Operation Aurora IE Zero-Day: Attackers in China Exploit a Browser Flaw to Breach Google and Dozens of Other Companies

The same Operation Aurora campaign that breached Google via spear-phishing relied on an Internet Explorer zero-day (CVE-2010-0249) for initial code execution on the victim's machine. The flaw affected IE 6, 7 and 8, but the exploit seen in the wild targeted IE 6, the version most widely deployed in enterprises at the time and the one lacking the mitigations (DEP by default, ASLR on Vista and later) that made later versions far harder to exploit.

Microsoft / Google / 34 companies · 2010 · 2 min read

Background

Internet Explorer 6 was still the dominant enterprise browser in 2009, deployed on hundreds of millions of Windows machines. CVE-2010-0249 is a use-after-free in IE's HTML rendering engine (mshtml.dll): script could keep a reference to a DOM element after the element had been removed and its memory released, and a later access through that stale reference used whatever now occupied the freed memory. By filling the heap with attacker-controlled data (a heap spray) the attacker turned that dangling reference into control of execution. The bug was unknown to Microsoft when the Aurora attackers began using it in December 2009. It enabled drive-by code execution: visiting a malicious page was sufficient to install malware, with no prompt or download dialog.

The Attack

The zero-day was delivered via the link sent to Google employees in China (see Operation Aurora). The link pointed to a website hosting the IE exploit. Once the page loaded, the exploit achieved remote code execution with no further user interaction and installed a backdoor that gave the attackers a foothold inside the corporate network. The same exploit was reported in attacks on other companies targeted by the campaign. Google disclosed the intrusion on January 12, 2010; McAfee identified the IE flaw as the entry vector two days later, and Microsoft acknowledged it in Security Advisory 979352 on January 14 before releasing an emergency out-of-cycle patch.
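To make the bug class concrete, here is an added C model of the vulnerable sequence described in the two paragraphs above (an element reference captured by script, the element freed when it is removed from the tree, the stale reference used later). It is illustrative code written for this page, not IE's mshtml.dll code or the Aurora exploit; the element layout, the `pool` allocator and the value `ATTACKER_MARKER` are assumptions made for the demonstration. A four-slot fixed-size pool stands in for the heap so that reuse of the freed chunk is deterministic, and a refcount-holding event object shows the hardened form.

```c
/* Added example modelling CVE-2010-0249's bug class: a DOM element use-after-free.
 * Names, layout and values are illustrative; nothing here is taken from IE. */
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4

enum { TAG_UNKNOWN = 0, TAG_IMG = 1, ATTACKER_MARKER = 0xBAD };

/* DOM-like element: a "vtable" slot (a function pointer) plus a reference count. */
struct element {
    int refcount;
    int (*get_tag)(const struct element *);
    char tag_name[16];
};

/* Fixed-slot pool standing in for the heap: the lowest free slot is handed out
 * first, so a just-freed chunk is reused by the next same-sized allocation. */
static struct element pool[SLOT_COUNT];
static int pool_is_free[SLOT_COUNT];

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < SLOT_COUNT; i++) pool_is_free[i] = 1;
}

static struct element *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (pool_is_free[i]) { pool_is_free[i] = 0; return &pool[i]; }
    return NULL;
}

static void pool_release(struct element *e) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (&pool[i] == e) pool_is_free[i] = 1;
}

static int real_get_tag(const struct element *e) {
    return strcmp(e->tag_name, "img") == 0 ? TAG_IMG : TAG_UNKNOWN;
}

/* Stand-in for attacker code reached through a sprayed fake object. */
static int attacker_payload(const struct element *e) {
    (void)e;
    return ATTACKER_MARKER;
}

static struct element *element_create(const char *tag) {
    struct element *e = pool_alloc();
    e->refcount = 1;                         /* the DOM tree's own reference */
    e->get_tag = real_get_tag;
    strncpy(e->tag_name, tag, sizeof e->tag_name - 1);
    e->tag_name[sizeof e->tag_name - 1] = '\0';
    return e;
}

static void element_retain(struct element *e)  { e->refcount++; }
static void element_release(struct element *e) { if (--e->refcount == 0) pool_release(e); }

/* Script-visible event object: evt.srcElement is just this raw pointer. */
struct event { struct element *src_element; };

/* Heap-spray step: once the node is freed, page script allocates same-sized
 * objects whose "vtable" field points at attacker code, reclaiming the slot. */
static void attacker_reclaims_freed_memory(void) {
    struct element *fake = pool_alloc();
    if (fake == NULL) return;
    memset(fake, 0, sizeof *fake);
    fake->get_tag = attacker_payload;
}

/* Vulnerable flow: the onload handler stashes evt.srcElement, script removes
 * the node (the tree drops its only reference, so the element is freed), and a
 * later timer callback dereferences the stale pointer, now aimed at the fake. */
int vulnerable_flow(void) {
    pool_reset();
    struct element *img = element_create("img");
    struct event evt = { img };              /* handler: saved = evt.srcElement  */
    element_release(img);                    /* span.innerHTML = "": node freed   */
    attacker_reclaims_freed_memory();        /* same slot handed out again        */
    return evt.src_element->get_tag(evt.src_element);   /* stale pointer used */
}

/* Hardened flow: the event holds its own reference, so detaching the node from
 * the tree cannot free it while script can still reach it. */
int hardened_flow(void) {
    pool_reset();
    struct element *img = element_create("img");
    struct event evt = { img };
    element_retain(evt.src_element);         /* refcount 1 -> 2                   */
    element_release(img);                    /* tree detaches: 2 -> 1, still live */
    attacker_reclaims_freed_memory();        /* lands in a different slot         */
    int tag = evt.src_element->get_tag(evt.src_element);
    element_release(evt.src_element);        /* event discarded: 1 -> 0, freed    */
    return tag;
}

int main(void) {
    int v = vulnerable_flow();
    printf("vulnerable flow: get_tag returned 0x%x (%s)\n", v,
           v == ATTACKER_MARKER ? "attacker code ran" : "no hijack");
    int h = hardened_flow();
    printf("hardened flow:   get_tag returned %d (%s)\n", h,
           h == TAG_IMG ? "real element" : "unexpected");
    return 0;
}
```

The point of the model is the ordering, not the pool: the handler's copy of the pointer outlives the object because nothing it holds counts as a reference, and the attacker only needs to allocate same-sized objects between the free and the later use. That is also why DEP and ASLR matter here: in the real browser the sprayed "vtable" has to be a guessable address of executable memory, which IE 6 on XP gave the attacker and IE 8 on Vista/7 largely did not.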

Response

Microsoft released an out-of-band patch for CVE-2010-0249 (bulletin MS10-002) on January 21, 2010, a week after its advisory and well ahead of the next scheduled Patch Tuesday. Germany's BSI and France's CERTA issued advisories recommending that users switch to another browser until a fix was available. Microsoft's interim advice was to upgrade to IE 8, which had shipped in 2009 and enables DEP by default, and to keep Protected Mode enabled on Vista and Windows 7, since both make the flaw far harder to exploit.

Outcome

The Aurora zero-day, and the government advisories that followed it, added to the pressure on organisations already moving off IE 6 toward Firefox, Chrome and newer IE releases. The combination of targeted phishing with a browser zero-day showed that a single link from a trusted-looking sender could be enough to compromise a workstation inside any target, with no exploit of the target's servers required.

Key Takeaways

  1. Browsers must be kept current: an old browser without DEP, ASLR or a sandbox is the softest target for memory-corruption bugs such as use-after-free, and those bug classes are well understood by attackers
  2. A single clicked link can be sufficient for full workstation compromise when a zero-day is involved; user training does not substitute for exploit mitigations
  3. Browser diversity in enterprise environments reduces the blast radius of a zero-day in any one browser
  4. Emergency out-of-cycle patches should be applied immediately; do not wait for the next scheduled patch cycle
Tags: Aurora · IE6 · use-after-free · browser zero-day · drive-by exploit