Widespread Attacks Exploit Newly-Patched IE Bug

← Back to Stories (view on slashdot.org)

Widespread Attacks Exploit Newly-Patched IE Bug

Posted by Soulskill on Saturday January 23, 2010 @03:01AM from the of-fish-and-barrels dept.

itwbennett writes "The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name." Relatedly, reader N!NJA was among several to point out that Microsoft has apparently been aware of this flaw since September.

102 of 141 comments (clear)

Min score:

Reason:

Sort:

kind of makes you wonder by v1 · 2010-01-23 03:12 · Score: 5, Interesting

in TFA: The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S.
Kinda makes you wonder just how many of these critical security bugs IE currently has in their queue to be fixed "sometime in the near future"?
And at the same time you have to wonder just how nasty some of the others are that haven't made the cut yet, just waiting to become the next "zero day we own your computer, again"? We see how big of an issue this is, and MS was clearly in no hurry to fix it, so you'd have to assume that there are at least a few more of these that they know about and aren't fixing yet.

--
I work for the Department of Redundancy Department.
1. Re:kind of makes you wonder by BartholomewBernsteyn · 2010-01-23 04:10 · Score: 5, Insightful
  
  That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw. Until he does, you can do nothing but become increasingly concerned, since you're left to the increasing danger of having your machine compromised in the meantime. This might be the right time to educate people about the main merit of open source software: As soon as a security hole is discovered, virtually anyone can contribute to a timely resolution. 0day? Fixed tomorrow!
2. Re:kind of makes you wonder by Runaway1956 · 2010-01-23 04:36 · Score: 2, Insightful
  
  "Kinda makes you wonder" if it's another slow news day. I mean, how many people did NOT see this coming? Even Joe Sixpack probably had this figured out - assuming that he even watches the evening news. Wait - maybe I'm getting senile. Joe stopped watching the news when he figured out how to schedule his programming around ESPN, More Gore Television, and Hot Chicks After Hours.
  Phhht. Maybe this IS news to part of the world?
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
3. Re:kind of makes you wonder by Penguinisto · 2010-01-23 04:36 · Score: 3, Insightful
  
  I'm the last guy you can accuse of being a Microsoft fanboy, but let's be fair on at least one aspect: it is helpful if the patches do their job (closing the hole) without breaking functionality (especially with enterprise software, where Microsoft counts its biggest customers).
  I agree perfectly that it is a fundamental flaw in proprietary software to have potentially exploitable vulns that only, say, Microsoft and maybe the script kiddies know about. I further agree that failing to disclose them prevents users from implementing some sort of work-around (depending on severity, blocking certain script actions at the proxy, implementing certain GPO actions to mitigate damage, etc). OTOH, most of Microsoft's customer base wouldn't even know what a work-around is (aside from just using a different browser, which is probably not what you'll see Microsoft recommending).
  The nasty stuff is lurking in there, certainly. Whether the bad guys know about it and can actually use it is another matter. I personally subscribe to the philosophy of full disclosure - it is better that everyone using the product know about flaws in it, if only to protect themselves. OTOH, I can see and appreciate (though not quite agree to) the opposite tack of limiting fields of research for the bad guys, as evidenced by the bad guys' habit (among others) of sifting through patches to find the flaws... where I part ways is in knowing that the patch-sifting is only one of many tools in which to find vulns. Whether it is the most popular method or not, I do not know.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
4. Re:kind of makes you wonder by X0563511 · 2010-01-23 04:58 · Score: 3, Interesting
  
  I like to think that the code for IE is so horribly mangled that it takes a solid month to get the thing to build (including compile errors, stupid typo bugs, compile time, compiling for all the different windows configs, etc)
  It makes me feel nicer that it could just be a shitty project, rather than just shitty people.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
5. Re:kind of makes you wonder by b4dc0d3r · 2010-01-23 05:06 · Score: 5, Insightful
  
