IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
Or a firewall.
Clearly instead of (or at least as well as) pulling out of China, Google should stop supporting MSIE.
And declare cyber-war on Microsoft. :P
Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.
Even if it were 100% Microsoft, zero-days happen. The only problem is that with MS, they're 31 days, not zero days.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
This is a reply to a -1 Redundant post about how using a Mac could have prevented this, but there's a critical known flaw for Mac, iPhone, Apple TV, etc. that hasn't been fixed for seven months now...
I've heard that PDFs were used, and that's the one that sounds the most logical. Whenever I've seen attacks against my network from the Chinese, it's always been in the form of malicious spear-phished PDFs.
Whatever they actually used against Google, there's not one easy solution. You can't just say that they should have used Firefox, because then the attackers would have exploited some random Firefox add-on that some people were using. I'm sure Google employees use every browser out there throughout the company. Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all.
I would be more concerned that senior tech leaders are actually clicking on links in malicious emails than the fact that they are running IE.
And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.
Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
So basically your company has an enormous number of highly secured steel doors, but only three walls?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Oh really? Tracing JIT JavaScript interpreters are trivial? Parsing PNG, GIF, JPEG, SVG, and even more image formats is trivial? The rules for the same origin policy including inheritance to iframes and the like, cross domain access, content encoding, proxies, plugins, memory management, not to mention multiple tabs with concurrent access to all these things... All these are all trivial to you? Man, I'd use your browser in a second, because no one else can manage the complexity. The standards are nice as far as they go, but not complete and there's lots of legacy crap out there. HTML 5 does codify better parsing behavior and other things that have been missing for the standard, but still doesn't cover everything.
For a very quick overview that just grazes the surface on how hard this stuff is, see the Browser Security Handbook by Michal Zalewski.
Firefox lists 35 security flaws in Firefox 3.5 alone, and that's only been out since June.
Yes, ActiveX is/was/will be a bad idea, but at least it requires a click through now, and runs with DEP in IE 8. Plugins have the same problems on native code for Firefox and the other browsers too; now that Firefox has market share, we're starting to see a rise in plugins and security flaws there instead.
Now, I'm not a Windows or IE fanboy, actually I hate the darn thing and run Firefox most of the time. But I do break web software for a living, and know how complex this stuff is and how nobody has it right. Both IE and Chrome have added some interesting security features lately to help contain flaws when they do occur, but nobody has yet written perfect software and there will continue to be security flaws in all browsers.
Blessed are the pessimists, for they have made backups.
The format is trivial, but oddly enough a secure parser is not.
One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.
See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 for more details.
Java and Windows have also had GIF parsing security bugs in the past:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html
Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small fraction of the potential bugs in any web browser.
This is why security is hard: Secure software is perfect software, and we don't write perfect software.
Blessed are the pessimists, for they have made backups.
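To illustrate the comment above about multi-image GIFs with differing color maps, here is an added example (not part of the thread, and not code from Firefox or the linked bug) of a bounds-checked walk over the GIF container that records each frame's own palette size, so a decoder can size buffers per frame rather than reusing the previous frame's. It goes beyond the specific bug, whose details are not on this page; `gif_walk`, `gif_info` and the sample bytes are constructed for illustration.

```c
#include <string.h>

struct gif_info { int frames; int colors[8]; };   /* palette entries per frame */

/* Constructed sample: 1x1 GIF89a; frame 1 has a 2-colour local table, frame 2 a 4-colour one. */
static const unsigned char SAMPLE[62] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0, 0,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x80, 0,0,0, 255,255,255, 2, 2,0x44,0x01, 0,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0x81, 0,0,0, 85,85,85, 170,170,170, 255,255,255, 2, 2,0x44,0x01, 0, 0x3B };

/* Bytes occupied by a colour table, from the packed field; 0 if the flag bit is clear. */
static size_t table_bytes(unsigned char k) { return (k & 0x80) ? 3u * (2u << (k & 7)) : 0; }

/* Skip a chain of data sub-blocks; returns the new offset, or 0 if the data is truncated. */
static size_t skip_sub_blocks(const unsigned char *b, size_t len, size_t p) {
    while (p < len) {
        size_t n = b[p++];
        if (n == 0) return p;            /* block terminator */
        if (n > len - p) return 0;       /* declared length runs past the buffer */
        p += n;
    }
    return 0;
}

/* Returns 0 for a well-formed container, -1 otherwise; every length is checked before use. */
int gif_walk(const unsigned char *b, size_t len, struct gif_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return -1;
    size_t gct = table_bytes(b[10]), p = 13;
    if (gct > len - p) return -1;                    /* global table must fit */
    for (p += gct; p < len; ) {
        unsigned char tag = b[p++];
        if (tag == 0x3B) return 0;                   /* trailer */
        if (tag == 0x21) { if (!(p = skip_sub_blocks(b, len, p + 1))) return -1; continue; }
        if (tag != 0x2C || len - p < 9) return -1;   /* only image descriptors remain */
        size_t lct = table_bytes(b[p + 8]);
        p += 9;
        if (lct >= len - p) return -1;               /* local table + LZW code-size byte */
        p += lct;
        if (b[p] < 2 || b[p] > 8 || out->frames == 8) return -1;
        out->colors[out->frames++] = (int)((lct ? lct : gct) / 3);
        if (!(p = skip_sub_blocks(b, len, p + 1))) return -1;
    }
    return -1;                                       /* ran out of data before the trailer */
}

int main(void) {
    struct gif_info gi;
    return gif_walk(SAMPLE, sizeof SAMPLE, &gi);     /* exit status 0: sample is well-formed */
}
```

This checks container structure only; a full decoder must additionally check every decoded pixel index against the current frame's palette size.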
You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"
Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:
"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:
'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'
At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:
"... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
At present, here is the full, confusing paragraph from that Microsoft web page:
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.