Slashdot Mirror


Microsoft To Issue Emergency IE Patch

CWmike writes "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents. 'We are planning to release the update as close to 10:00 a.m. PST as possible,' said Jerry Bryant, a program manager with the IE group. Microsoft has updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."

  1. Yikes by goldaryn · · Score: 4, Informative

    Affected Software
    Microsoft Windows 2000 Service Pack 4
    Windows XP Service Pack 2 and Windows XP Service Pack 3
    Windows XP Professional x64 Edition Service Pack 2
    Windows Server 2003 Service Pack 2
    Windows Server 2003 x64 Edition Service Pack 2
    Windows Server 2003 with SP2 for Itanium-based Systems
    Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
    Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
    Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
    Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
    Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
    Windows 7

    "Windows 7: with multi-core optimisations and improved app performance, be compromised faster than ever before!"

    1. Re:Yikes by goldaryn · · Score: 5, Funny

      I have Windows 7 Home Premium x64 Edition. Did you forget to copy that part of the list or have my early-adoption habits finally been rewarded? If so then at last all the years of no driver support, software incompatibility and system instability were worth it!

      Windows 7 for x64-based Systems
      Windows Server 2008 R2 for x64-based Systems
      Windows Server 2008 R2 for Itanium-based Systems
      Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
      Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
      Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
      Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
      Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
      Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
      Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
      Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
      Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
      Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
      Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
      Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
      Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
      Internet Explorer 8 in Windows 7 for 32-bit Systems
      Internet Explorer 8 in Windows 7 for x64-based Systems
      Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
      Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
      Non-Affected Software
      Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

      Hahahaha. Take that Firefox/Chrome/Opera users! I'm running Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4! SucNO CARRIER

    2. Re:Yikes by Hurricane78 · · Score: 5, Insightful

      Looks like a basic architectural problem. Or else it would not persist as long, through so many changes.

      No need to bash MS on top of the usual, because Win7 still has it. Think of a basic core library that just works since back then and does not need changing. You overlooked something, and someone found a way that you did not think about.
      That’s normal, and can happen to anyone.

      It’s usually not the bugs that are the problem. Everything has bugs.
      It’s the way MS handles fixing them. With massive denial, attacking others for mentioning it, and then a very very late, half-assed patch that needs another patch to patch the patch.
      That’s the real problem.

      Would MS just have a normal bugzilla, and in the normal case quickly fix the important bugs, I would have no problem with that. Mozilla does it just like that. And even Mozilla has a couple of long-standing bugs. I guess every big software has them. Because every software has a base architecture that you can only re-build every so many years in the complete rewrite. So bugs that don require that architecture to change can’t simply be fixed.
      Oh, that reminds me, that for IE, that rewrite is long overdue. That’s the reason there are so many big bugs in there. But I don’t see MS doing a complete rewrite, unless they are forced to completely throw away the old Trident engine.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    3. Re:Yikes by Anonymous Coward · · Score: 2, Funny

      So my father-in-law who's still on Windows ME is safe then?

  2. Attack targeted perforce repositories? by Distan · · Score: 2, Insightful

    Read that the attack targeted Perforce repositories. Haven't heard if any other source control systems were targeted.

    Pretty clever way to gather intellectual property; I'd never considered it before, but for many companies if you can download their repository data then you have their crown jewels.

  3. Define Emergency by sipatha · · Score: 2, Insightful

    Is it still an emergency since it's been some time now since the vulnerability was made public? The best patch is to use a different browser.

    1. Re:Define Emergency by Rogerborg · · Score: 4, Informative

      Literal answer: Microsoft classes anything that's not released on Patch Tuesday as an emergency (aka "out of band", but potaYto, potaHto) patch.

      --
      If you were blocking sigs, you wouldn't have to read this.
  4. Another blow to Open Office. by 140Mandak262Jamuna · · Score: 4, Funny

    "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said as it also admitted that attacks can be hidden inside rigged Office documents."

    Now to be 100% compatible with Microsoft Office, the OpenOffice developers have to work day and night to get this bug/hole/exploit to work exactly the same way in OpenOffice too. I have heard OpenOffice people bitch and moan, "Microsoft keeps changing file formats and APIs deliberately forcing us to do so much of work catching up", now I sympathize. I understand how difficult it would be to code up a gaping security hole that works exactly like it does in the De-Facto Standard.

