Code Used To Attack Google Now Public

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

This is shocking!

[eihab]

The attack is very reliable on Internet Explorer 6 running on Windows XP ...
That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems

Google has employees running XP/IE6???

The only way I run IE6 nowadays is in a VM and basically just to test websites we're developing on local/trusted hosts. I wouldn't dare accessing anything with IE6 (especially with reputable sites being hacked and all).

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

This is a shocker!

Re:This is shocking!

> Google has employees running XP/IE6???
Where is this stated? Read carefully: "and it could possibly be modified to work on more recent versions of the browser, Marcus said."

Re:This is shocking!

[bfree]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

Re:This is shocking!

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.

Digg and Slashdot won't display correctly in that version of firefox (so much for web standards). There are people out there who can't change for good reasons.

Re:This is shocking!

[eihab]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser

I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

My company has high-profile clients who run IE6. I've lectured on-and-on about what a terrible browser IE6 is. But at the end of the day, if SVP of Marketing is running IE6 because of their IT department, and they look at the site and it's broken, then guess who they get to blame?

I happen to do freelance work on the side (for extra s*its-and-giggles), and when I do that I run the show and basically say "If you want IE6 support, you have to pay $X,000 extra." and honestly, if the project is not that challenging I will just refuse to take it regardless of how many zeros are in-front of the decimals on the check.

I _hate_ IE6 with a passion (and 7 and somewhat 8 for that matter), but I have to do what I have to do to pay mortgage, keep the lights on and feed the kids.

It's not _that_ self demising. The main reason I get up and go to work everyday is to provide for my family. I may enjoy it and I may not sometimes, but that's not the question, it's what gets the job done for my (our) clients that will pay for the life-style I've chosen to take.

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Re:This is shocking!

[eihab]

Anyone else smell the BS from this post?

What BS Mr. AC? Name something.

About me refusing freelance work that doesn't live to my standards? Guess what, it's "extra", and if my main job takes care of everything and then some, then I get to be VERY freaking picky about what I do with time I can spend doing what _I_ want.

Or did the $x,000 freak you out? Do you even work? What's your hourly rate?

Bah, I know better than to respond to ACs, but this was just infuriating.

Re:This is shocking!

[Anci3nt+of+Days]

yeah - who eats pizza???

Re:This is shocking!

[jo42]

You're marketing it all wrong. You need to sell the downloading and installing of the Firefox plugin for IE6...

Re:This is shocking!

[Gr8Apes]

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux....There are people out there who can't change for good reasons.

No, there are people out there who drank the coolaid and built systems on alpha software and refuse to change. That's different than cannot change like a leopard can't change its spots, but it can certainly decide to eat the rabbit over the snake.

Re:This is shocking!

[Gr8Apes]

at this point, I purposely break IE6 by including certain 3rd party libraries that are standards complaint yet don't work in IE6. I have that little notice that this site may not work properly in IE 6, along with a link to Firefox and Safari.

Re:This is shocking!

[antdude]

I still use and have to support it. MS still also supports it. :(

Re:This is shocking!

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

You're doing it wrong.

Re:This is shocking!

[RobertM1968]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

No, because most average computer users will simply not visit the site again.

Re:This is shocking!

[eihab]

The way that _you_ type is _extremely_ _annoying_. You don't have to tack on underscores to words or do anything else to them for that matter for people to understand what it is you're saying. Trying to add emphasis to words in your posts like this is completely unnecessary.

_I_ am _very_ sorry if _this_ "annoyed" ||you||. I'll "try" to be more _careful_ next 'time'.

Re:This is shocking!

[Kingrames]

Well, it's not entirely unbelievable to think that there might be a computer somewhere in Google HQ that hasn't used IE in 4-5 years, and if someone went to a website that said it required IE, and you just clicked the blue button and typed in the address, yes, something like this could happen.

And it's a believable explanation that doesn't assume malice or stupidity on their part.

Re:This is shocking!

[tixxit]

Yet you test your sites on IE6. Is the time not long past where you should just be displaying the same sort of message to IE6 users you would to $random_unsupported browser, or better yet the same one you give to $random_vulnerable browser. I'm afraid you are as much to blame as the governments, non-technical corporates and pro-MS shops for making yourself have to keep the VM around to test the insane browser.

Perhaps some sites can get away with dropping IE6 support, but, at least for my employer's main public site, IE6 accounts for 20% of our users. Should they use a better browser? Yeah. Can we get away with kicking sand in the face of 1 in 5 of our users? Hell no.

Re:This is shocking!