  I'm a software developer. I have a list of things I need to fix, some things are higher priority. We set a date, and work as many patches as we can toward that date, into a single release or patch. Makes it easier to test when you bundle several things together, and can test 5 patches with a single test case instead of individually. That makes the cycle more efficient.
  Now, a large company would have more patches, and more would be high priority. So they fix what they can, that makes sense. Open the bug list, sort by priority, own one (or get assigned one). To the developer, this is just one of several (hundred?) problems on the list. Management has to increase the priority based on input from triage.
  The entire world might know a defect is a security vulnerability, but if it's not made clear to the triage guy, it will sit as "possible denial of service" medium or medium-well priority until the known vectors are taken care of.
  Thinking about it this way makes Microsoft's blunders understandable. Not forgivable of course. My customer sends me a bug report and says "gwah, you're exposing my entire database to everyone fix it now or face a lawsuit!!!!eleventy". I say, let's take a look, we find out that yes you can see the entire data set - after you enter your credentials and only while on your company's network, and you just sent a mail to your competitor with your credentials in it. Change your password, WONTFIX. In other words, MS has to have good info in order to decide how to prioritize.
  At the same time, they have to keep their customers and shareholders happy, so while the triage guy says "this is the worst bug ever in the history of everything and it needs to be fixed yesterday" the company itself says to the employee "sure, but follow all processes and have it reviewed and put it in the next patch cycle and we'll test all of them next week and prepare for a release next week."
  Then to its customers and shareholders it says "A small, hard-to-exploit exploit has been found and even though ASLR and DEP and sandboxing are in place, someone might after a million failures be able to exploit this exploit so we've decided to be proactive and fix this exploit. We haven't heard of anyone exploiting this exploit, but we didn't really ask any of our friends in the malicious software industry - but that was just because we didn't want to tip our hand. Your security is, after all, very important to us. Exploit."
  In short: there are more than we'll ever know.
6. Re:kind of makes you wonder by Opportunist · 2010-01-23 05:12 · Score: 1
  
  Unfortunately you're right, from a manager's point of view. Security, for them, is nice to have, but it must not get in the way of a smooth workflow. It's not "how secure is my system" but rather "how much does it cost if there's a leak and how likely is it to happen". It does simply not matter to them that they're insecure, as long as the data loss vs. its likelyness to occur comes out on top of the cost (be it direct, i.e. having to buy something, or indirect, i.e. hampering workflow and productivity), security is simply not seen as important.
  Not even goodwill loss matters. A company lost your private data? Fffft. Does anyone care? Look, Lady Gaga has a new album out!
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
7. Re:kind of makes you wonder by cheftw · 2010-01-23 05:28 · Score: 2, Funny
  
  The attack installs a Trojan horse program that is able to bypass some security products
  I don't see why you're so worried, this obviously refers to the equestrian unit.
  
  --
  Always back up, never back down. ---- Think you're cool 'cos your uid is prime? Take mine, modulo the one digit integers
8. Re:kind of makes you wonder by mpe · 2010-01-23 05:35 · Score: 5, Insightful
  
  That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw.
  
  Or even admit that there actually is a flaw. Microsoft were told about this months ago and there's no reason to believe that the first person to find a flaw with be a "white hat".
9. Re:kind of makes you wonder by __aaqvdr516 · 2010-01-23 05:58 · Score: 1
  
  Now that was extremely well put.
10. Re:kind of makes you wonder by rtfa-troll · 2010-01-23 06:03 · Score: 2, Interesting
  I really would be interested to know this too. It's a fairly big coincidence that Chinese hackers should happen to be using the same exploit as was in the MS security queue. The two likely explanations that occur to me are:
  
  China has access to the exploits to fix queue and has used that to develop their zero day exploits.
  
  The White hat hacker got the exploit from watching an attack
  
  either thing sounds quite bad for Microsoft. The first means their queue security is inadequate and that's a really big problem for the policy of responsible disclosure they try to encourage. The second thing is more serious because it means Microsoft failed to fix or inform about an hole which was actively being exploited. In this case the question is whether the white hat declared to Microsoft how he came about his exploit.
  Anyone have a better explanation which doesn't involve such a coinicidence?
  --
  =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
11. Re:kind of makes you wonder by Zero__Kelvin · 2010-01-23 06:23 · Score: 3, Funny
  
  "It makes me feel nicer that it could just be a shitty project, rather than just shitty people."
  There is no reason why they can't live together in unison.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
12. Re:kind of makes you wonder by westlake · 2010-01-23 06:41 · Score: 2, Interesting
  
