Blue Coat Security Advisory Regarding the Aurora Exploit (CVE-2010-0249)
Aurora (also known as Comele and Hydra) is an attack that exploits a Microsoft Internet Explorer (IE) vulnerability to cause a buffer overflow and then gain control of the user's computer with the same user rights as the local user running the browser. An attacker could gain control of a vulnerable system using this exploit by tricking a user into visiting a Web page whose content is crafted to trigger the vulnerability when it is downloaded and processed by Internet Explorer.
Microsoft indicates that the following Internet Explorer/Windows combinations are vulnerable: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
This attack initially targeted only specific employees at a relatively small set of companies. The exploit code has now been publicly released, which increases the possibility of more widespread "public" attacks exploiting this Internet Explorer vulnerability. It is anticipated that these attacks would typically be done via a link in an email, in an instant messenger message, or on a compromised web page.
Microsoft released a special patch for this vulnerability on Thursday, January 21st as part of a "Cumulative Security Update for Internet Explorer (978207)". Details were made available through "Microsoft Security Bulletin MS10-002 - Critical". A link to the bulletin is available at the end of this security advisory.
How Blue Coat products protect customers
Customers are advised to patch and maintain their OS and applications, such as Internet Explorer, to eliminate vulnerabilities as they are identified. But since this is not always possible, Blue Coat takes additional measures to secure our customers.
Blue Coat Labs research staff monitor and analyze WebPulse traffic from five operations centers around the globe on an ongoing basis to identify and respond to web threats. At this time, all known Web sites that utilize this exploit are categorized as Spyware/Malware Sources or Spyware/Malware Effects; Web sites that are suspected of utilizing this exploit are categorized as Suspicious. Personnel in Blue Coat Security Labs are actively monitoring this threat via the WebPulse collaborative cloud defense, whose Web awareness comes from uniting over 62 million users. WebPulse uses multiple threat analysis technologies and the advantage of a hybrid design so that updates or additions to WebPulse defenses are immediately available to Web gateway and remote client customers - no updates or patches are required.
Blue Coat will continue to make WebPulse and WebFilter categorization adjustments to respond to this vulnerability as it evolves. When and if a new threat using this exploit is detected by the WebPulse collaborative cloud defense, Blue Coat will update WebPulse and/or the WebFilter URL database as needed to immediately protect all users. This process happens in a matter of minutes and is automatic for all customers utilizing the WebPulse cloud service.
Blue Coat customers using the optional inline ProxyAV threat detection solution with a choice of four anti-malware engines have an added layer of protection for SSL traffic and user authenticated downloads.
Actions Blue Coat's customers can take to increase protection against Aurora
There are a number of actions that Blue Coat customers can take to increase protection against Aurora and other malware threats. Blue Coat recommends that customers review these recommendations and implement those that apply to their individual situation.
The following is a list of resources for tools and documentation that may be helpful.