Slashdot Mirror
IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
This is unheard of!
"The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
Or a firewall.
Clearly instead of (or at least as well as) pulling out of China, Google should stop supporting MSIE.
And declare cyber-war on Microsoft. :P
How exactly would a firewall prevent an IE exploit? Maybe a good one would recognize known exploits, but this clearly wasn't known.
Using Firefox would have prevented it and still spared the needless expense of fashionable but mediocre and overpriced hardware for basic office minion tasks.
"Common sense will be the death of us all"
If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.
So IE is partially to blame, but you can't just say that this is MS's fault.
Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.
From an earlier /. article: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars
From the article in this post: The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks .
I love the "probably"
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
Looks like the Chinese are doing a better job of trying to "fucking kill Google" than Ballmer can with their own software!
Some firewall software, such as ZoneAlarm, monitors outgoing connections being made unexpectedly by individual processes running on the host machine, in this case, likely the malware that was installed via the exploit in the first place.
I hear the Chinese have one of those...
"Common sense will be the death of us all"
I am shocked that the "Senior tech leaders" are running IE...I thought only nubs ran that browser. It is their own fault. They should have known better. Not that FF or Chrome etc are impenetrable, but at least your chances of "Something Bad Happening" are less than 100%.
This is a reply to a -1 Redundant post about how using a Mac could have prevented this, but there's a critical known flaw for Mac, iPhone, Apple TV, etc. that hasn't been fixed for seven months now...
From the McAfee writeup: "So far the attacks we've seen using this vector have been focused on Internet Explorer 6." The stupid but obvious question: why are people at these companies using IE6?
I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.
I've heard that PDFs were used, and that's the one that sounds the most logical. Whenever I've seen attacks against my network from the Chinese, it's always been in the form of malicious spear-phished PDFs.
Whatever they actually used against Google, there's not one easy solution. You can't just say that they should have used Firefox, because then the attackers would have exploited some random Firefox add-on that some people were using. I'm sure Google employees use every browser out there throughout the company. Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all.
Seriously - makes no sense.
Do you have ESP?
Firefox breaks on some of the things I've had to work with. Just having it installed can cause them to not work correctly also.
-]Phreak Out[-
lame software for travel expense reporting
other lame software for time cards
All vendors of such products are evil scum in need of torture.
An obvious solution is available for people nerdy enough to handle the concept of a virtual machine. VMWare player is even free, though the XP license is not. Getting non-nerds to deal with a VM is impossible.
"Personal firewalls" are utter bullshit that can be trivially bypassed by malware. I can, to give but one of many examples, inject a DLL into Internet Explorer and do all my network communication through that.
Sadly, microsoft doesn't seem to have anything you can do to fix this.
http://www.microsoft.com/technet/security/advisory/979352.mspx
It's seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reducing the damage done after IE runs the malicious code on your system.
What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.
'0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.
I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers) or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this. Did the attackers spend months building a strong level of trust with the people at these companies or did someone click an on E-card?
Or any other browser. Like, for example, Chrome.
please give an example of something that breaks with firefox simply installed. on any OS.
IE shows no sign of vanishing from the corporate landscape
I work at a big company that takes an enormous number of precautions to secure and protect the confidential information of millions of people. And we still use IE6 with no sign of changing any time soon.
Some firewalls do inline malware checking
Maybe for the same reason that Slashdot uses a 3Dified version of the IE5 logo as an icon for Internet Explorer?... and this on a website where people bitch endlessly about IE6, let alone something even more ancient...
They did it for the lulz.
Do what thou wilt shall be the whole of the Law
Does the fact that Mozilla has patched Fx mean that I am compromised using any browser but Fx on my mac? How about Chrome?
I am just about to buy a new laptop and I think this just convinced me to go Linux.
I though browser vulnerabilities were supposed to be damaging to the person using the browser, not the other way around. If a "flaw" in a browser allows one to hack a site, I consider that a feature, not a vulnerability. Sounds like the flaw is in the server, not the browser.
