Microsoft first knew of the bug used in the infamous Operation Aurora IE
exploits as long ago as August, four months before the vulnerability was used in
exploits against Google and other hi-tech firms in December, it has emerged.
Redmond’s security gnomes finally got around to patching the exploit on
Thursday. Microsoft’s advisory accompanying its cumulative update for IE
credited Meron Sellem of Israeli firm BugSec for reporting the HTML Object
Memory Corruption Vulnerability (CVE-2010-0249), the zero-day vulnerability used
in the now infamous attacks.
BugSec’s bulletin states that it reported the bug to the software giant on 26
August. The bug affected IE 6, IE 7 and IE 8 (the latest version), but the hack
attacks against Google et al targeted IE 6, a browser first released in 2001.
Exploits involved tricking users of vulnerable browsers into visiting
booby-trapped websites. These sites downloaded the Hydraq backdoor Trojan and
other malicious components onto compromised PCs.