[TheLink]

There's probably plenty of stuff that still requires IE6 to work.

For example: HP's iLO stuff appears to be very browser type, version and configuration sensitive. We've had some problems using HP iLO with IE8.

Yes it works with IE7, but in our company the class of machines that upgraded to IE7 would be on IE8 by now (or would soon be).

The rest would still be on IE6.

Re:This is shocking!

[eihab]

I was shooting for funny but I guess I annoyed someone else too :P

Re:This is shocking!

Even more shocking to me, after last December's SAP system *upgrade*, our company's customer relation software only works on IE6, IT officially announced that IE7 and later are not supported. We are asked to downgrade out browser to IE6.

We are a big tech company in the US.

Re:This is shocking!

This is exactly the reaason having kids, family, lights and such other things is EVIL.
Having them forces people to do evil things just to mantain them.

Re:This is shocking!

[QuantumG]

Gah. Why does this stupidity keep getting repeated?

IE6 comes installed with Windows XP.. you can't uninstall it. For people who *never* use IE, that's the version we're going to have installed.

The problem here is that Acrobat Reader was embedding IE to display some user controllable elements. So the attack is:

1. Send the target a PDF.
2. They open it in Acrobat Reader.
3. Acrobat Reader loads up IE to display some elements of the PDF.
4. The embedded code triggers and exploit in IE.
5. Arbitrary code execution follows.

And yes, it is a totally lame attack but it works because:

* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.

End of story.

Re:This is shocking!

[erlando]

Not at all.

This is exactly the way I do it too. Except I explicitly tell all clients that "IE6 support will cost you XX hours extra". At $120+ an hour they think twice about IE6

Re:This is shocking!

[cyber-vandal]

Because IE6 is still a very widely used browser and therefore every large internet company needs it around to test stuff.

Re:This is shocking!

[V+for+Vendetta]

All the legacy IE6 users I've met tend to be government, non-technical corporates or extremely pro-Microsoft shops that bet the farm on IE6 and wrote everything in IE6/ActiveX fashion.

Here's another option for being forced to use IE6: still running W2K here. Unfortunately, MS decided "IE7 needs >= XP". So, until we replace our hardware, we can't upgrade to IE > 6 (which we would like to do, believe me, IE6 sucks hard). And no, we can't replace IE with another browser. 3rd party software requires IE in order to work.

You might ask "Why you're still on W2K?". Well, because at that time, XP offered nothing over W2K for us which would justify the amount of money and time needed to upgrade.

Re:This is shocking!

[dreamchaser]

I know you're trolling, but there is NOTHING 'evil' about supporting a commonly used browser while also trying to eductate one's customers about alternatives/upgrades. Get a life :)

Re:This is shocking!

[Antiocheian]

Asterisks as well. While I know no manual of style, I think asterisks are used for tone while underscore for emphasis:

*I* am _very_ etc

Re:This is shocking!

[Geoffrey.landis]

Well, asterisks are used for italics while underscore characters are used for underscored font. So if you use underscore for emphasis, you'd be right. I think of italics as emphasis, myself,

/. supports html, though, so you could just use italics.

Re:This is shocking!

[lieden]

Remember, Google also employs lawyers, accountants and any number of non-dev staff.
I would bet that most IE testing is done in the VM world, but not every Google employee works in tech - a lot of them probably just want Quickbooks and Exchange/Outlook to work. Maybe that was a hole in the armour and lead to an attack vector.

It's another issue that these people would have access to raw Google data. That's no good. But I doubt there's any significant number of the people one typically thinks of as a Google employee that uses IE.

Don't they mostly run linux on desktop(using VM for testing)? (not positive about that one)

Re:This is shocking!

[ckclark]

If it was up to me to do things I enjoy, I would probably play WOW, eat pizza and masturbate all day long. Happy now?

Everyone seems to be talking as if the problem stops at having IE6 installed. To be exploited, the more stupidity is required. Minimally, the user would have to launch IE6 and visit a malicious web site and probably do a couple of other things as well...

So maybe someone was doing exactly what you say... ;-)

Re:This is shocking!

[ckclark]

Okay, I have to admit that I should have read the code for this exploit first, because this one has a visit-only requirement. There's a nice video showing metasploit to do this:

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Re:This is shocking!

[Sir_Lewk]

So because you found a single company stupid enough to use such terribly obsolete pieces of software, I have to change how I test my product?

This is what is wrong with web development, in a nutshell.

Re:This is shocking!

[daveime]

and it could possibly be modified to work on more recent versions of the International Space Station / McDonalds Drivethru Menu Backlight / Diebold Voting Machine etc etc ...

