAfee and other security software peddlers needn't be so pious. We don't know what AV software the wounded companies had in place, but it hardly matters since anti-virus programs can be helpless against zero-day vulnerabilities in dodgy browsers.
