IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.
Sadly, Microsoft doesn't seem to have anything you can do to fix this.
http://www.microsoft.com/technet/security/advisory/979352.mspx
It seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reduce the damage done after IE runs the malicious code on your system.
What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.
'0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.
I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers), or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this? Did the attackers spend months building a strong level of trust with the people at these companies, or did someone click on an E-card?