Blanket statements like this are at best ignorant, and at worst downright FUD.

An exploit that works on a 9 year old version of the browser (6 years if you consider SV1 was the last major upgrade to IE 6), and two revisions back of the operating system (XP) is hardly newsworthy anymore.

What *is* newsworthy however, is why exactly Google of all people are still using it ? All their "support" for Firefox, and even developing their own browser / OS, and they get pwned by a Javascript running on a production server that presumably had access to their storage system ?

They should know better, really.

Re:This is shocking!

[daveime]

And I should know better and close my italics properly. D'oh.

Re:This is shocking!

[Will.Woodhull]

Twenty percent of PP's users are still with MSIEv6. Looking at this in the context of the 80/20 rule of business brings these questions to mind:

1. In general, 80% of customer-related costs are generated by 20% of the customers. How many of the these MSIEv6 users fall within this 20% group?
2. In general, 20% of customers account for 80% of sales revenue. How many of this top quintile of customers are using MSIEv6?
3. As a rule, it is worthwhile to identify the much smaller number of customers who are in the intersection of these two groups and treat them as special cases, red carpet treatment, whether they use MSIEv6 or not. Could this be done in PP's situation?

For many businesses this analysis is going to show that the bottom line could be improved by dropping support for MSIEv6. Pruning customers whose support costs more than the revenues they provide is good business sense (selling at a net loss never makes good sense). There are of course niche markets where this isn't true, such as direct sales of adult incontinence supplies. But even those niches are shrinking.

Re:This is shocking!

[eihab]

For people who *never* use IE, that's the version we're going to have installed.

Wrong. IE7 and IE8 have both been pushed via windows update servers and if you have automatic updates on, you will be running IE8 right about now.

If you work in a company with more than 3 employees (or have competent IT) you will probably be using WSUS or any other patch management software. Your IT department would have been offered to upgrade all the machines to IE8 around mid last year, and IE7 (as a critical update IIRC) even longer before that.

Basically, the only way for you to be running IE6 is if you couldn't be bothered upgrading your machines or if you're doing it on purpose because of a legacy app.

What was shocking to me is that Google would do either one of those.

IE can't be uninstalled, and no-one updates a browser they don't use.

If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.

Re:This is shocking!

[Lonewolf666]

And don't underestimate how many people will surf on dubious websites, even at work. An anecdote:
I know a guy who works in IT at a medium-sized German corp. Surfing porn sites at work is forbidden. Yet that guy told me once that he built his porn collection by searching users' hard disks for porn and copying it for himself ;-)

Re:This is shocking!

[ralphdaugherty]

And yes, it is a totally lame attack but it works because:

* Way too many people use Acrobat Reader to read PDFs (monoculture)
* IE can't be uninstalled, and no-one updates a browser they don't use.

End of story.

      wow, I had no idea Adobe was doing that. I will have to get that Firefox PDF reader plugin ad uninstall Acrobat Reader if they are using IE. (I have the included IE version with XP and never upgraded it, like most non-IE users.) Acrobat has its own security problems and I reluctantly upgrade when I think there's a version without a major exploit left in it, but embedding IE is unacceptable.

      They're gone.

  rd
   

Re:This is shocking!

[Hurricane78]

I'm afraid if I do that I'll be jobless and unable to pay my mortgage.

You GOT to be kidding! Do you really believe that?? Are you really that worthless to your boss? Or do you only sell yourself as being worth nothing? Do you say yes and amen to everything? Never learned to say no to your boss?
Well, after just watching the last episodes of “The Middle”, I am truly horrified at what you teach each other to do:
See yourself as less worth than a dog, and cave to every abuse anyone throws at you.

I think you are better than that! After all he hired you!
You know how some bosses simple “expect” you to work overtime for no money? That’s greedy freeloading. Not in the contract. Period.
I could just as well go, and say: “Weell, I’m sorry boss, but this month you got to pay me 40% more. Cause of $someLameExcuse.” And then he could fear that I quit.
You can that just as much, if you consider you of value.

Man... Why do people always get this the completely wrong way?
The best way to get what you want and be in control, is to define reality! Know what you consider to be right and wrong, draw the lines, and stand by them.
No, contrary to popular opinion, that’s not gonna get you in trouble! Or is your boss in trouble for doing it? No. How do you think he became a leader?
Simple: Because people get drawn into your reality, if you act like that. They start to respect you, because “Hmm, he does that so naturally... Seems that’s just how he’s used to be treated.” Which funnily is the exact same thing they think when you act all angsty like he’s going to fire you tomorrow.

