IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.
So IE is partially to blame, but you can't just say that this is MS's fault.
From an earlier /. article: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars
From the article in this post: "The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks."
I love the "probably"
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
According to TFA, this vulnerability was in IE6.
No, only IE 5.01 SP4 and IE 8 are not vulnerable without enabling "data execution prevention." The attackers apparently targeted IE 6, but nearly all other versions can be compromised.
From TFA:
"A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn't say when an update would be released that patches the vulnerability."
Because according to Microsoft, system vulnerability is determined by the following formula:
Vulnerability = (time of patch - time of discovery) * number of exploits.
Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?
For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.
It always seemed obvious to me, but apparently not to others, that risk should be calculated based not on the time of discovery and publication, but rather upon the ship date of the software (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery, means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability).
I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.
The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.
For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.
The society for a thought-free internet welcomes you.
http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html
The microtrolls are bad enough of the mods, but leave the out-and-out lies alone; it looks silly.
Chaos - everything, everywhere, everywhen