Slashdot Mirror


IE 0-Day Flaw Used In Chinese Attack

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."

4 of 318 comments

  1. It's not stupidity by liquiddark · Score: 5, Insightful

    Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like SharePoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.

  2. Re:Not PDFs? by biryokumaru · Score: 5, Insightful

    I know, why isn't the solution ever "Use an alternative PDF viewer?" Instead of "Update Adobe Acrobat to another version filled with gaping security flaws."

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!

  3. Re:?Senior? by Runaway1956 · Score: 5, Insightful

    And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.

    Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

  4. Confused by Microsoft P.R.? by Futurepower(R) · Score: 5, Insightful

    You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"

    Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:

    "Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

    Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:

    'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'

    At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:

    "... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

    At present, here is the full, confusing paragraph from that Microsoft web page:

    "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

    For the apparent reason Microsoft allows IE to be insecure, see the New York Times article "Corrupted PC's Find New Home in the Dumpster". As the article explains, operating system corruption and vulnerability to malware are very profitable for Microsoft and its main customers, who are computer manufacturers.