But just like when you are in the “friend” zone with a woman (assuming you’re a man ;), once someone is used to how you act, you can’t just change it from one day to the other.
Find a new job, and get it right from the very beginning! :)

I, for one, would love to have an employee who can stand up to me and tell me to my face that I’m about to run right into a knife. Who has his own opinion. Who is smarter than me in what I hired him for, and expects to be treated as smarter (in that area).
Because is there anyone better to put in my place when I die. Or to open a new branch office?

Re:This is shocking!

[ralphdaugherty]

If you're stupid enough to refuse upgrading a major component of your system just because you don't think you're using it, well, then you deserve what you get.

        You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.

        Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.

        So le's rephrase that to anything stupid enough to not use my default browser without my permission deserves to be uninstalled.

  rd

Re:This is shocking!

[eihab]

Ok, so gender-wise it's reversed. I'm a "he" and my boss is a "she" :)

I stood up to bosses before, many times actually. I worked on (lead and developed) a huge custom web-based CMS in a job I had before. My boss was a past programmer and kept nagging me about putting all the sites/clients in one centralized database.

I whole-heatedly disagreed for performance and junior-programmers-writing code-unchecked reasons (which I tried to address separately). And I simply didn't do it. I told him flat out, if you want it done, you'll have to code it yourself because I'm not doing that, and you'll be shooting yourself in the foot.

Why did I take a stand there and not with IE6? Well, that was all back-end, it wasn't something a client would even care about and it was a stupid request given the company's circumstances. But when it comes to IE6 compatibility, if we "screw up" as far as the client is concerned, we can lose a 6-7 figures contract.

I've told my managers about how horrible IE6 is, and they know to add certain padding in development time if IE6 is involved. But as far as companies go, big clients say jump, the company says how high.

I hope when you hire people that you look for someone who's technical but also able to understand the business side, otherwise you'll have projects running way past deadlines and lose money because of a religious programming issue.

I do what I can to make sure my work is kosher. I follow W3C's standards (when I'm doing front-end) in everything I do.

But guess what, if the client wants a site in DotNetNuke built in tables because the WYSIWYG editor can't understand DIVs, and they're paying the bills, well, then they get what they asked for, no questions asked.

Customer is king (regardless of IQ), never forget that.

Re:This is shocking!

[eihab]

You weren't addressing to me directly, but *I* wasn't using it, I just found out from the poster's informative post that Adobe Acrobat Reader was using it.

                Rather than upgrade something I can't get rid of, I will be uninstalling Acrobat Reader and anything else that uses it.

And how will you know if another program on your system isn't using it?

It's been established that IE is part of Windows. Whether you use it or not, it's a major component in your chosen OS and it needs to be upgraded with everything else.

So le's rephrase that to anything stupid enough to not use my default browser without my permission deserves to be uninstalled.

I'm still sticking with "people should upgrade all of their OS components". The "stupid" in my last post was a result of being slightly pissed-off at the ignorance of the parent's post.

If Windows' update requests that you upgrade something and mark it as critical, then for the love of $DEITY, please do it.

If you think IE should not be a major component of Windows or you don't like how MS is running their OS upgrade cycle, then it's time to jump boat. Linux/OS X are perfectly viable alternatives :)

Re:This is shocking!

[dave87656]

What *is* newsworthy however, is why exactly Google of all people are still using it ?

To test that their sites work with all browsers, perhaps?

Re:This is shocking!

[eionmac]

http://news.bbc.co.uk/1/hi/technology/8463516.stm

German government warns all against using MS Explorer, any version.

Re:This is shocking!

[cyber-vandal]

Because turning customers away is in Google's interest is it?

Re:This is shocking!

[eihab]

Then your company needs to advise that you will have to charge more money to support a deprecated and standards non-compliant application.

We do. There's usually a line item called "Browser testing" which specifies which browsers/platforms the site will be thoroughly tested on (a.k.a. almost-pixel-perfect guarantee). Whenever IE6 is on that list, the numbers get inflated.

We never churn anything out but XHTML 1.0 Strict pages with all the best practices for performance and accessibility (e.g. css/js inclusion order, css sprites, graceful degradation, etc.).

IE6 support usually consists of major CSS hacks in a ie6.css that's included only for that browser. There are also other things to keep in mind, such as not using transparent PNGs in backgrounds of elements, etc.

It sucks, but it's possible to write standards compliant and performing websites that still work on IE6, it's just a major headache.

Re:This is shocking!