E-ink, mayyybe.
you mean mac's??
If you mod me down, I will become more powerful than you can imagine....
Firefox has had multiple remote code vulnerabilities. As has Safari. As has Opera. Yawn.. No single piece of software is going to prevent targeted attacks. Sorry OSS cheerleaders, its true.
What I want to know is.. How the fuck did they get Google employees to click on random links in an email?!
And that approach is often handy; you can piggyback on the proxy settings already configured in IE.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
Some firewalls also download information from the future about 0Days.
Make no mistake, China is agressively attacking foreign systems and common software. They are stockpiling these zero-day exploits as potential weapons. They use one until it's discovered and patched, then wait until they have another high priority and then unwrap the next one.
When you see Symantec or Microsoft reporting an "undisclosed source" on new vulnerabilities, it's usually our own government that reported it after investigating a compromise. It's damn scary just how far the Chinese have wormed into the US corporate and military systems. For now they are content to quietly steal data and technology, but we're in deep shit if China decides to turn malicious. They have the power to level the US financial systems, military supply lines, utilities, etc which would quickly ruin the US. The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.
Inquiring minds want to know....
Arciemowicz said the vulnerability could be remotely exploited using booby-trapped PHP code on a website, among other methods.
What? How would 'booby-trapped PHP code' on a website crash a machine? PHP is executed on the server, not on the client. If it can be exploited with JavaScript and HTML, I'd be interested in seeing an example of that -- as opposed to a C program... yeah, okay, an exploit, but I'd have to, oh, run a program I don't trust, which is always a security flaw...
Yeah cause as a web company I bet google only runs Windows. Are you that thick?
Do you think google got compromised by an IE 0day? I doubt that. it was likely one of the many MANY other buggy pieces of code that everyone has installed all over their companies. Remember every year people spend their firefox 0day and pwn to own lust like they spend their IE and Safari 0day, which means browser bugs are typically worh less than 2k, which is on the low end of the vulnerability market.
Internal sandboxes don't protect you from having the compromised instance of IE being used to log passwords and steal other local information, nor does it prevent the compromised instance of IE from being a botnet node during the current session. Also, since IE still has to save files, load and execute programs, and so on, the strongest sandbox they can create is a leaky condom.
And security is like sex, once you're penetrated you're f***ed.
Hmm, I wonder why the spammers aren't trying to attack Google? (or maybe we just dont know?)
If they could get into Google's codebase and find a way around anti-spam measures, that would mean tons of cash for them.
Because according to Microsoft, system vulnerability is determined by the following formula:
Vulnerability = (time of patch - time of discovery) * number of exploits.
Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?
For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.
It always seemed obvious to me, but apparently not to others, that risk should be calculated using not on the time of discovery and publication, but rather, upon the ship date of the software. (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability.
I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.
The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.
For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.
The society for a thought-free internet welcomes you.
Umm. yeah, the problem is that you can't (easily) uninstall IE.. and Acrobat Reader can be convinced to embed it.
How we know is more important than what we know.
It's not a flaw but the built-in back door promised by MS to the gov't.
The purpose of writing is to inflate weak ideas, obscure poor reasoning, and inhibit clarity....Calvin
If the Chinese dare do it quasi-officially, I dare not think about the amount of corporate espionage that uses the same tools.
The Cloud - because you don't care if your apps and data are up in the air.
... web sites continue to not warn their IE users about the security vulnerabilities in the clients those users are running. They could warn those users each time they visit with IE. But they don't. It's time the webmasters of the world start to do something about the problem and put a big full page notice in front of all IE based visitors warning them about the troubles with IE and urging them to switch to a safer browser (and give some links, too).
now we need to go OSS in diesel cars
There's not really a good way around it. The problem is that for real security separation, you are going to have a lot of "Can I have permission to do this?" type requests. That's the only way it works properly. If you implement ways around it, then other programs can make use of that. A good example would be the solution some Linux distros take to sudo/root type stuff. If you are configuring things, you often get asked a lot to escalate and people get mad about it. So instead, when you escalate, they cache your credentials for 10 minutes and auto escalate as needed. Nice and easy... Except that removed an amount of security provided by having different account levels. Now an evil program can run as a normal user, which doesn't pop up a warning and just wait in the background, then when something else escalates, it uses that to get in.