  That is the main problem with closed source software; in the event of a security hole, you as a customer / company are left to the mercy / arrogance of your software vendor to patch the flaw. Until he does, you can do nothing but become increasingly concerned...
  0day? Fixed tomorrow!
  You can patch only what you know how to patch.
  In 2008 there were between 6 and 10 million lines of code in the Linux kernel alone. Linux Kernel Surpasses 10 Million Lines of Code
  In 2003 OpenOffice.org had 9 million lines of code. Build FAQ for OpenOffice.org
  You can only test your patch only on systems you can access.
  That your home-brewed solution is seriously flawed may only be discovered by your neighbors.
  The next time they load a JPEG from your site.
  As soon as a security hole is discovered, virtually anyone can contribute to a timely resolution.
  Most likely by staying out of the way.
  There is the final problem of how to roll out a patch. The naive end-user who auto-patches was spared Cornflicker.
  Secunia integrated with Microsoft WSUS
13. Re:kind of makes you wonder by Ifni · 2010-01-23 07:06 · Score: 2, Interesting
  
  Not to spark a conspiracy theory, but how much do you suppose some over-worked, under-paid, and under-appreciated Microsoft employee was paid by an agent of the Chinese government to provide this flaw from the list of yet to be addressed flaws? How much money do you think there is in selling these exploits in major software products to enemies of the state? I'm not implying that Microsoft does this intentionally, but I can see how their cavalier attitude can certainly create such an opportunity for Microsoft employees in the know. This should certainly be looked into by law enforcement officials to make sure that such leaks don't actually exist.
  
  --
  Oh, was that my outside voice?
14. Re:kind of makes you wonder by Reaper9889 · 2010-01-23 07:07 · Score: 1
  
  That is not really true. You, as a outsider, will need some time to understand the code and what is causing the error before you can fix it. That will take time and you can bet (for everything, but the smallest pieces of software) that it won't be "Fixed tomorrow".
  I suppose you could find someone who knows the code and throw money at him to fix it, but I suspect you could do the same with Microsoft, if you cared enough about the problem (but proberly quite a bit more expensive).
  I expect to be modded down for this (old, but what you said is the conventional wisdom on /.).
15. Re:kind of makes you wonder by ppanon · 2010-01-23 07:10 · Score: 3, Interesting
  
  China demanded the source code to Windows years ago and Microsoft gave it to them. I don't think it's a complete coincidence that China has been pushing Red Flag Linux internally. By now they know the bugs in Microsoft Windows and have multiple exploits ready for use, and they have backdoors in Red Flag so they can spy on their own people. If they ever get into a cyberwar with the US, you had better be running something other than Windows.
  
  --
  Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
16. Re:kind of makes you wonder by Foredecker · 2010-01-23 07:12 · Score: 1
  
  Sorry to pop your fantasy bubble, but IE, Windows, Office, Visual Studio and pretty much everyting else we ship build every day. That includes all the flavors: release, checked (debug), 32-bit, 64- bit, Itanium (yes, we still build that), and several languages. The build pretty quickly to - usually just a few hours. This is from 100% source to a fully installable product.
  With few exceptions, the code base is very 'clean'. That's true for most our products as well. For example, we have what we call 'MQ' phases of a project where we do nothing but clean things up. Of course, nothing is perfect: one thing great about code is that it can always be better. Thats true for our code, and others as well.
  So are you are calling people at Microsoft shitty? If you are than Ill ask you this: Really? Is that the best you can do? Name calling? Okey dokey then...
  
  --
  Jibe!
17. Re:kind of makes you wonder by Dilligent · 2010-01-23 07:38 · Score: 1
  
  Mod parent up, exactly my thoughts as a Software Developer as well.
18. Re:kind of makes you wonder by myspace-cn · 2010-01-23 07:54 · Score: 2, Interesting
  
  Isn't this just an argument for Microsoft's removal of FTP server updates and no "out of band" patching, and to only release "scheduled patching" (All this as I recall back at a time when Microsoft said they were going to enhance security from these changes)
  Since that time shit has rolled downhill.
  Does the Secunia warning on IE get ignored because of Microsoft's enhanced security policies? Or is it because removing IE's activeX breaks WGA?
  Personally I'd love to see tools for XP which allow removal and install of IE6,7,8 regardless of install state or service pack.
  I'll bring it back to pro tools, why can't you remove IE8 and install IE7 once your shit is slipstreamed SP3? While I would target the IE for the tool I need, other's might just want to remove IE altogether from their system for stability and security. Good luck if your OS has IE 8 to begin with.
19. Re:kind of makes you wonder by bug · 2010-01-23 08:21 · Score: 2, Informative
  
  Security firm eEye used to keep a long list of Internet Explorer vulnerabilities that they had reported to Microsoft, but Microsoft hadn't developed patches for. eEye's list tracked how many months, or even years, Microsoft had known about the vulnerabilities without releasing a patch. A few years ago, under pressure from Microsoft, eEye agreed to take their list down. Microsoft happens to be a big customer of eEye's, and presumably is responsible for a lot of eEye's revenue. This has been fairly typical behavior for security firms that have signed lucrative contracts with Microsoft over the last few years, and one wonders how much of this type of thing is merely hush money.
20. Re:kind of makes you wonder by AHuxley · 2010-01-23 11:47 · Score: 1
  
