Blue Coat Security Advisory Regarding the Aurora Exploit (CVE-2010-0249)
Aurora (also known as Comele and Hydra) is an attack that exploits a memory-corruption vulnerability in Microsoft Internet Explorer (IE): a use-after-free in which the browser dereferences a pointer to an HTML object that has already been freed, allowing an attacker to execute arbitrary code with the same rights as the local user running the browser. An attacker can take control of a vulnerable system by tricking a user into visiting a Web page whose content is crafted to trigger the vulnerability when it is downloaded and rendered by Internet Explorer. Because the attacker's code runs with the browser user's privileges, users who browse as non-administrators limit the damage an attacker can do, but do not prevent the compromise of their own account and data.
Microsoft indicates that the following Internet Explorer/Windows combinations are vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, 7 and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.
This attack initially targeted only specific employees at a relatively small set of companies. The exploit code has since been publicly released, which increases the likelihood of more widespread attacks against this Internet Explorer vulnerability. Such attacks would typically be delivered via a link in an e-mail or instant message, or through a compromised web page.
Microsoft released an out-of-band patch for this vulnerability on Thursday, January 21, 2010, as part of the "Cumulative Security Update for Internet Explorer (978207)". Details were published in "Microsoft Security Bulletin MS10-002 - Critical"; a link to the bulletin is provided at the end of this security advisory.
How Blue Coat products protect customers
Customers are advised to patch and maintain their OS and applications, such as Internet Explorer, to eliminate vulnerabilities as they are identified. But since this is not always possible, Blue Coat takes additional measures to secure our customers.
Blue Coat Labs research staff monitor and analyze WebPulse traffic from five operations centers around the globe on an ongoing basis to identify and respond to web threats. At this time, all known Web sites that use this exploit are categorized as Spyware/Malware Sources or Spyware/Malware Effects, and Web sites suspected of using it are categorized as Suspicious. Blue Coat Security Labs personnel are actively monitoring this threat via the WebPulse collaborative cloud defense, which draws its Web awareness from over 62 million users. WebPulse combines multiple threat-analysis technologies with a hybrid design, so updates or additions to its defenses are immediately available to Web gateway and remote client customers; no updates or patches are required.
Blue Coat will continue to adjust WebPulse and WebFilter categorization as this threat evolves. When a new threat using this exploit is detected by the WebPulse collaborative cloud defense, Blue Coat will update WebPulse and/or the WebFilter URL database as needed to protect all users. This happens within minutes and is automatic for all customers using the WebPulse cloud service.
Blue Coat customers using the optional inline ProxyAV threat detection solution, with a choice of four anti-malware engines, have an added layer of protection that also covers SSL traffic and user-authenticated downloads.
Actions Blue Coat's customers can take to increase protection against Aurora
There are a number of actions that Blue Coat customers can take to increase protection against Aurora and other malware threats. Blue Coat recommends that customers review these recommendations and implement those that apply to their individual situation.
- Enable WebPulse (DRTR) at the ProxySG. This enables Blue Coat to automatically provide customers with updated URL ratings for Aurora and other emerging threats within minutes of being detected by the WebPulse collaborative cloud defense.
- Enable the most frequent WebFilter update checks on the ProxySG. Alongside WebPulse's real-time, on-demand ratings for web gateways and remote clients, the most recent ProxySG versions can check for WebFilter updates every five minutes. Blue Coat recommends enabling this by selecting "Automatically check for updates" in the Blue Coat section of Content Filtering on your ProxySG. This allows cached real-time category ratings to be refreshed; for example, a web site first rated Suspicious may be re-rated as a Malware Source minutes later as research adds more intelligence on the threat.
- Ensure your ProxyAV database and desktop AV products are up to date. Blue Coat's ProxyAV partners and other AV vendors are updating their signature databases to recognize threats using this vulnerability, so it is important to stay current with the latest releases from your vendor(s). ProxyAV can check for updates at intervals from every five minutes to every 30 minutes, depending on your setting.
- Upgrade Internet Explorer. Although Internet Explorer 7 and 8 are also vulnerable to this attack, only Internet Explorer 6 has been targeted to date. In addition, newer versions of Internet Explorer include protections that raise the cost of exploiting this vulnerability, notably Data Execution Prevention (DEP), which Internet Explorer 8 enables by default, and Protected Mode on Windows Vista and later; Microsoft's advisory lists both as mitigating factors.
- Deploy the Internet Explorer patch. Microsoft has released the out-of-band update MS10-002 (KB978207) for this vulnerability; Blue Coat recommends applying it as soon as possible and verifying that it is present on every Windows host that runs Internet Explorer.
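The following PowerShell script is an added example and is not part of this advisory or Blue Coat or Microsoft code. It reports a Windows host's exposure to CVE-2010-0249 by checking three things discussed above: whether the MS10-002 cumulative update (KB978207) is installed, which Internet Explorer version is present, and the operating system's DEP policy. It assumes Windows PowerShell 2.0 or later on a Windows XP/2003/Vista/2008/7 host; the registry path, the `Get-HotFix` cmdlet and the `Win32_OperatingSystem` WMI property are standard Windows ones, while the function name and the status strings are the example's own.

```powershell
# Added example, not Blue Coat or Microsoft code: report this host's exposure to
# CVE-2010-0249 by checking for the MS10-002 update (KB978207), the installed
# Internet Explorer version, and the OS Data Execution Prevention (DEP) policy.
# Assumes Windows PowerShell 2.0+ on Windows XP/2003/Vista/2008/7.

function Get-MS10002Status {
    # KB number under which MS10-002 ships, per the Microsoft bulletin.
    $kb = 'KB978207'

    # Installed IE version is recorded in the registry on these Windows releases.
    $ieKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ieKey) { $ieKey.Version } else { 'unknown' }

    # Get-HotFix queries Win32_QuickFixEngineering; no match means the update is absent.
    $patch = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

    # DEP policy from Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default; IE8 opts in), 3 = OptOut.
    $depPolicy = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depText   = if ($depPolicy -ne $null) { $depNames[[int]$depPolicy] } else { 'unknown' }

    if ($patch) {
        $status = "patched: $kb installed, MS10-002 applied"
    } else {
        $status = "UNPATCHED against CVE-2010-0249: apply MS10-002 ($kb)"
    }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        IEVersion    = $ieVersion
        KB978207     = [bool]$patch
        InstalledOn  = if ($patch) { $patch.InstalledOn } else { $null }
        DEPPolicy    = $depText
        Status       = $status
    }
}

Get-MS10002Status | Format-List
```

Run it locally on a suspect workstation, or wrap the function in `Invoke-Command` against a list of hosts where PowerShell remoting is available, and treat any host reporting `KB978207 : False` as still vulnerable. A DEP policy of `AlwaysOff` (0) disables the mitigation the advisory credits to Internet Explorer 8, so such hosts deserve the patch first.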
The following is a list of resources for tools and documentation that may be helpful.
- Microsoft Security Bulletin MS10-002 - Critical: http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx
- CVE-2010-0249 reference: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249
- Microsoft Security Advisory (979352): http://www.microsoft.com/technet/security/advisory/979352.mspx
- Microsoft Security Response Center (MSRC) announcement of out-of-band update: http://blogs.technet.com/msrc/archive/2010/01/19/security-advisory-97935...
- McAfee Threat Center - Operation Aurora: http://www.mcafee.com/us/threat_center/operation_aurora.html
- Sophos - Operation Aurora: http://www.sophos.com/security/topic/operation-aurora.html