There's also the problem that there's no way to differentiate good from evil programs. So if you design your system to only ask on potentially dangerous things, well it'll still get ignored because legit programs will need it. You say "Ok we are only asking for things that modify system files." However they then get asked for device drivers, DirectX updates, and so on.
Unfortunately I don't know that there is a good solution for non-technical users. Reducing warnings doesn't seem to help, they ignore them no matter how few there are. They just click "yes" on everything because they want to OS to stop bugging them. It never occurs to them there might be a reason for asking. Really I think the best that can be done is just to have proactive blocking software like virus scanners. It's not perfect, but it is as good as it will usefully get with clueless users.
I assume he means PHP code on a Mac OS X server running Apache or something. Some second hand distribution of a PHP application or distributed in a user contributed patch.
I've lost all my marbles except one & It's fun to test angular & centripetal acceleration in my skull
Yeah? They are talking about crashing/breaking into the server running the booby-trapped PHP code (eg. some remote user feeds funky numbers to a PHP application which then crashes the server or whatever).
Theoretically any application on OSX that uses strtod or gdtoa with user supplied input could be compromised. It's possible that some Javascript engines use those functions.
Not that they got access to the source, that is unsurprising, MS shares their source with governments, universities, and so on. However I doubt the Chinese scoured the IE code to find security flaws.
You find that for major projects, security flaws are most often not found looking through the source, but rather testing against a running program. Why? Well because there were always a bunch of skilled programmers that looked at the source, and they didn't see anything. As such, it isn't so likely you'll see anything. It isn't as though there'll be a function that says allowExploit() in there. The bugs are there precisely because they are hard to see, they require the interaction of individual units in unexpected ways.
This is why you'll find that even major OSS projects get hit. BIND is a good example. Back in about 2000 there was a security hole in it that affected every version ever. Somehow, it had been in there and nobody had noticed it. It was found not by a code audit, but by messing with a running DNS server and it doing something unexpected. Once the problem was found, then the programmers could figure out where to look and fixed it quickly.
Well you have to remember that the MS code is highly audited. MS has lots of skilled programmers who work on it, and it also goes to other places, like universities and such, that look over it.
My bet is that this was discovered on a running copy of IE. They were either doing security testing, or perhaps just stumbled across it by accident.
Personally, I like Foxit, but it can't do everything Acrobat can. You can get PDFs it doesn't work with correctly (or at all). Also, how useful that is as a widespread tool is questionable. While Foxit hasn't had many reported vulnerabilities is that because it truly has less, or is it simply because nobody is looking? If everyone switched, it would certainly fall under heavier attack, and perhaps you'd then discover that it is even worse.
So while it is a solution for you as an individual, it could very well do nothing if everyone did it as an overall solution.
There's also the problem that there's no way to differentiate good from evil programs.
Indeed. This problem comes up again and again with a great many tools.
The only difference between a scalpel used for healing and a scalpel used for murder is the man holding the knife.
-kgj
This is a real mysterious thing for me since I enable DEP in all kinds of configurations, even including Virtual Machines. I use Windows mostly for critical/complex device driven things like phone firmware updates, backups which means dozens of drivers installed.
I also print via Bonjour under Windows, using a Airport USB shared Epson Laser printer which has a very complex driver.
There hasn't been a single issue I have seen regarding DEP being enabled for all programs. Even AntiVirus programs doesn't complain.
So, as we all know, some companies are "more equal" (look to Adobe/Carbon/OS X), which product likely prevents Microsoft from enabling it by default?
According to Wikipedia, Apple enabled DEP like technology back in OS X 10.4.0 days and nobody even noticed it. I am not seeing any mysterious crashes, performance issues even with software based DEP. So, why on earth DEP is defaulting to off?
