Microsoft To Issue Emergency IE Patch
CWmike writes "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents. 'We are planning to release the update as close to 10:00 a.m. PST as possible,' said Jerry Bryant, a program manager with the IE group. Microsoft has updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."
A: A good start!
Affected Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7
"Windows 7: with multi-core optimisations and improved app performance, be compromised faster than ever before!"
It should have been called a band-aid (over a gaping hole in the chest cavity.)
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Read that the attack targeted Perforce repositories. Haven't heard if any other source control systems were targeted.
Pretty clever way to gather intellectual property; I'd never considered it before, but for many companies if you can download their repository data then you have their crown jewels.
Is it still an emergency since it's been some time now since the vulnerability was made public? The best patch is to use a different browser.
"Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said as it also admitted that attacks can be hidden inside rigged Office documents."
Now to be 100% compatible with Microsoft Office, the OpenOffice developers have to work day and night to get this bug/hole/exploit to work exactly the same way in OpenOffice too. I have heard OpenOffice people bitch and moan, "Microsoft keeps changing file formats and APIs deliberately forcing us to do so much of work catching up", now I sympathize. I understand how difficult it would be to code up a gaping security hole that works exactly like it does in the De-Facto Standard.
That brings up another issue. The ISO committee now has to redo the standards to allow this exploit into the OOXML-is-standard-too document. But fortunately the 6000 page standard definition was already in the form of a doc file with this specially crafted backdoor in place. So Microsoft was able to step in, do the modification needed, and set the flags to erase all evidence of the edit and exit. The committee chairman Soldou Tothem expressed his gratitude to Microsoft and complimented their foresight in incorporating such back doors into the standards document.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
....I've already moved on to using Firefox 3.5.7 and Chrome 3.0.195.38 as my primary web browsers. The reason is simple: IE 8.0 is dog slow at times in web page rendering.
It only shows that warnings are never heeded when coming from the insiders and professionals. It takes global companies and several countries to ring the bell for MS to step up and patch exploits faster...
It's not really news that lots of exploits could (and probably were) abused for espionage (both corporate and international). But only now that 'teh evil chinese' are happily hacking along some action is taken.
This is exactly the kind of problem that could be avoided by listening to security experts.
Thanks M$ for giving a crap about the security of users, companies and countries... You're a few years too late stepping up the game, but please keep it up, we might as well have security as an afterthought instead of no security at all.
More information about this story can be found here.
I am officially gone from
Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about.
Are you suggesting that having access to the source code makes it easier for these hacker groups to find exploits?
Better keep that kind of blasphemy to yourself. It won't make you many friends around these parts.
From my understanding, every version of IE is vulnerable to the exploit, however not every install of IE is vulnerable. There are claims that "IE8 with DEP on" is vulnerable, but it says nothing about the combination of DEP and UAC.
http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17&pageNumber=2
Essentially, if you're using back versions of the operating system and don't keep updated, you're vulnerable. What makes this exploit different from a lot of others is that it has such a large attack surface. However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.
Microsoft has given the Chinese government preferential access to the Windows Source code. They even set up a lab of security researchers to look for vulnerabilities in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
As I recall, the Chinese government has access to the Windows source code. Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows.
While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was.
For geek dads: Contraction Timer
It merely shows yet another weak point in closed source development model -- if the code is leaked or given to bad guys, they can thoroughly analyze and exploit it while good guys can't do anything about it -- they have no legal means to obtain and analyze the code.
Open source development model does not, of course, have such issues with source code in the wild. Black hats can look at the code in both cases, but open development model is better because it easily allows white hats to have a good look too.
Yet another example that security through obscurity won't work, nothing really new here.
Microsoft has given the Chinese government preferential access to the Windows Source code. They even set up a lab of security researchers to look for vulnerabilities in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.
So essentially, it's NSA vs. China's group in a bughunt competition, and few if none of our "allies" can help, including MS.
Us versus them, the Red menace. What can we do about THEM? What can we do TO THEM?
From Wikipedia:
Oran's Dictionary of the Law (1983) defines treason as: "...[a]...citizen's actions to help a foreign government overthrow, make war against, or seriously injure the [parent nation]." In many nations, it is also often considered treason to attempt or conspire to overthrow the government, even if no foreign country is aided or involved by such an endeavour.
msft
Et tu, Brute?
"Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."
Google: Hey! We think the Chinese did this!
Security Experts (so-called): Hey! You're right! In fact, we now have evidence that the Chinese did this heinous crime!
Google: Wait! We think that someone in Poland helped out!
SE(S-C): Hey! By golly, you're right again! In fact, we have even more evidence that the Chinese were helped by those crafty Poles!
Google: Wait! We think that the same dudes who tapped into the Predator video-feed also had a devious hand in this!
SE(S-C): Hey! You're really batting a thousand! In fact, we just now received a cached download of the streaming video of Osama bin Laden's laptop showing him punching the buttons!
Google: Yay! Now we can go to the peoples of the world with all this wonderful proof that we don't do evil; evil is done to us!
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
The MoD in the UK has had access to the Windows sourcecode since at least NT4, and so GCHQ probably has people looking at it too. Note, however, that this license does not give them the right to compile their own binaries, so even if they find a bug, they can't fix it. All they can do is use it to attack other people, while remaining vulnerable to it. Makes you wonder why they still use Windows, really.
I am TheRaven on Soylent News
Per my subject-line above, & this quote from yourself next below - well... I'm sure you've all heard of considered what I stated above before, but... here goes:
"Microsoft source code is out there somewhere - some was stolen and out on the internet at one point. Isn't some of it also available to certain partners? It wouldn't surprise me if these hacker groups had copies of the source code and a library of exploits to use that nobody else knows about." - by mikem170 (698970) on Thursday January 21, @08:20AM (#30844862)
You're probably correct on that note, & THAT is the truly dangerous part... the things that we do NOT know about (yet).
