IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
Firefox breaks on some of the things I've had to work with. Just having it installed can cause them to not work correctly also.
-]Phreak Out[-
Right! And those folks are commonly known affectionately here on Slashdot as Windows users. Just who do you think is responsible for the fact that the average computer user has no clue about security, and thinks everything "just works" if it isn't Microsoft?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Internal sandboxes don't protect you from having the compromised instance of IE being used to log passwords and steal other local information, nor does it prevent the compromised instance of IE from being a botnet node during the current session. Also, since IE still has to save files, load and execute programs, and so on, the strongest sandbox they can create is a leaky condom.
And security is like sex, once you're penetrated you're f***ed.
What a droll thing to say! Would you mind sharing with us where exactly you heard that? The FA just ruled Adobe out on this occasion. What is your motivation for pointing the finger at Adobe? The FA says IE is to blame. Somehow you know more than Google about this? Your conclusion, "Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all." completely misses the point. The problem was IE. I would like to know what idiot modded you insightful. The most obvious conclusion we could draw is to stay away from IE - at least until it is fixed.
Don't confuse the lack of an efficient and effective workflow with bad componentry. There are plenty of good packages to be had that can handle the various issues described in PP. If the developer doesn't know how to glue them together... well, it is a poor craftsman who blames his tools.
Of course if for some reason the freely available packages cannot be used then you are stuck trying to reinvent the wheel. Which I suppose is the case for Microsoft since it cannot use FOSS, and is also committed to supporting its legacy of strategically bad design decisions. Like folding the browser into the operating system.
Good browsers are not that difficult to work with. Firefox, Konqueror, Opera, and so on keep churning out steadily improving products in short order and have had very little trouble with security flaws. One of the reasons for this is that the black hats are well aware that any vulnerability they might exploit is likely to be short-lived, while if they just focus on MSIE, they are likely to get a much longer window of opportunity before the holes are patched.
Will
Yes, browsers are complicated.
But when you are using a browser while running with admin privileges, and a non-trustable ActiveX-ploit, you are begging to be taken advantage of.
You are being MICROattacked, from various angles, in a SOFT manner.
"Let's see. Using a monopoly position in search to disrupt the web browser market which they also participate in. Methinks not."
Not if everyone moves to Firefox (a COMPETITOR of Google) instead of Google's Chrome.
That is exactly my point. The VAST majority of people switching would go to Firefox, NOT Chrome.
Therein lies the pure GENIUS of this idea. Built-in anti-trust protection.
Even if a suit was brought against them, and they lost, what would be the mandated fix? Support IE again? By the time that dragged through the courts, the loss of IE users to Firefox would already have happened. Once you leave IE (for anything!), you never go back.