Update: On Tuesday, Microsoft announced plans to release a patch to its Internet Explorer Web browser, but the company has yet to detail when the patch will be released.
The code that was used to hack Gmail accounts in China is now publicly available on the Internet, and security experts are urging computer users throughout the world to be highly vigilant until a patch can be developed.
The hack involves Internet Explorer 6, the browser that came with the Windows XP operating system. While outdated, it still powers millions of business and home computers and is now dangerously compromised.
On Thursday, the code that was used to hack Gmail accounts in China and led Google to threaten to close shop there was posted to malware-analysis Web site Wepawet. By Friday, security site Metasploit had posted a demonstration of just how easily the exploit can be used to gain complete control over a computer.
Metasploit is intended to let security professionals test out security threats.
"Normally these frameworks are designed for the good guys for our assessment. The problem is, it's open source and available to anyone," said Michael Gregg, head of Superior Solutions Inc., a Houston-based cybersecurity consultancy.
"And the scary thing about Metasploit is, anybody can pull this stuff down and anybody can launch it. It's not the skilled hacker working for the government, it's the kid next door."
George Kurtz, CTO of the security firm McAfee, agrees. "The public release of the exploit code increases the possibility of widespread attacks using the Internet Explorer vulnerability," he wrote late last week. "This attack is especially deadly on older systems that are running XP and Internet Explorer 6."
Hacks based on this security flaw led Google to threaten to drop its www.google.cn Web site and leave China last week. The Internet behemoth believes these security intrusions are a quest not just for political knowledge but also for intellectual property. Experts warn that as many as 30 other companies have been hacked, ranging from software firms like Adobe and Juniper Networks to Northrop Grumman -- a major U.S. defense contractor and manufacturer of nuclear-powered aircraft carriers and the Global Hawk unmanned drone.
Microsoft has yet to patch the hole in IE 6, a flaw so serious it's prompted the German government to suggest citizens avoid IE. Microsoft has posted a security advisory detailing the problem, and urging users to upgrade to newer browsers.
Microsoft's next scheduled security update is Feb. 9 -- so unless the company expedites an "out of cycle" security patch, more than three weeks will elapse before this vulnerability is fixed. On Tuesday, Microsoft announced plans for just such a patch, though the company has yet to detail when the patch will arrive. Until then, security experts urge vigilance, and not just for government agencies and huge businesses like Google.
"This is something that affects businesses in the U.S. as well as individuals. The Internet knows no borders," Gregg warned.
Gregg said that years ago, software companies had months to solve a security flaw after it was uncovered. Today, it's hours. Protecting yourself and your business is substantially harder today than it was in years past, too, due both to the accelerated pace of these exploits and also to hackers' reliance on social engineering, where an individual is tricked into providing confidential information.
Gregg calls it spearphishing: "They target the user with an e-mail that would appeal to them, one that leads to a site that launches malicious code onto your system." And the IE 6 exploit makes it particularly easy to slip that code onto your computer.
Staying on top of current security patches, using firewalls, updating Web browsers and running intrusion detection software are the first part of staying safe. But since most attacks rely upon spearphishing or some similar end-user exploit, Gregg suggests a training program that would warn users that if an e-mail link looks too good to be true, it probably is -- don't click on it.