Incoming data exploits IE, owns machine, turns firewall off.
THEN starts opening connections to the internet.
Next.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Well let's see here, how about we look at Firefox 3.0's list of vulnerabilities from Mozilla:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
Lotta red on there, and red means "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
How about 3.5? Hasn't been out as long:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
Less over all, as you'd expect, but seems an even greater percentage are critical risk.
Seems to me Firefox has plenty of holes, with new ones getting discovered all the time. I mean please remember 3.5 has been out for about half a year. There's been 7 updates, 5 of which have addresses critical problems, often multiple ones.
So it seems that indeed people ARE finding holes in Firefox. Mozilla is doing as they should and fixing them, but please let's not pretend like there are plenty there that have needed fixing.
Using IE6 is like using Firefox 1. Are you feeling lucky?
It's one thing to use an older OS (XP), but to use a browser that is older than many of those on slashdot, that's quite another.
That's why you should install XP AntiVirus 2010.
What the also used in conjunction with it was the old "hey, click on this" security hole. NPR reported that they sent out "convincing" e-mails and got the morons to click on it. Who cares if it autoinstalled with a 0 day flaw by visiting the page. That wouldn't have happened if the stupid people hadn't fallen for the same old e-mail tricks.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Many of those on Slashdot are younger than 9 years?
The Tao of math: The numbers you can count are not the real numbers.
I love the article they cited for their browser data - which the author used a company that publishes data that ComputerWorld cannot seem to understand...
Browser Stats
Check it out... according the xpnet's graph, IE is used on 80% of the systems, and Firefox on 48% (roughly, from estimating the bars on the graphs). That means... what? The only thing i can think of is it means that 48% of the users/systems are running Firefox - while also running IE (hmmm... Windows Update or other reasons?)
StarTrekPhase2 - The Five Year Mission Continues!
make your xhtml1.1 page with a .xml extension.
See http://kissws.com/ in any browser beside IE. You'll get the page. With IE, you'll get something else. And there's nothing you can do to coerce IE to show it as a web page. So you'll have to switch to another browser.
"Piter, too, is dead."
McAfee has just announced their latest product, Sino-Cyber Protection Suite...
(There is supposed to be a Sarcmark® here, but my $1.99 check hasn't cleared, yet...)
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions.
To my knowledge, DEP is a setting in Windows, not in IE. Does Microsoft not know it's own product or is this some different setting?
Friends don't let friends use Internet Exploder.
That name for IE just makes me laugh.
Why is the leaking of Google data dependent on a flaw in a browser ? That doesn't sound an awful lot like defensive, secure programming on Google's side to me.
Religion is what happens when nature strikes and groupthink goes wrong.
There is a lot of unverifiable assumptions in the article, and I cannot see how the 3 things are linked here: Google/China/IE 0day ?
Frankly, do you believe Google uses IE or even Windows ?
And what kind of sites are infected with this 0day flaw ?
Sure, if the employees surf for porn or warez, they should be blamed.
Also, if I were the chinese government, there is an easier way to infect computers: insider employees.
They can simply plug an USB key and infect the computers.
Check your maths. I know that IE was available for my DEC Alpha back in the late 90s, so a back-of-a-fag-packet calculation makes it at least 11 years old. (And it was IE2, IIRC. And of course, the Alpha lagged behind other architectures.)
Also FatPhil on SoylentNews, id 863
"we're in deep shit if China decides to turn malicious." - by fluffy99 (870997) on Thursday January 14, @09:10PM (#30774326)
Not really. Not if companies & their LAN/WAN security setups, ESPECIALLY @ THE WORKSTATION & SERVER LEVEL, this way ->
----
HOW TO SECURE Windows 2000/XP/Server 2003, + VISTA (& beyond), and, make it "fun-to-do" via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=b35dfec0da75d7dab52dab8b321d373e&showtopic=2662
----
It works, if it is followed TO-THE-LETTER, & implemented properly!