[jc42]

An exploit that works on a 9 year old version of the browser ... is hardly newsworthy anymore. What *is* newsworthy however, is why exactly Google of all people are still using it ?

Oh, I dunno; I've been doing some testing against IE6 lately. My motive is fairly trivial. I'm developing some Web stuff for an organization (which one doesn't matter here), and I did a bit of a survey to find out what browsers their people are using. IE6 turned up fairly high on the list. I've also sent announcements around to them inviting them to try out what I have running, and I collected the HTTP_USER_AGENT strings from all their requests from my server log. IE6 came up fairly high on that list, too.

So I have a copy of Windows, NT as a guest OS in a partition on my wife's Macbook Pro, and it has IE6 installed for testing. It's a pretty awful browser, but the customer's people are using it, so I try to at least make sure that everything is readable for them, if not always pretty. IE6 is why I eliminated frames from the prototypes.

It's "interesting" that the top browsers in this list are FF 3.5, IE8 and IE6. Chrome is rapidly sneaking up on them, though. Guess I'll have to install it, too.

(There are also a couple of people in the organization who aren't Web users because they don't have a computer. Can you imagine that? ;-)

Re:This is shocking!

[daveime]

Yes, fine, test boxes ... NOT production servers with access to the storage system where these bloggers details were stored.

Thank god I run IE4!

[Peter+Steil]

Seems like running IE4 on windows 95 has paid off....finally! Now if only active desktop worked properly...

In her defense..

[symbolset]

That admin has a hot rack.

"Aurora" IE Exploit Used Against Google in Action

[Proudrooster]

http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

Yawn, another unpatched MS browser exploit.

I hear there are several more for sale...

A Question

[koan]

I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet, the benefits versus the liabilities seem way out of proportion.
The fact that a bit of code can compromise governments is a strong indicator that no one really knows what they are doing in said government, and also begs the question why isn't Microsoft held liable for these issues? Why do we even use Windows for Government systems?
Hackers are cutting edge people, the government seems to be dwelling in 1990's tatics and security.

Re:A Question

I'm not a network engineer or very astute when it comes to security, but I have to wonder why we (America) have our electrical grid online (accessible from say Hainan China) or really any sensitive area online and accessible from the internet

It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.

Re:A Question

[DeadPixels]

Have you seen any of the new IBM commercials? We have to "build a smarter electrical grid", and if that means connecting our generators to 4chan, then so be it!

Re:A Question

[Ziekheid]

It's not a strong indicator that no one really knows what they are doing per se. First of all there is a big difference between a private network that is cut off from the internet and contains access to a lot of very sensitive data and a public network with employees working with semi-sensitive data.
Beside that it will always be a cat and mouse game and the type of browser (despite IE6 being very bad) with all currently populair browsers in mind wouldn't make that much of a difference because people will always focus on popular targets and Firefox is no exception.
Why should Microsoft be held responsible for these issues?
It's your own choice to pick a browser and no browser on the market can guarantee to be 100% safe, it rather begs the question why people haven't upgraded from IE6 to IE8 yet.
I'm also pretty sure companies like Microsoft have made sure they are protected from liability suits when it comes to products like these.

Re:A Question

[tagno25]

It's more like the 6 degrees of Kevin Bacon. No matter how much you try to isolate some network it's still going to accessible to the internet... somehow.

unless there is no cable connection them to any device that has access to the outside world, USB ports and CD/DVD drives are disabled, you use security on the cables, and you do not run Windows.
If you connect ANYTHING that is not approved then you can be fired and then sued if anything happened because of it.

Re:A Question

[AHuxley]

IBM had monopoly issues, so they spun off their desktop to Microsoft via a trusted known, wealthy family name, Gates.
The sort of people who understand IBM dealing with ww2 Germany and medical clinics for the 'poor'.
Microsoft then went after schools and trained a generation of young dumb mouse clickers.
Sadly they have now grown up and infected most of the US network from point of sale to your power systems.
Some parts of your government do not trust MS, but then they do not trust you.
The benefits are an average American can point and click. Short term profit versus the cost of Unix ect help too.
As for liabilities? At first MS was not networked, a dos box printing or counting, or networked to a real OS.
Later everybody had a go at this cheap MS code thing and networked.
What the US saved in rapid cheap roll out they are now going to have to watch crumble or be taken over.
Dont worry MS has cloud computing and mobile grade back ups and real security now, Bill ect, said so.
On the flip side, MS selling is great for the US gov. As China shows, if google can be hacked via MS, what has the CIA, NSA, FBI ect been doing with its world wide 'telco' networks, 24/7 for many years?
As for your electrical grid, they respond to their shareholder needs, not you the consumer and MS was fine.
If it breaks, you will pay per year to upgrade.
If your lights are out and your CC number is misused, hire a lawyer.

