IE 0-Day Flaw Used In Chinese Attack
bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
This is unheard of!
"The difference between genius and stupidity is that genius has its limits" - Albert Einstein
Or a firewall.
Clearly instead of (or at least as well as) pulling out of China, Google should stop supporting MSIE.
And declare cyber-war on Microsoft. :P
Using Firefox would have prevented it and still spared the needless expense of fashionable but mediocre and overpriced hardware for basic office minion tasks.
"Common sense will be the death of us all"
If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.
So IE is partially to blame, but you can't just say that this is MS's fault.
Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.
From an earlier /. article: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars
From the article in this post: The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks.
I love the "probably"
It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
This is a reply to a -1 Redundant post about how using a Mac could have prevented this, but there's a critical known flaw for Mac, iPhone, Apple TV, etc. that hasn't been fixed for seven months now...
I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.
I've heard that PDFs were used, and that's the one that sounds the most logical. Whenever I've seen attacks against my network from the Chinese, it's always been in the form of malicious spear-phished PDFs.
Whatever they actually used against Google, there's not one easy solution. You can't just say that they should have used Firefox, because then the attackers would have exploited some random Firefox add-on that some people were using. I'm sure Google employees use every browser out there throughout the company. Keeping Acrobat Reader fully patched and keeping your users alert and well-trained would probably stop a lot of it, but not all.
I would be more concerned that senior tech leaders are actually clicking on links in malicious emails than the fact that they are running IE.
Seriously - makes no sense.
Do you have ESP?
"Personal firewalls" are utter bullshit that can be trivially bypassed by malware. I can, to give but one of many examples, inject a DLL into Internet Explorer and do all my network communication through that.
Sadly, Microsoft doesn't seem to have anything you can do to fix this.
http://www.microsoft.com/technet/security/advisory/979352.mspx
It seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reduce the damage done after IE runs the malicious code on your system.
What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.
'0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.
I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers), or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this? Did the attackers spend months building a strong level of trust with the people at these companies, or did someone click on an E-card?
Or any other browser. Like, for example, Chrome.
IE shows no sign of vanishing from the corporate landscape
I work at a big company that takes an enormous number of precautions to secure and protect the confidential information of millions of people. And we still use IE6 with no sign of changing any time soon.
And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.
Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Make no mistake, China is aggressively attacking foreign systems and common software. They are stockpiling these zero-day exploits as potential weapons. They use one until it's discovered and patched, then wait until they have another high priority and then unwrap the next one.
When you see Symantec or Microsoft reporting an "undisclosed source" on new vulnerabilities, it's usually our own government that reported it after investigating a compromise. It's damn scary just how far the Chinese have wormed into the US corporate and military systems. For now they are content to quietly steal data and technology, but we're in deep shit if China decides to turn malicious. They have the power to level the US financial systems, military supply lines, utilities, etc which would quickly ruin the US. The reason they have not? It's not that they're scared of the US retaliating in kind - they clearly have the upper hand on that front. They need us to continue leeching our dollars and tech.
Good God man! Don't even make jokes about the Bonzi Buddy! Do you even know the horror it inflicted upon poor PC repairmen across the country? Customers driven to the point of madness, screaming "Just make it stop! For the love of God PLEASE JUST MAKE IT STOP!!!"
Now you have old Bob hiding in the corner, crying and muttering "purple monkey" to himself over and over. Have you no sense of decency sir?
ACs don't waste your time replying, your posts are never seen by me.
Because according to Microsoft, system vulnerability is determined by the following formula:
Vulnerability = (time of patch - time of discovery) * number of exploits.
Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?
For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.
It always seemed obvious to me, but apparently not to others, that risk should be calculated based not on the time of discovery and publication, but rather on the ship date of the software (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery, means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability).
I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.
The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.
For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.
The society for a thought-free internet welcomes you.
This is a real mysterious thing for me since I enable DEP in all kinds of configurations, even including Virtual Machines. I use Windows mostly for critical/complex device driven things like phone firmware updates, backups which means dozens of drivers installed.
I also print via Bonjour under Windows, using a Airport USB shared Epson Laser printer which has a very complex driver.
There hasn't been a single issue I have seen regarding DEP being enabled for all programs. Even AntiVirus programs don't complain.
So, as we all know, some companies are "more equal" (look to Adobe/Carbon/OS X), which product likely prevents Microsoft from enabling it by default?
According to Wikipedia, Apple enabled DEP-like technology back in OS X 10.4.0 days and nobody even noticed it. I am not seeing any mysterious crashes or performance issues even with software-based DEP. So, why on earth is DEP defaulting to off?
Well let's see here, how about we look at Firefox 3.0's list of vulnerabilities from Mozilla:
http://www.mozilla.org/security/known-vulnerabilities/firefox30.html
Lotta red on there, and red means "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
How about 3.5? Hasn't been out as long:
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html
Less overall, as you'd expect, but it seems an even greater percentage are critical risk.
Seems to me Firefox has plenty of holes, with new ones getting discovered all the time. I mean, please remember 3.5 has been out for about half a year. There have been 7 updates, 5 of which have addressed critical problems, often multiple ones.
So it seems that indeed people ARE finding holes in Firefox. Mozilla is doing as they should and fixing them, but please let's not pretend like there are plenty there that have needed fixing.
The bigger question is: they can see the pain IE6 is causing them through lock-in, yet they think their next salvation is to write apps using Silverlight?
What they also used in conjunction with it was the old "hey, click on this" security hole. NPR reported that they sent out "convincing" e-mails and got the morons to click on it. Who cares if it autoinstalled with a 0-day flaw by visiting the page. That wouldn't have happened if the stupid people hadn't fallen for the same old e-mail tricks.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions.
To my knowledge, DEP is a setting in Windows, not in IE. Does Microsoft not know its own product, or is this some different setting?
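The two DEP posts above (the one asking why DEP defaults to off, and the one asking whether DEP is a Windows or an IE setting) both turn on the machine-wide DEP policy. This is an added example, not from any poster in the thread: it reads that policy and reports which processes it actually covers. It assumes Windows with the CIM cmdlets available; the policy value meanings are those documented for the Win32_OperatingSystem class.

```powershell
# Added example (not from the thread). DEP is a Windows setting, as the poster says;
# what IE8 adds is opting its own process in. On a client machine the default
# policy is OptIn, so a process that never opts in (IE6/IE7 unless the user turns
# it on) runs with no DEP even though DEP is "enabled" system-wide.
# Assumes: Windows, CIM cmdlets available (Get-CimInstance).

$PolicyNames = @{
    0 = 'AlwaysOff'   # DEP disabled for every process
    1 = 'AlwaysOn'    # DEP enforced for every process, no exceptions
    2 = 'OptIn'       # only Windows binaries and processes that opt in (client default)
    3 = 'OptOut'      # every process except an explicit exception list (server default)
}

function Get-DepStatus {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $policy = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        HardwareNxAvailable     = [bool]$os.DataExecutionPrevention_Available
        Policy                  = $PolicyNames[$policy]
        # Only AlwaysOn and OptOut protect a process that never asked for DEP.
        CoversNonOptInProcesses = ($policy -eq 1 -or $policy -eq 3)
    }
}

function Test-DepCoversLegacyBrowser {
    param([pscustomobject]$Status = (Get-DepStatus))
    if (-not $Status.HardwareNxAvailable) {
        return 'NO: hardware DEP (NX) is not available on this machine'
    }
    if ($Status.CoversNonOptInProcesses) {
        return "YES: policy $($Status.Policy) applies to every process"
    }
    return "PARTIAL: policy $($Status.Policy) protects only processes that opt in"
}

Get-DepStatus | Format-List
Test-DepCoversLegacyBrowser
```

Switching the policy to OptOut or AlwaysOn is done through the boot configuration (bcdedit's nx setting) and needs a reboot, which is why the advisory's per-browser advice differs by IE version.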
According to that link, the XPS viewer is opening the XPS document in the default web browser which is Firefox. However, Firefox does not know how to render the Microsoft-specific XPS format and IE does.
This is not a Firefox problem, it is a problem with the implementors of the XPS viewer.
Numbers are largely irrelevant. Any code will have bugs, and a percentage of those will be security issues. Yes, careful design and reviews can and will reduce the number of bugs, but will not eliminate them. Especially for a complex system that has a large codebase with multiple components interacting with each other, and with external libraries and components.
FLOSS does not refute this.
What is more interesting is:
1/ Is the fact that a larger number of vulnerabilities are found in Firefox and Chrome because their source code is there for people and researchers to examine, instead of being known only to the company producing the closed source product because that company views any of these issues to be a low priority?
2/ How quickly do the security issues get fixed?
3/ How quickly since the fix is created, does it get pushed out as a release?
4/ How quickly do customers get the fix?
5/ How many customers are left running an unpatched system?
6/ What are the tools (valgrind, sparse, dehydra, Coccinelle, Coverity) like for tracking down these types of issues?
You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"
Note that you were confused by Microsoft public relations, which is apparently trying to avoid responsibility. Here is a quote from the article:
"Our investigation has shown that Internet Explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."
Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:
'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'
At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:
"... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
At present, here is the full, confusing paragraph from that Microsoft web page:
"Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.
It is the programmers fault. Dijkstra is smarter than you.
The programmers could have chosen to add bounds checking, etc. to their programming. However, they did not, because that shit is slow.
People have been trying to create a new language that made all their problems disappear for 5 decades. It's not going to happen. It's the height of naiveté to believe otherwise.
I'm repeating myself from another story here on Slashdot - but, if it's only the "unwashed masses", then why does Corporate America still lose and/or spend billions to malware and/or hacking?
And, I'll note here, I said "Microsoft products". I didn't limit myself to the operating system(s). Outlook and Office have contributed their share to the net losses to the corporate world. Anything else, that I'm neglecting? Microsoft has a lot of products, after all.
You're right, the most FREQUENT cause of data loss is the loose nut at the keyboard. And every OS has its loose nuts. But - when supposedly secure institutions which employ high-dollar IT people to make things secure lose money, well, something isn't exactly right.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
The shuttle software is near perfect, and it cost about $1000 per line to write. Average commercial code is crap and costs about $18 a line to write.
Also, with the rate of change in a web browser at the moment, I don't think you could write a perfect one even at 50x the cost, because projects don't scale that well.
All comes back to:
Fast, cheap, good. Choose two. Same as any other profession.
Blessed are the pessimists, for they have made backups.