(Still, it does have its merits, in those that do "hacking/cracking", in "black hats" as they're commonly referred to as (as well as those who are considered "white hats" also) - BOTH parties I refer to do a good thing, in that they BOTH point out what needs "shoring up")...
APK
P.S.=> Still, per your statement, & what I noted in my subject-line? Think this doesn't "work against" what's commonly called "Open Source" (pardon my 'pun'/joke above in my subject-line, because OPEN SOURCE per your very ideas? It really COULD be referred to as "OPEN SORES", & for the EXACT SAME REASONS YOU NOTED really!
(However, of course? Open Source also helps for making patches faster & from MORE FOLKS since more folks have access to the actual sourcecode of any Open Source app too - yes, it's a real "double-edged sword" type situation, for BOTH closed source & open source))... apk
http://tech.slashdot.org/comments.pl?sid=1518574&cid=30847474
We think much the same, per what I stated in response here in that URL above, & per what you wrote which I will now quote:
"While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was." - by Judebert (147131) on Thursday January 21, @09:35AM (#30845578) Homepage
Per my subject-line above, as well as the URL I just posted on this very same subject? We think greatly alike... (not that I consider myself a "great mind", as I only used that old adage to prove my point here... which is, in utter agreement with that which I quoted from you!)
Now, of course, @ least YOU have the "presence of mind" to realize THAT that which I stated also can "hold true" which is the opposing viewpoint you note - however, I do utterly agree that "Open Sores" (lol, just a joke, I don't want Mr. Stallman "coming down on me" here, OR, any of the "Pro Open-Source crew" doing so either, etc. / et al) does lend itself to MORE FOLKS BEING ABLE TO SPOT & REPORT ON, IF NOT PATCH THEMSELVES (well, provided they have a knowledge of programming that is)...
APK
P.S.=> Also per this statement from you:
"As I recall, the Chinese government has access to the Windows source code. Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows." - by Judebert (147131) on Thursday January 21, @09:35AM (#30845578) Homepage
Well... also in that URL above where I replied much along the SAME LINES/TRAIN OF THOUGHT as you have, Judebert? I feel that black-hat "hacker/cracker" types (alongside white hatters too mind you) do the world a "favor", albeit in the case of blackhats, unintentionally (mostly), & I noted it in that URL above: THEY POINT OUT WHAT NEEDS "SHORING UP" & IMPROVING!
("Big Fan" here of this old adage too -> "When life gives you LEMONS? MAKE LEMONADE!" - in other words? In every "bad", there's a GOOD too)... apk
Parent is totally right. There are certainly a lot of closed source programs which are written like crap. Many companies don't really care about security in their products as long as there are no vulnerabilities disclosed. When there are, they will (of course) provide a patch. That way, it looks like they care, while in fact they don't. If a bad guy can take a look at the code, he can probably find tons of vulnerabilities and exploit them without someone ever noticing it.
I have seen this situation especially in industrial embedded systems... machine controllers are accessible over the internet, authentication is done over a proprietary protocol and the server code looks like it was written by someone who learned programming with a 10min "how-to".
If only they would stop issuing patches and updates for IE6 and earlier, then we could get on with dropping all support, everywhere, for this POS browser.
Yeah, right.
This is not quite off-topic. I have attempted to post the reports that Google has backed down in China and re-enabled search result filtering in Google.cn in the last two days, but /. editors keep refusing to put it on the front page. Right, how can we criticize our newfound American hero defending the precious "freedom"? How can a hero back down to the evil China? A hero can't make a fundamental error of principle, or you are not allowed to know when it does. Can someone find a way to post this report?!
Microsoft has given the Chinese government preferential access to the Windows Source code
It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program - it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).
Also, universities can (and do) get access to the source code for study and research purposes.
With this I completely agree. I furthermore think they should completely discontinue support for Windows XP. I'm in a huge fight in our organization at the moment regarding the move to Windows 7. I'm getting met with a lot of resistance when we don't actually have an excuse to stick on XP. We already pay for the licensing for 7....
Sorry to reply to the fp, but the patch is ready. The Win update just pestered me to update for this one on a win2k install.
It's not "preferential". Any government can get Windows source code for security analysis under the Government Security Program
It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.
- it's just that Chinese were the first to jump on that bandwagon (it should be noted that there were similar programs in place before GSP, so China was only the first in GSP, not the first to get access to Windows source code in general).
I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places. Then China started threatening to use Linux and the source code access was set up specifically for them. It's not an accident that they were first in. It was their deliberate choice to get a head start.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
It's preferential over my company which (like most others) does not have this access and cannot use that as a benefit.
Well, my point was that China in particular didn't get preferential treatment. Government organizations in general do, yes, but there are still many of them (note that a particular government organization may also get the code for its own internal use, not necessarily the government as a whole).
Also, there is a similar program for companies. It would cost you a lot (since you need to have 1500 licensed Windows seats under an "enterprise" support agreement - I don't think you'll need the actual physical seats, though), so yes, it is discriminative, but nonetheless, if you want the source, you can still get it.
I'm fully aware that the NSA also had preferential treatment (look up "NSA Key" on Google some day) and that any other government can now arrange the same in principle. However, apart from the US, where Microsoft comes from, this was not previously being extended to other places.
This is incorrect. For example, the Russian government conducted security analysis (and certification) of Windows XP & 2003 source code in 2003, under the GSP. In fact, it seems that my previous statement that China was first to use GSP is incorrect, since the article claims Russia to be the first one to do so.