A testimonial of its results also? Here is one:
----
http://www.xtremepccentral.com/forums/showthread.php?t=28430
PERTINENT QUOTE/EXCERPT:
"...recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual. Now I don't recommend this for the average joe, but it if can work for a kids PC it can work for anything!"
and
http://www.xtremepccentral.com/forums/showthread.php?s=10f9ba9ad5ff990aaae1e7ec91f593a2&t=28430&page=3
"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! Its made my PC experience much easier. Sandboxing was great. Getting my host file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"
Thronka - forums member @ xtremepccentral.com
----
Especially if users are EDUCATED vs. these kinds of threats + others (but, per what happened here? It's useful, specifically these kind, where 'social engineering' & PUNY TRICKS like a malscripted .pdf file is used).
I covered ADOBE PDF EXPLOITS THERE, & HOW TO STOP/STALL THEM, & YEARS AGO NO LESS (2006) + FAR MORE & how to work around or protect one's self vs. them... & guess what? IT ACTUALLY WORKS!
By the by:
I actually wrote the FIRST "Security & Speedup guide" for Windows (1997-2001 -> http://www.neowin.net/news/main/01/11/29/apk-a-to-z-internet-speedup--security-text & it did very well for its day, back in 1997 for NTCompatible.com (& that's Neowin's "take" on it, an excellent rating no less in that URL I just posted)...
AND, that guide is now carried forward to today & does well there in the URL above from TECH CONNECT MAGAZINE, & elsewhere online as well... because it actually WORKS & well!
(Today, vs. my older guide's models? It is mostly on security now though, more than speed, because that IS the "bigger problem" out here nowadays))
So far, it's done to the tune of over 250,000++ views online, being made an "Essential Guide" or "Sticky/Pinned" thread, or "most viewed" or "5/5 s
His maths are fine, he was replying to a comment that mentioned IE 6, which was released side by side with Win XP(2001). Now IE 1 has been available since 95 or 96.
And that has been used by the Chinese to gain access to TV's all over the US?
Misleading title, should be IE 6.
And most security flaws are due to the programming language used. Isn't it time to use another language? it even makes economic sense to CREATE an new language, since it will be used in so many projects afterward. Here are some of the vulnerabilities:
-Integer overflow, crash in libtheora video library
-Memory safety fixes in liboggplay media library
-Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
-Upgrade media libraries to fix memory safety bugs
-Heap buffer overflow in string to number conversion
-Heap buffer overflow in GIF color map parser
-Crash in proxy auto-configuration regexp parsing
-Crash with recursive web-worker calls
-TreeColumns dangling pointer vulnerability
-Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
-Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
-Heap overflow in certificate regexp parsing
-Heap/integer overflows in font glyph rendering libraries
See what are the errors? buffer overflows, integer overflows and out of bounds array accesses. This is because the language used to program this monster of a project does not handle correct overflows and out of bounds indexes.
How many billions of dollars should be lost in security problems before we realize that a major problem in writing secure software is the programming language? (please no 'it's the programmer's fault stupid' comments. The point here is to help the programmer community write secure programs, not promote the few god programmers that know how to do it without introducing any security problem).
You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"
... Windows XP,
Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and
Windows Server 2008 R2 are affected."
Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:
"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:
'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'
At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:
"... Internet Explorer 7 and Internet Explorer 8 on
At present, here is the full, confusing paragraph from that Microsoft web page:
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.
It seems China is always pulling this kind of thing. And they get away with it because their government not only protects them - it backs them up with resources.
I say Google should pull out of there, but only after unleashing some attacks of its own.
And when exactly has google EVER been the default search engine on IE? When google started, IE didn't have a setting to change default search engine and yet word of mouth got millions of IE users to set their homepage away from MSN to Google.
Google blocking IE would probably hurt them (although if it worked out, the profit would be enormous) but not for the reason you give.
I think you need to read up on history.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Many eyes is no fallacy.
Just the POSSIBILITY helps clean up the code. This is why open source has fewer potential bugs per KLOC than closed source programs analysed under it.
