Slashdot Mirror

← Back to Stories (view on slashdot.org)

IE 0-Day Flaw Used In Chinese Attack

Posted by timothy on from the zero-is-where-you-start-counting dept.

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."

14 of 318 comments (clear)

  1. A major security flaw in IE? by XPeter · · Score: 5, Funny

    This is unheard of!

    --
    "The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
    1. Re:A major security flaw in IE? by Knara · · Score: 5, Funny

      Google can stay in China, or pull out,

      It's far too late for Google to pull out of China. It should have known that the pulling-out method is not a reliable form of birth control, and now it needs to take responsibility for it and China's love child, Baidu.

    2. Re:A major security flaw in IE? by CodeBuster · · Score: 5, Funny

      This is unheard of!

      Until it gets reported or exploited, then everyone knows about it.

  2. More than just IE by FalleStar · · Score: 5, Informative

    If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.

    "While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios." - George Kurtz

    So IE is partially to blame, but you can't just say that this is MS's fault.

    1. Re:More than just IE by dclozier · · Score: 5, Funny

      So IE is partially to blame, but you can't just say that this is MS's fault.

      You really are new here. Of course it was all Microsoft's fault. ;)

  3. It's not stupidity by liquiddark · · Score: 5, Insightful

    Corporate users largely work on intranets, and intranets are largely supported by guys who don't have the resources a professional development team has. So corporations buy large make-your-own-adventure web-ish packages like Sharepoint, and suddenly they're locked into IE for another cycle, and the whole ugly repeats itself. It's genuinely difficult to not get locked into somebody's product stack, and Microsoft's is, on the whole, no worse than anybody else's.

    1. Re:It's not stupidity by yuna49 · · Score: 5, Informative

      According to TFA, this vulnerability was in IE6.

      No, only IE 5.01 SP4 and IE 8 are not vulnerable without enabling "data execution prevention." The attackers apparently targeted IE 6, but nearly all other versions can be compromised.

      From TFA:

      "A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

      In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn't say when an update would be released that patches the vulnerability."

  4. Not IE, Adobe's PDF Reader 0 day Flaw by Eyah....TIMMY · · Score: 5, Informative

    From an earlier /. article: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars

    From the article in this post: The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks .
    I love the "probably"

    --

    It is not enough to have a good mind. The main thing is to use it well. - Rene Descartes (1637)
  5. Chinese govt inspection of MSFT code? by SillyValley · · Score: 5, Interesting

    I recall MSFT allowed the Chinese government to look at Windows source code a few years back. I wonder if the vulnerable IE6/7/8 code was part of the code provided to the Chinese government, but IE5.4 (not vulnerable to the latest attack, apparently) didn't include the problem code? This is something that can be checked. It could be an indication of whether the Chinese used the source code inspection as a road map to identify vulnerabilities for attacks like these.

  6. No real fix... by Aoet_325 · · Score: 5, Interesting

    Sadly, microsoft doesn't seem to have anything you can do to fix this.
    http://www.microsoft.com/technet/security/advisory/979352.mspx
    It's seems all they advise will only reduce your odds of getting hit (by helping protect against the methods they've seen used to exploit it) and reducing the damage done after IE runs the malicious code on your system.

    What they should be suggesting is that people not use IE on the internet (if possible) until this is fixed.

    '0 day' exploits are everywhere. What matters to me is that once discovered they are quickly patched or at the very least, a work around that actually prevents exploitation is provided.

    I'd be interested to know more about the social engineering aspect of this attack. Was this more of the usual attempts (something that really should have been caught by anyone who knows better than to open random attachments and click links from strangers) or was there something much more involved that allowed the attackers to gain sufficient trust that any one of us would have likely fallen for this. Did the attackers spend months building a strong level of trust with the people at these companies or did someone click an on E-card?

  7. Re:Not PDFs? by biryokumaru · · Score: 5, Insightful

    I know, why isn't the solution ever "Use an alternative PDF viewer?" Instead of "Update Adobe Acrobat to another version filled with gaping security flaws."

    --
    When you're afraid to download music illegally in your own home, then the terrorists have won!
  8. Re:?Senior? by Runaway1956 · · Score: 5, Insightful

    And, "some of us" find these posts amusing. The FACT is, Microsoft products are the primary vector for every malware known to man.

    Using your logic, we should go back to dumping sewerage in the streets. I mean, yeah, it's kinda nasty, but plenty of people lived to be old aged in medieval Europe, right? They were probably the people who didn't click on purple apes too. Just forget about that plague thing. Over-hyped nonsense.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  9. Oh, but it doesn't count, right? by gillbates · · Score: 5, Informative

    Because according to Microsoft, system vulnerability is determined by the following formula:

    Vulnerability = (time of patch - time of discovery) * number of exploits.

    Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?

    For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.

    It always seemed obvious to me, but apparently not to others, that risk should be calculated using not on the time of discovery and publication, but rather, upon the ship date of the software. (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability.

    I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.

    The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.

    For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.

    --
    The society for a thought-free internet welcomes you.
  10. Confused by Microsoft P.R.? by Futurepower(R) · · Score: 5, Insightful

    You said, "Using IE6 is like using Firefox 1. Are you feeling lucky?"

    Note that you were confused by Microsoft public relations that is apparently trying to avoid responsibility. Here is a quote from the article:

    "Our investigation has shown that Internet explorer is vulnerable on all of Microsoft's most recent operating system releases, including Windows 7."

    Windows 7 uses Internet Explorer 8, the latest version. According to Microsoft, all versions of IE are vulnerable. But Microsoft makes a statement that is apparently meant to confuse:

    'Shortly after the report, Microsoft confirmed the new IE vulnerability was "one of the vectors used in targeted and sophisticated attacks against Google and possibly other corporate networks." A company statement said the attacks were carried out against version 6 of the widely used browser and suggested users protect themselves by enabling security features that have been added to successor versions'

    At present, 2010-01-15, 03:59 PDT, the Microsoft Security Advisory (979352) tells the truth, but also in a way apparently designed to confuse. This is an exact quote, after the confusing introduction, eliminating other confusing words:

    "... Internet Explorer 7 and Internet Explorer 8 on ... Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

    At present, here is the full, confusing paragraph from that Microsoft web page:

    "Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."

    For the apparent reason Microsoft allows IE to be insecure, see the New York Times article Corrupted PC's Find New Home in the Dumpster. As the article explains, operating system corruption and vulnerability to malware is very profitable for Microsoft and its main customers, who are computer manufacturers.