Re:A Question

[DarkOx]

Why should Microsoft be held responsible for these issues?

As a principled person I see your point and I agree with it. I would point out though in practice that software companies are treated in-congruently with regard to liability.
 
Manufacturers of other goods are held accountable when safety equipment fails. IE has all sorts of "safety equipment" these days, pop up blocking phishing filters; the whole trusted untrusted sites thing goes back to IE6 and prior.
 
Suppose you got in a car accident and the airbag failed to deploy; I suspect you could have a very successful law suit against the automaker.

Re:A Question

[Grygus]

This is true, but the key difference is that people aren't mucking about with the latest installation of their airbag, and criminals aren't gaining access to peoples' cars without their knowledge and tampering with the airbag; in other words, if the airbag fails it's very likely the manufacturer's fault, they exercise almost total control over the system in the vast majority of cars.

Contrast this to computer security problems, which are sometimes the fault of the security provider (in this case Microsoft) but just as often (if not more often) is the result of user interference (people misunderstanding how the security system works or disabling security altogether) and malicious intent.

The real culprit isn't Microsoft, but the people who write malware; for some reason we don't spend much time blaming the criminal and we heap all our discontent on Microsoft. Maybe because they're the easy target here. At any rate, hopefully this shows why a lawsuit against Microsoft is illogical; they do not have sufficient control over the situation to prosecute them.

Re:A Question

[Short+Circuit]

...and then sued if anything happened because of it.

Even that's a tricky path to cleanly draw; How can you know that that USB keyfob didn't have something on it that exploited a flaw in the FAT filesystem driver, and leave a clock-triggered piece of malware? Safest bet for a known incident is to wipe and reinstall. There are ways of doing such things automatically. :)

So...

[fuzzyfuzzyfungus]

Who else suspects that Google is stepping up internal use of Chrome?

Internet Explorer 6 is older than the Euro

Next time somebody tells you that their organisation can't switch from Internet Explorer 6 because of legacy intranet applications, point out that virtually all of Europe switched from their own centuries-old currency to the Euro in less time than it's taking to get rid of Internet Explorer 6.

Re:Internet Explorer 6 is older than the Euro

[Darkness404]

The difference is benefits vs drawbacks. With the Euro, the county (especially the smaller countries) got a lot more buying power and therefore more wealthy for minimal risk. With switching from IE 6 the company will -lose- money, especially in the short term to change from IE 6 and get little in the long term. Why fix what isn't broken (in the eyes of management). All the management sees is that it would cost $10K to go from IE 6 to IE 7 for a savings of $0.

Re:Internet Explorer 6 is older than the Euro

[Grygus]

To be fair, the case we make for IE8/FF3/Win 7/whatever is the same spiel we gave them to get them to switch to IE6/FF2/Win 98. It's a never-ending treadmill, it's not surprising that they'd see the entire enterprise as a bottomless money pit and want to get off at some point.

Video of the Exploit in Action

[danielkennedy74]

The following links to an example of using this vulnerability in Metasploit to compromise a user's PC, in essence what happened to users at Google and some 30 other companies via bad actors assumed to be Chinese Nationals: http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/

IE6

[ZeroSerenity]

While it is writen to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

Re:IE6

[RobertM1968]

While it is writen to say could possibly be modified to work with newer versions of IE, I find that a little unlikely considering the more recent track record of IE's beefing of security. Unfortunately the people writing these articles tend to have bias towards IE as a whole and not just against the mess that IE6 was.

Really? What do you base that on?

- First, there have already been a ton of exploits for IE7 and IE8 - and even some patches.

- Second, Microsoft never seemed to say that IE7 or IE8 were not vulnerable. They very carefully said this instead:
"At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer.” – Microsoft.

That states there are other affected versions... but Microsoft hasn't seen attacks against them. I could care less what Microsoft has seen... they also "saw" XP and IE6 as secure (pre Service Pack 1).

It also means the other affected browsers are... IE4? IE5? IE7? IE8? I wonder which ones of those are the ones they are talking about? I could almost bet you that it's not a pre-IE6 browser that they are talking about.

Example?

[XanC]

Can you give us some of those "good reasons"?

Re:Example?

[Architect_sasyr]

Nobody attacks Firefox 2.x anymore, so it must be secure!!!1!!

Re:Example?

[eihab]

Can you give us some of those "good reasons"?