Alternatively, please explain why having 1000 randomly interested people doesn't help at all compared to 10 interested people.
Who would be at the end of the cause of an attack against Americans, Microsoft of course!
This should be their problem, send them the bill for the damages.....
they might start thinking twice about pushing their scrubby IE on every one!
Long live FF!
DEP makes exploitation of the flaw much harder to do and the exploit that was used does not work with DEP enabled, but that does not mean that the underlying vulnerability can't be exploited with DEP enabled. It's just much harder to do. Even Microsoft admits that:
from the security advisory:
This vulnerability is more difficult to exploit successfully if Data Execution Protection (DEP) is enabled for Internet Explorer.
Both have deep economic interests, even taking the more benign view, to induce self deception. Sorry, the assertions may all be true, however, I would be more comfortable believing the blame if it came from a more independent group.
Adobe, see it's not me and McAfee take that MS for stealing our business. Perhaps those are not the primary motives this time, nonetheless I find it hard to believe they are not present. MS screwing up and denying it also would be no shock, but I partially withhold judgment. I suggest others consider doing the same.
....Nope; Windows 7 isn't going to have any of the problems that any of the previous Windows versions had. Nope-nope-nope....
http://movies.apple.com/media/us/mac/getamac/2009/apple-mvp-broken_promises-us-20091023_480x272.mov
(Mad cackling ensues....)
Regards;
some firewalls are much more resiliant to malicious attempts to access the internet than junkware like zone alarm ( see http://www.matousec.com/projects/proactive-security-challenge/ for a review of how well firewalls prevent unwanted access, rather than just block standard requests )
This one time, I was at a bank getting hooked up with a savings account. The friendly bankerperson doing the paperwork with me said "Wow. I've never seen anyone actually read the form before signing it."
You would think that the idea of handing hundreds or thousands of dollars to total strangers who promise to take good care of it would motivate people to cast their eyeballs over some turgid prose, but it doesn't. I don't think there's anything that can motivate anyone to read anything *especially* warnings that most of the time don't result in the machine halting and catching fire.
"The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life"
Why do everybody concentrates on blaming IE and Microsoft.. this attack was to Google.. and I thought they only hired smart people. And they even have their own BROWSER!! so why the hell was anybody using IE inside Google? I mean if they need to test their things for IE that's alright, but browsing other stuff... then the idiot who did that should be punished... Finally i get there were other vulnerabilities exploited, but this specific one shouldn't happen inside the "company that leads the future"...
And you can't prevent IE from running by locking down iexplorer.exe either.
Great setup. Thanks. It is less secure because it is not really triangular, and thinking you can just tell management it may as well be because it appears that way from the road, and then crossing your fingers and hoping nobody looks at it from a different perspective and sees the gaping hole, is what we security experts call security through obscurity ;-)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
And IE 7 and IE 8. Therefore we should go back to IE 5.5 it's more secure.
The most dangerous drug
Yes, but not used in Chinese attack.
The folks at VUPEN have found a way to bypass DEP as long as javascript is enabled.
Why do everybody concentrates on blaming IE and Microsoft.
When I say "you shouldn't use IE", I'm not saying that to punish Microsoft, I'm saying it to help you.
why the hell was anybody using IE inside Google?
Oh, you understand that as well. Good.
I even have a fancy name to go with my job description, a Networked Systems Architect. Now i'm just a regular guy responsible for pulling on the purse strings of a few dozen good sized customers that need IT solutions, but i've noticed that other than a pay site called experts-exchange, there is no unified way for IT to communicate with developers, it's all "pay this" and "support contract" that. What i don't get is that if "IT" is going to implement "Developer" solution, shouldn't there be an open bridge of communication between "IT" and "Developer" for all computerized systems? Like a Facebook meets Wikipedia, top half is the solution i searched for, bottom half is are for communication, we all mod each other up or down, but the information is there.
Because ultimately nobody cares how it works, but the guys in charge of making things work could make it easier on themselves.