IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
Or a firewall.
Clearly instead of (or at least as well as) pulling out of China, Google should stop supporting MSIE.
And declare cyber-war on Microsoft. :P
How exactly would a firewall prevent an IE exploit? Maybe a good one would recognize known exploits, but this clearly wasn't known.
Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.
Just keep using mainstream Microsoft products and acting surprised when this happens. At least the rest of us can derive some amusement from your insistence that "Microsoft == high-quality" because it has a recognizable brand name.
Even if it were 100% Microsoft, zero-days happen. The only problem is that with MS, they're 31 days, not zero days.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
I am shocked that the "Senior tech leaders" are running IE... I thought only nubs ran that browser. It is their own fault. They should have known better. Not that FF or Chrome etc. are impenetrable, but at least your chances of "Something Bad Happening" are less than 100%.
This is a reply to a -1 Redundant post about how using a Mac could have prevented this, but there's a critical known flaw for Mac, iPhone, Apple TV, etc. that hasn't been fixed for seven months now...
I've heard that PDFs were used, and that's the one that sounds the most logical. Whenever I've seen attacks against my network from the Chinese, it's always been in the form of malicious spear-phished PDFs.
Whatever they actually used against Google, there's not one easy solution. You can't just say that they should have used Firefox, because then the attackers would have exploited some random Firefox add-on that some people were using. I'm sure Google employees use every browser out there throughout the company. Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all.
Seriously - makes no sense.
Do you have ESP?
Yeah - I read that as "We don't actually know how the attack was done - but we'll go with the popular line and blame Microsoft."
dnuof eruc rof aixelsid
So basically your company has an enormous number of highly secured steel doors, but only three walls?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
browsers... are really complicated software
Uh, no, not really. It is not that difficult to manage the standard Internet protocols, nor is it that hard to construct a DOM and render from it. Add a plugin interface for all the other stuff and you've still got a basically simple browser, that you can make as complex as you need or want.
I think you might be looking at IE as a sample of one, and extrapolating incorrectly from there. IE was designed intentionally to be a core part of the OS, in order to get around a court decision that MS didn't like. By folding it into the OS rather than running it as an application on top of the OS, MS introduced a lot of complexity... and a lot of potential security flaws. It also did not help that until IEv7, MS had deliberately built incompatibilities into IE (the broken box model for one). Although MS may be on the right course since IEv7, it still has to support all the legacy crap, including the non-browser functions that were put on IE (such as help system support, and IIRC some interprocess communications).
Perhaps the basic problem with Microsoft is that Marketing has always told Engineering what to do. That is the short route to crapware, but it is also the inside track to the fat markets.
Will
Oh really? Tracing JIT JavaScript interpreters are trivial? Parsing PNG, GIF, JPEG, SVG, and even more image formats is trivial? The rules for the same origin policy including inheritance to iframes and the like, cross domain access, content encoding, proxies, plugins, memory management, not to mention multiple tabs with concurrent access to all these things... Are all these trivial to you? Man, I'd use your browser in a second, because no one else can manage the complexity. The standards are nice as far as they go, but not complete and there's lots of legacy crap out there. HTML 5 does codify better parsing behavior and other things that have been missing from the standard, but still doesn't cover everything.
For a very quick overview that just grazes the surface on how hard this stuff is, see the Browser Security Handbook by Michal Zalewski.
Firefox lists 35 security flaws in Firefox 3.5 alone, and that's only been out since June.
Yes, ActiveX is/was/will be a bad idea, but at least it requires a click through now, and runs with DEP in IE 8. Plugins have the same problems on native code for Firefox and the other browsers too; now that Firefox has market share, it's starting to see a rise in plugins and security flaws there instead.
Now, I'm not a Windows or IE fanboy, actually I hate the darn thing and run Firefox most of the time. But I do break web software for a living, and know how complex this stuff is and how nobody has it right. Both IE and Chrome have added some interesting security features lately to help contain flaws when they do occur, but nobody has yet written perfect software and there will continue to be security flaws in all browsers.
Blessed are the pessimists, for they have made backups.
You are missing the other half of the equation there. The advantage of having the source isn't simply being able to see the code, it is everybody being able to see the code. This is the so called "1000 eyes" effect. Everybody being able to see the code gets bugs found and fixed sooner. Allowing the Chinese to see Windows code may very well have given them advantages for hacking into it, and may be the biggest mistake Microsoft made yet. Microsoft's eagerness to get into the Chinese market may have endangered us all (collectively speaking).
The format is trivial, but oddly enough a secure parser is not.
One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.
See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 for more details.
Java and Windows have also had GIF parsing security bugs in the past:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html
Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small fraction of the potential bugs in any web browser.
This is why security is hard: Secure software is perfect software, and we don't write perfect software.
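As an added illustration of the post's point that "the format is trivial, but a secure parser is not", here is a minimal GIF frame walker in Python. It is example code written for this page, not code from Mozilla, from the linked bug, or from any browser; it does not reproduce the specific Mozilla bug, only the class of check involved: every read is length-checked, each frame's colour table is sized from that frame's own descriptor (so a later frame with a larger table is never handled with a buffer sized for an earlier, smaller one), and frame rectangles are checked against the logical screen. The sample GIF bytes are constructed inline, and all function names (`parse_gif`, `is_well_formed`, `sample_gif`) are my own.

```python
import struct
from typing import List, Optional, Tuple

Rgb = Tuple[int, int, int]


class GifError(ValueError):
    """Raised for a truncated or malformed GIF instead of reading out of bounds."""


class _Reader:
    """Cursor over the GIF bytes; every read is length-checked."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise GifError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("<H", self.take(2))[0]

    def sub_blocks(self) -> bytes:
        # Data sub-blocks: <length><bytes> ... until a zero-length block.
        out = bytearray()
        while (n := self.u8()) != 0:
            out += self.take(n)
        return bytes(out)


def _color_table(r: _Reader, packed: int) -> Optional[List[Rgb]]:
    # Bit 7: table present; bits 0-2: the table has 2**(n+1) entries of 3 bytes each.
    if not packed & 0x80:
        return None
    raw = r.take(3 * (2 ** ((packed & 0x07) + 1)))
    return [tuple(raw[i:i + 3]) for i in range(0, len(raw), 3)]


def parse_gif(data: bytes) -> dict:
    """Walk header, extensions and image descriptors; return per-frame metadata.

    LZW pixel data is collected but not decoded. Each frame gets its own
    palette sized from its own descriptor, so a later frame with a larger
    colour table is never indexed against an earlier, smaller one.
    """
    r = _Reader(data)
    if r.take(6) not in (b"GIF87a", b"GIF89a"):
        raise GifError("bad signature")
    width, height, packed = r.u16(), r.u16(), r.u8()
    r.take(2)  # background colour index, pixel aspect ratio
    global_table = _color_table(r, packed)
    frames = []
    while (tag := r.u8()) != 0x3B:  # 0x3B is the trailer
        if tag == 0x21:  # extension: label byte, then sub-blocks
            r.u8()
            r.sub_blocks()
        elif tag == 0x2C:  # image descriptor
            left, top, w, h, fpacked = r.u16(), r.u16(), r.u16(), r.u16(), r.u8()
            if w == 0 or h == 0 or left + w > width or top + h > height:
                raise GifError(f"frame {w}x{h}@{left},{top} outside {width}x{height} screen")
            palette = _color_table(r, fpacked) or global_table
            if palette is None:
                raise GifError("frame has no colour table to index")
            min_code = r.u8()
            if not 2 <= min_code <= 11:  # LZW codes are at most 12 bits wide
                raise GifError(f"bad LZW minimum code size {min_code}")
            pixels = r.sub_blocks()
            frames.append({"box": (left, top, w, h), "colors": len(palette),
                           "local_table": bool(fpacked & 0x80), "data_len": len(pixels)})
        else:
            raise GifError(f"unknown block type 0x{tag:02x}")
    return {"width": width, "height": height, "frames": frames}


def is_well_formed(data: bytes) -> bool:
    """True if parse_gif accepts the bytes, False if it rejects them."""
    try:
        parse_gif(data)
        return True
    except GifError:
        return False


def sample_gif(overflow: bool = False) -> bytes:
    """Constructed test image: 4x2 screen, no global table, two 2x2 frames.

    Frame 1 carries a 2-entry local table, frame 2 a 4-entry one; with
    overflow=True the second frame is widened so it runs off the screen.
    """
    def frame(left: int, w: int, size_bits: int, table: bytes) -> bytes:
        desc = struct.pack("<BHHHHB", 0x2C, left, 0, w, 2, 0x80 | size_bits)
        return desc + table + b"\x02" + b"\x01\x44" + b"\x00"  # min code 2, one data byte

    out = b"GIF89a" + struct.pack("<HHBBB", 4, 2, 0x00, 0, 0)
    out += frame(0, 2, 0, bytes([0, 0, 0, 255, 255, 255]))
    out += frame(2, 3 if overflow else 2, 1,
                 bytes([0, 0, 0, 255, 0, 0, 0, 255, 0, 0, 0, 255]))
    return out + b"\x3B"


if __name__ == "__main__":
    print(parse_gif(sample_gif()))
```

The design point is that nothing is sized from an earlier frame or from a field the parser has not yet validated: the reader refuses short reads, the colour table length is derived from the descriptor of the frame being parsed, and a frame that does not fit the logical screen is rejected before any pixel data is touched.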
The stupid but obvious question: why are people at these companies using IE6?
Some companies employ IT as an afterthought and, consequently, staffing suffers as a result. Typically, the help desk is outsourced and the local IT employees are simply not empowered to make bold decisions (like, say, forcing everyone to fix their IE6-dependent apps).
At the company where I work, I suspect we'll migrate off IE6 when some external entity forces our hand. For example, if/when Google withdraws support for IE6.
One of the reasons for this is that the black hats are well aware that any vulnerability they might exploit is likely to be short-lived, while if they just focus on MSIE, they are likely to get a much longer window of opportunity before the holes are patched.
Not only does MSIE being "folded into" the OS make it more difficult to debug, Microsoft have also developed a policy of updates according to the calendar. Most other software tends to follow a "when needed" approach to bug fixes.
1. Linux, Firefox, Chrome and the other big open source projects have much more than "a handful" of people working on them. The number of eyes on each one is definitely more than 1000.
2. No it doesn't. Giving source code to everyone makes it easier to find vulnerabilities and, depending on who you are, either fix them or exploit them. Giving source code just to the Chinese government gives you the exploiters but not the fixers, ie. the worst of both worlds.
You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"
Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:
"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:
'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'
At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:
"... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
At present, here is the full, confusing paragraph from that Microsoft web page:
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.
The shuttle software is near perfect, and it cost about $1000 per line to write. Average commercial code is crap and costs about $18 a line to write.
Also, with the rate of change in a web browser at the moment, I don't think you could write a perfect one even at 50x the cost, because projects don't scale that well.
All comes back to:
Fast, cheap, good. Choose two. Same as any other profession.