IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.
That is pure genius.
There are Sooooo many people that don't know how to find anything on the web without using Google that if Google did stop supporting IE, many of those people would start using Firefox simply to use Google. And that would be a huge foot-in-the-groin for Microsoft, even if it doesn't DIRECTLY benefit Google.
Methinks it would avoid any anti-trust issues as well.
Considering the topic of this thread, it might actually help to prevent further Chinese highjinks.
Sadly, Microsoft doesn't seem to have anything you can do to fix this.
http://www.microsoft.com/technet/security/advisory/979352.mspx
It seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reduce the damage done after IE runs the malicious code on your system.
What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.
'0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or, at the very least, a workaround that actually prevents exploitation is provided.
I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers), or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this? Did the attackers spend months building a strong level of trust with the people at these companies, or did someone click on an E-card?
"Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all."
I can't help but wonder if Firefox AND Foxit would have prevented this.
Honestly, there are major flaws in all browsers all the time, they're really complicated software and are the most exposed part of the computer at the moment, so lots of research is put into finding flaws.
The two continuing problems are:
1) The use of old versions. IE 6 sucks. No way around it. IE 7 sucks less, and IE 8 has a mix of good and bad things.
2) The time between updates. Some known IE bugs go unpatched for a long time, with about a 1 month minimum exploitation window, and often quite a bit longer. FF and especially Chrome are MUCH better about pushing out patches and getting their users to upgrade.
Blessed are the pessimists, for they have made backups.
Make no mistake, China is aggressively attacking foreign systems and common software. They are stockpiling these zero-day exploits as potential weapons. They use one until it's discovered and patched, then wait until they have another high priority and then unwrap the next one.
When you see Symantec or Microsoft reporting an "undisclosed source" on new vulnerabilities, it's usually our own government that reported it after investigating a compromise. It's damn scary just how far the Chinese have wormed into the US corporate and military systems. For now they are content to quietly steal data and technology, but we're in deep shit if China decides to turn malicious. They have the power to level the US financial systems, military supply lines, utilities, etc which would quickly ruin the US. The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.
This is a real mysterious thing for me since I enable DEP in all kinds of configurations, even including Virtual Machines. I use Windows mostly for critical/complex device driven things like phone firmware updates, backups which means dozens of drivers installed.
I also print via Bonjour under Windows, using an Airport USB shared Epson Laser printer which has a very complex driver.
There hasn't been a single issue I have seen regarding DEP being enabled for all programs. Even AntiVirus programs don't complain.
So, as we all know, some companies are "more equal" (look to Adobe/Carbon/OS X), which product likely prevents Microsoft from enabling it by default?
According to Wikipedia, Apple enabled DEP-like technology back in the OS X 10.4.0 days and nobody even noticed it. I am not seeing any mysterious crashes or performance issues, even with software-based DEP. So why on earth is DEP defaulting to off?
Honestly, if you think you can just slap a few open pieces of software together and have a secure functioning browser, you're smoking something. There's a reason there are only 4 browser engines, and that's because it's *hard*.
Firefox is NOT doing well at producing a secure browser. They patch faster than IE, but every Mozilla 3.5 release has between 2 and 6 critical (read: likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.
Just ran sloccount on the Firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers.
The average code has about .5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.
Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have fewer custom parsers, but upstream bugs still do affect them.
The point of this isn't to say that Firefox or Chromium is worse than IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse than the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.
Blessed are the pessimists, for they have made backups.
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions.
To my knowledge, DEP is a setting in Windows, not in IE. Does Microsoft not know its own product, or is this some different setting?
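Both of the DEP questions in this thread (why the "all programs" setting rarely breaks anything, and whether the IE setting is the same thing as the Windows one) come down to two layers: a system-wide boot policy (OptIn by default on client Windows) and a per-process opt-in that a program such as IE 8 can request for itself. The following script is an added example written for this page, not code posted by anyone in the thread. It reads the Windows policy through the Win32_OperatingSystem WMI class and, where the cmdlet exists (Windows 10 1709 or later, an assumption checked at runtime), the per-process DEP state of any running Internet Explorer.

```powershell
# Added example (not from the thread): report the system-wide DEP policy, which
# is a Windows boot setting, and the per-process DEP state of a running IE.
# Needs Windows Vista or later and PowerShell 3.0 or later for Get-CimInstance.

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy.
$policyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for every process
    1 = 'AlwaysOn'    # DEP enforced for every process, no opt-out possible
    2 = 'OptIn'       # client default: Windows binaries plus programs that ask
                      # for it themselves (IE 8 opts in; IE 6/7 do not)
    3 = 'OptOut'      # the "all programs and services" choice, minus exceptions
}

function Get-DepPolicy {
    # System-wide view: hardware support and the boot-time policy.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareDepAvailable = $os.DataExecutionPrevention_Available
        Policy               = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        AppliesTo32Bit       = $os.DataExecutionPrevention_32BitApplications
    }
}

function Get-IeDepState {
    # Per-process view for Internet Explorer, if it is running.
    # Get-ProcessMitigation ships with Windows 10 1709 and later only.
    if (-not (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue)) {
        return 'Get-ProcessMitigation is not available on this Windows version'
    }
    $ie = Get-Process -Name iexplore -ErrorAction SilentlyContinue
    if (-not $ie) { return 'iexplore.exe is not running' }
    $ie | ForEach-Object {
        [pscustomobject]@{
            Pid = $_.Id
            DEP = (Get-ProcessMitigation -Id $_.Id).DEP
        }
    }
}

Get-DepPolicy
Get-IeDepState

# To move the boot policy to OptOut (the GUI's "all programs" choice), run from
# an elevated prompt and reboot:
#   bcdedit /set {current} nx OptOut
```

With the default OptIn policy the first function reports `OptIn`, which is exactly the situation the advisory describes: IE 8 protects itself by opting in, while IE 6 and 7 only get DEP if the machine-wide policy is OptOut or AlwaysOn. Switching the boot policy, as the poster above did, is what makes DEP cover the older browsers and every other third-party process.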