I can. I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

The software they used modeled their business and also ran their books (accounting, employee hours, etc.).

They were not a computer shop, and couldn't possibly fathom why they needed to upgrade their machines.

Their sentiment was: we paid $xx,000 for this software, and we can't even begin to imagine life without it. It's quirky and does some things it shouldn't do, but it works good enough.

I'm not saying it was the best solution to stay with what they had, but honestly, it did work and everyone (non-techies) were very proficient at it (they even learned the shortcuts for crying out loud!).

It's hard for us geeks to understand that people can run s*itty software and be "ok" with it. But they have different measures of what's tolerable and what is not, be it ROI, comfort zone or overhead of re-training staff.

And yes, they believed in the software so much that they shaped their business and processes around it. Sad, but it happens, everyday.

Re:Example?

[erlando]

The largest bank in Denmark has all its employees running IE6 on Windows XP. The reason? It will cost $XX million to modernize all the legacy mission critical only-running-on-IE6 software.

Re:Example?

[cyber-vandal]

IE8 requires at least XP. Firefox 3.5 requires at least Windows 2000. So you're completely wrong.

Re:Example?

[XanC]

I did some contracting work for a company before that ran some specialized software that cannot run on anything past XP.

Re:Example?

[eihab]

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. ...

There are people out there who can't change for good reasons.

Can you give us some of those "good reasons"?

I can. I did some contracting work for a company before...

I'm not the GP/AC, I was chiming in about why some companies have their reasons to not change. It wasn't about which version of OS/browser anymore.

Re:Example?

[cyber-vandal]

I suggest you check your websites on firefox 2.xx. I was at a business this morning that still runs Windows 98 and firefox 2.xx. Their core application won't run on XP, OSX or Linux.

Apologies I made the mistake of not reading properly and thought you were responding to this one.

Re:MOD PARENT INSIGHTFUL

[CAIMLAS]

Try it... about 3 of the web pages in the world will actually display... Two of them are probably in Ugandan.

Sorta like irony. Sorta.

[Eil]

Anyone else find it amusing that Google has its very own web browser yet IE6 is apparently still widely deployed on their desktops?

Re:Sorta like irony. Sorta.

[dtml-try+MyNick]

Given the fact that the use of a web-browser is the main source of income for Google combined with the fact that IE6 still has a 10% market-share..
I'd be willing to bet that a shitload of people working at google simply need IE6 in one form or another to get their job done.

Re:Sorta like irony. Sorta.

[LordThyGod]

Not at all. This is the MS legacy: install XP, then install Firefox (Chrome, Safari, whatever). But you can't uninstall IE, and if you never use it, its sitting there at 6. And the exploit does not require actively opening the browser, just that its installed. One more reason to run away from anything from MS. How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.

Re:Sorta like irony. Sorta.

[ColdWetDog]

Dear Mr. LordThyGod:

Your statement:

How MS got away with claiming that the browser is so integral to the OS that it can't be uninstalled, is one of the great mysteries of the universe.

Leads me to think that your Deity card needs to be revoked or significantly downgraded. If that is one of the 'mysteries of the Universe", how the hell are you going to deal with something complex like calculus? I really don't think you ought to be running things, sir. Would you step this way please?

Google just wanted to pick a fight with China

[cenc]

I can not believe that Google, with all of its vast resources and years online, that a few email accounts getting hacked all of sudden set them off to pull out of China. They are pretending to the press as if this is something special or new on the internet that China is doing, or that these couple of "attacks" from China are too much. Google has got to be just hammered by Chinese attackers, and they make it sound like no other gmail account has ever been hacked. I bet they get thousands of illegally hacked email accounts a day for all kinds of people, from all over the World, by all kinds of means. Hell, I blocked Chinese ISP blocks and cut down on my little server being attacked and spam by about half.

So, what in particular is suddenly special about this one in relation to China?

Re:Google just wanted to pick a fight with China

[Vicegrip]

Google had some of its IP stolen too. It's hard to do business in a country where the government has no qualms about stealing your stuff and hurting your customers.

Re:Google just wanted to pick a fight with China

[TheRaven64]

So? It's not like Google respects other people's IP either. They are engaged in several lawsuits currently for exactly this reason (ironically, one with China).

It doesn't matter which browser.

[MadMaverick9]

It doesn't matter which browser you're using ...

If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

Until users change their behavior and start using least-privilege accounts while surfing the web, it's wrong to blame the browser.

Microsoft even says it in their security advisory kb 979352: An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

And this applies to any OS: Linux, Windows, Mac OS, etc.

