Slashdot Mirror


IE 0-Day Flaw Used In Chinese Attack

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."

5 of 318 comments

  1. Chinese govt inspection of MSFT code? by SillyValley · · Score: 5, Interesting

    I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.

    1. Re:Chinese govt inspection of MSFT code? by cbhacking · · Score: 4, Interesting

      It is worth noting that unless you specifically exclude IE8 from DEP (or disable DEP globally) then it is not vulnerable to this attack. You can also enable DEP (either via opt-in or by switching the default behavior system-wide to opt-out) for the previous IE versions.

      Nonetheless, it's possible that the vulnerability was discovered in the manner you suggest. I'm not sure they saw the IE8 code, but if the same vulnerability is used on all versions it's probably in code that hasn't changed in a while.

      --
      There's no place I could be, since I've found Serenity...
  2. Re:You know what this means by Anachragnome · · Score: 4, Interesting

    That is pure genius.

    There are Sooooo many people that don't know how to find anything on the web without using Google that if Google did stop supporting IE, many of those people would start using Firefox simply to use Google. And that would be a huge foot-in-the-groin for Microsoft, even if it doesn't DIRECTLY benefit Google.

    Methinks it would avoid any anti-trust issues as well.

    Considering the topic of this thread, it might actually help to prevent further Chinese hijinks.

  3. No real fix... by Aoet_325 · · Score: 5, Interesting

    Sadly, Microsoft doesn't seem to have anything you can do to fix this.
    http://www.microsoft.com/technet/security/advisory/979352.mspx
    It seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reducing the damage done after IE runs the malicious code on your system.

    What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.

    '0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or, at the very least, a workaround that actually prevents exploitation is provided.

    I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers) or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this? Did the attackers spend months building a strong level of trust with the people at these companies or did someone click on an E-card?

  4. Re:A major security flaw in IE? by spinkham · · Score: 4, Interesting

    Honestly, if you think you can just slap a few open pieces of software together and have a secure functioning browser, you're smoking something. There's a reason there's only 4 browser engines, and that's because it's *hard*.

    Firefox is NOT doing well at producing a secure browser. They patch faster than IE, but every Mozilla 3.5 release has between 2 and 6 critical (read: likely exploitable) security flaws. They have had 35 flaws total in the last 7 months. http://www.mozilla.org/security/known-vulnerabilities/firefox35.html

    Chrome is doing somewhat better, but they have only 2% market share, and not as many people hunting for bugs. Still a number of critical bugs fixed last year.

    Just ran sloccount on firefox 3.5.7 source tree, and it says there are 2.7 million lines of code. For comparison, the Linux 2.6.32.3 has 8 million lines, so Firefox is only 1/3 the size of the full Linux kernel, including all drivers.
    The average code has about .5-1 security bugs per 1k lines of code. That means we can expect 1350-2700 security bugs in Firefox.

    Just so this isn't all about Firefox, Chromium (the open source branch of Chrome) largely reuses software as much as possible, and has 4.5 million lines of code. That's a huge project. They seem to have fewer custom parsers, but upstream bugs still do affect them.

    The point of this isn't to say that Firefox or Chromium is worse than IE, it's just that modern web browsers are *complicated*. Security is hard even for small projects, and 2.7-4.5 million lines of code is not small. You can hate on IE all you want for web standards support (SVG and XHTML are two nice places to start), but they're actually not doing much worse than the other players for security at the moment. Yes, IE 6 is a piece of crap, and if you're still running that then you deserve what you get, but IE 8 is decent.

    --
    Blessed are the pessimists, for they have made backups.