IE 0-Day Flaw Used In Chinese Attack

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."

It's not stupidity

[liquiddark]

Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.

Re:It's not stupidity

[liquiddark]

You might think that, but try supporting a massive suite of web applications that all have their own browser ticks, all of which were critical for something just shy of a minute, but which are maintained because retiring one would cause one guy (who always, somehow, happens to have the necessary clout) to die of unproductivity. Until you've lived in that situation for years on end it is wise to withhold judgement.

Re:It's not stupidity

[Carnildo]

Given the opportunity, I'd make everyone ignore a half dozen warnings.

Fixed that for you. Warning overload is one of the biggest problems facing computer security today. Since so many of the warnings the average user is bombarded with are meaningless, the genuine threats get lost in the noise and are ignored.

See also: The boy who cried "wolf".

Re:More than just IE

[calmofthestorm]

Even if it were 100% microsoft, zero-days happen. The only problem is that with MS, they're 31 days, not zero days.

Re:Not PDFs?

[biryokumaru]

I know, why isn't the solution ever "Use an alternative PDF viewer?" Instead of "Update Adobe Acrobat to another version filled with gaping security flaws."

Re:?Senior?

[Runaway1956]

And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.

Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.

Re:A major security flaw in IE?

[spinkham]

Oh really? Tracing JIT JavaScript interpreters are trivial? Parsing PNG, GIF, JPEG, SVG, and even more image formats is trivial? The rules for the same origin policy including inheritance to iframes and the like, cross domain access, content encoding, proxies, plugins, memory management, not to mention multiple tabs with concurrent access to all these things.. All these are all trivial to you? Man, I'd use your browser in a second, because no one else can manage the complexity. The standards are nice as far as they go, but not complete and there's lots of legacy crap out there. HTML 5 does codify better parsing behavior and other thigns that have been missing for the standard, but still doesn't cover everything.

For a very quick overview that just grazes the surface on how hard this stuff is, see the Browser Security Handbook by Michal Zalewski.

Firefox lists 35 security flaws in Firefox 3.5 alone, and that's only been out since June.

Yes, ActiveX is/was/will be a bad idea, but at least it requires a click through now, and runs with DEP in IE 8. Plugins have the same problems on native code for Firefox and the other browsers too, now that Firefox has market share starting to see a rise in plugins and security flaws there instead.

Now, I'm not a Windows or IE fanboy, actually I hate the darn thing and run Firefox most of the time. But I do break web software for a living, and know how complex this stuff is and how nobody has it right. Both IE and Chrome have added some interesting security features lately to help contain flaws when they do occur, but nobody has yet written perfect software and there will continue to be security flaws in all browsers.

Re:A major security flaw in IE?

[spinkham]

The format is trivial, but oddly enough a secure parser is not.

One of the exploitable Firefox bugs this year is in the GIF parsing code, in a situation where there are multiple images in a GIF file, and one has a small color map and is malformed in a specific way, followed by one with a larger color map.

See https://bugzilla.mozilla.org/show_bug.cgi?id=511689 for more details.

Java and windows have also had GIF parsing security bugs in the past:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
http://www.checkpoint.com/defense/advisories/public/2008/cpai-02-Sepa.html

Remember, this GIF parsing is but one of the things I mentioned, and I only mentioned a small faction of the potential bugs in any web browser.

This is why security is hard: Secure software is perfect software, and we don't write perfect software.

Confused by Microsoft P.R.?

[Futurepower(R)]

You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"

Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:

"Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:

'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'

At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:

"... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

At present, here is the full, confusing paragraph from that Microsoft web page:

"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.