Rootkit - contrary to what its name may imply, a rootkit does not grant a user administrator privileges, as it requires prior admin access to execute and tamper with system files and processes.

Re:It doesn't matter which browser.

[dotwhynot]

It doesn't matter which browser you're using ...

If you're logged in as Administrator or a user with administrative user rights/access, while surfing the web, checking your email, etc. --> you're vulnerable.

I don't disagree with it being better not running as admin, but a lot of malware will live quite happily in your userspace. And if a user privileged account is compromised there are privilege escalation exploits to get admin level, for fx rootkit if that is what they are after. MS is on to something with the IE8 protected mode sandbox in Vista/W7, running with lover privileges than even normal user. But it's just one part of this puzzle.

This is a wise course

[symbolset]

As long as after work you keep your skills up on modern tech, taking the customer's money to do the stupid thing is a wise course. Advising them, giving the chance, telling them that it's stupid is the moral choice but if not asked there's no shame in doing what you can with what you've got.

Actually there's an opportunity here - but I'm not going to enumerate it because then you'll be competing with me.

"the attack is very reliable on IE 6"

[Arancaytar]

YES. Finally.

Kill IE6. Kill it with fire.

bad aim?

[CaptainNerdCave]

every time i shoot at funny, all i hear is whoosh

Comment removed

[account_deleted]

Comment removed based on user account deletion

Stupid

[omb]

This is such a dumb American attitude, I hope your Company can work without its intellectual property and computer systems. I assume you dont have insurance as well!

Maybe he is a she?

[SmallFurryCreature]

Everyone knows girls need longer.

So you are the one

[SmallFurryCreature]

So you are the one that has sales demanding we support old browsers.

Right men, we got its location, capture is imminent.

Anyone want to set up a poll what do with him?

It better have a cowboyNeal option.

Shrug, okay, lets make it secure.

[SmallFurryCreature]

Making a country secure is easy.

Everyone mandatory implanted ID that can't be removed or altered without dying, say a chip implanted in the brain that extends barbs.

Tracking posts everywhere. All travel recorded and logged.

1 computer system, can only be activated with ID. No 3rd party software let alone your own stuff, every access is recorded and logged for 10 years minimum.

Should I go on? It is easy to implement and will eliminate all security problems. Feel free to take these ideas for when you run for election.

Security is easy, freedom and security ain't. To be honest, I prefer my government to be a bit slow and inefficient. The alternative is far more scarier.

People are so upset about that illegal immigrant who got shot on the tube when he tried to run. I would be far more worried if that guy had NEVER been able to make it into the country or if they had shot the right guy with a sniper efficiently. The whole mess shows there is still freedom. Freedom to get shot for sure, but also the freedom for journalists to still find leaks.

I really hope they posted it...

[indros13]

...to code.google.com.

Re:Another odd one.

[eihab]

Seems like they shouldn't care about GIMPs name, or OOo's lack of the dirty corners of Office.

They don't, it's all about the business case. Most graphic designers coming out of school nowadays are accustomed to Adobe's suite of tools (Photoshop/Illustrator, etc.), and to a company dropping $4000-5000 on a Mac+CS4 is nothing compared to the hours of lost productivity that a designer would spend getting up to speed and working around GIMP.

OOo on the other hand and older versions of MS Office stop being attractive when you try to send editable word documents to clients. Once one of your big clients switches over to Office 2007 you pretty much have to as well.

The only way for OOo to get a strong hold in the small/medium business world, is if they achieve very high compatibility with MS Office, which (knowing Microsoft) will be a very hard thing to do.

Just my 2 cents.

Fear, the Patch Tuesday of the Mind

[nightcats]

I'm a para-geek (a tech writer, actually), so don't understand the technical aspects of this. But I do sense the well-known fear that keeps products like IE6 running over corporate LANs. As I said in this post:

...the corporate mind is going to have to learn some courage if it is to discover its conscience. “Do no evil” (Google’s motto) is not enough, even if its intent is genuine. Aversion betrays an underlying fear; it is the software patch, the unending trail of ineffectual security updates, of the mind. It would be far better to simply say, “do what’s right.”

Microsoft - By Idiots for Idiots

[dogzdik]

Microsofts greatest innovation is to steal it. Haaaaaaaaaaaaaaa Haaaaaaaaaaaa Haaaaa And their totally SHIT browseR/s.... I have more security if I pull down my pants and hang my bare arse out of a tree at night in the park. LOSERS. I hate microsoft - I hate microsoft - I hate microsoft.... Traaaa Laaaaaa Laaa Laaaaaaaaaa