    That brings up another issue. The ISO committee now has to redo the standards to allow this exploit into the OOXML-is-standard-too document. But fortunately the 6000 page standard definition was already in the form of a doc file with this specially crafted backdoor in place. So Microsoft was able to step in, do the modification needed, and set the flags to erase all evidence of the edit and exit. The committee chairman Soldou Tothem expressed his gratitude to Microsoft and complimented their foresight in incorporating such back doors into the standards document.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. While I welcome the patch.... by MtViewGuy · · Score: 2, Informative

    ....I've already moved on to using Firefox 3.5.7 and Chrome 3.0.195.38 as my primary web browsers. The reason is simple: IE 8.0 is dog slow at times in web page rendering.

    1. Re:While I welcome the patch.... by Anonymous Coward · · Score: 2, Insightful

      I wish MS would make a version of IE that ran in the popular Linux distros without emulation, then I could use it and be vulnerable as well.

  6. Shows difference between IT and politics by thijsh · · Score: 5, Insightful

    It only shows that warnings are never heeded when coming from the insiders and professionals. It takes global companies and several countries to ring the bell for MS to step up and patch exploits faster...
    It's not really news that lots of exploits could (and probably were) abused for espionage (both corporate and international). But only now that 'teh evil chinese' are happily hacking along some action is taken.
    This is exactly the kind of problem that could be avoided by listening to security experts.

    Thanks M$ for giving a crap about the security of users, companies and countries... You're a few years too late stepping up the game, but please keep it up, we might as well have security as an afterthought instead of no security at all.

  7. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  8. Re:Brrrrrrr! Sorry. Wrong Name. by Rogerborg · · Score: 3, Funny

    In Microsoft "it's not an emergency, it's an..." parlance, that would be an out-of-band-aid.

    --
    If you were blocking sigs, you wouldn't have to read this.
  9. Affected software list by magamiako1 · · Score: 2, Insightful

    From my understanding, every version of IE is vulnerable to the exploit, however not every install of IE is vulnerable. There are claims that "IE8 with DEP on" is vulnerable, but it says nothing about the combination of DEP and UAC.

    http://www.computerworld.com/s/article/9145958/Researchers_up_ante_create_exploits_for_IE7_IE8?taxonomyId=17&pageNumber=2

    Essentially, if you're using back versions of the operating system and don't keep updated, you're vulnerable. What makes this exploit different from a lot of others is that it has such a large attack surface. However, from what I'm gathering, the default Windows 7 install with IE8 should be safe from any attacks. As soon as you start disabling technologies (UAC, DEP)--you will run into problems.

  10. Re:stolen source by rtfa-troll · · Score: 3, Insightful

    Microsoft has given the Chinese government preferential access to the Windows Source code. They even set up a lab of security researchers to look for vulnerabilities in the code. I don't think leaks onto the internet have anything to do with it. It's kind of like all the possible disadvantages of OSS with none of the advantages.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  11. Attack from the source by Judebert · · Score: 3, Interesting

    As I recall, the Chinese government has access to the Windows source code. Google's been claiming that the Chinese government launched the attacks, and security experts have backed them up. The obvious conclusion is that having the source gave the Chinese government the opportunity to develop a new attack against Windows.

    While some might see this as an argument against Open Source security products, I see exactly the opposite. The closed source made it possible for the only party with the source to gain an advantage. In products where the source is available to everyone, there is no advantage to any party. Therefore the holes are found and sealed, instead of left to fester, like this one was.

    --

    For geek dads: Contraction Timer

    1. Re:Attack from the source by jmorkel · · Score: 2, Funny

      Microsoft was right! Open source is a security risk!

  12. Re:stolen source by Erikderzweite · · Score: 2, Insightful

    It merely shows yet another weak point in closed source development model -- if the code is leaked or given to bad guys, they can thoroughly analyze and exploit it while good guys can't do anything about it -- they have no legal means to obtain and analyze the code.
    Open source development model does not, of course, have such issues with source code in the wild. Black hats can look at the code in both cases, but open development model is better because it easily allows white hats to have a good look too.

    Yet another example that security through obscurity won't work, nothing really new here.

  13. Re:stolen source by TheRaven64 · · Score: 2, Insightful

    The MoD in the UK has had access to the Windows sourcecode since at least NT4, and so GCHQ probably has people looking at it too. Note, however, that this license does not give them the right to compile their own binaries, so even if they find a bug, they can't fix it. All they can do is use it to attack other people, while remaining vulnerable to it. Makes you wonder why they still use Windows, really.

    --
    I am TheRaven on Soylent News