  Anyone have a better explanation which doesn't involve such a coinicidence?
  NSA, CIA, FBI liked the holes too, masking their online intel gathering/planting/tracking under the cover of semi pro script kiddies.
  It takes time for the next gen of long term useful holes to be found, examined and rolled out in the field. Would MS hold off on a patch for many ongoing investigations?
  MS is one big honeypot, everybody uses it, everybody gets in.
  From UFO hunters, to the feds, to Communist party members.
  As for security and MS, their ideas are adequate for consumer computing.
  If you need more, you can pay more and MS has a per core, per seat solution for you.
  Never let your wealthy customers get away with using low end consumer products.
  
  --
  Domestic spying is now "Benign Information Gathering"
21. Re:kind of makes you wonder by nev_ski · 2010-01-23 12:31 · Score: 1
  
  A scary thought but true nonetheless
22. Re:kind of makes you wonder by mindstrm · 2010-01-23 14:10 · Score: 1
  
  One good virus outbreak that takes the entire enterprise down for 36 hours and not fully back up to speed for about a week tends to open up the management coffers to stricter IT policies to prevent such things from happening in the future.
23. Re:kind of makes you wonder by X0563511 · 2010-01-23 17:52 · Score: 1
  
  So then, what is the justification for such bugs "laying" around for so long? Perhaps you are doing something. What then? You are a black box to 99% of the people out there, some indication of activity on the issue would probably be appreciated.
  All we can see is: bug gets noticed, and - maybe - it gets fixed in a few weeks, a month, maybe longer.
  Can you really fault us for having this opinion, if you look from our perspective?
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
24. Re:kind of makes you wonder by Foredecker · 2010-01-23 21:59 · Score: 1
  
  Im not on the IE team so I cant speak to specifics. But here is what I know. Finding and fixing security bugs is the highest priority on every developers plate. When we learn about one in code we own things stop, we triage it, and we come up with a plan to fix it.
  Often that plan is executed pretty quickly (sometimes even days...). Other times it takes longer. The reason is that almost none of these issues are easy to fix. Many of them must be done carefully so as not to break things or cause other security bugs. There is also some pretty extensive regression testing and review involved before we ship a fix.
  Note, this isnt any different from Linux, Apache, Firefox or other widely used FOSS software. Even Linux has latent bugs that have been there a long time and only recently fixed. Here is one. The maintainers of these products are diligent, responsible and work hard to fix security bugs - just like Microsoft teams.
  Did you actually look at the Microsoft Security Bulletin Page? Its really easy to find. We go to great lengths to get these out. You can get them on an RSS feed, via instant messaging, texts to your cell phone, and via email. What more do you want?
  Did you read the page on how we monitor and manage vulnerabilities? Mmm... seems pretty professional to me.
  Note that Mozilla guys dont publicize every security bug either. On their very professional security policy page they say this (excerpted, read the page for the full context...):
  
  Full information about security bugs will be restricted to a known group of people, using the Bugzilla access control restrictions described above. However that group can and will be expanded as necessary and appropriate.
  
  As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny.
  
  ... The Mozilla security bug group will have a private mailing list, security-group@mozilla.org, to which everyone in the security bug group will be subscribed. ...
  
  he security module owner, peers, and other members of the Mozilla security bug group will not be asked to sign formal nondisclosure agreements or other legal paperwork. However we do expect members of the group
  
  ... not to disclose security bug information to others who are not members of the Mozilla security bug group or are not otherwise involved in resolving the bug, except that if a member of the Mozilla security bug group is employed by a distributor of Mozilla-based products, then that member may share such information within that distributor, provided that this information is shared only with those who have a need to know, only to the extent they need to know, and such information is labeled and treated as the organization generally treats confidential material ...
  
  ... not to post descriptions of exploits in public forums like newsgroups, and to be careful in whom they add to the CC field of a bug (since all those CCd on a security bug potentially have access to the complete buzg report). .
  
  .. to be careful in whom they add to the CC field of a
  
  --
  Jibe!
25. Re:kind of makes you wonder by Foredecker · 2010-01-23 22:01 · Score: 1
  
  Dang - you mean that with open source you cna just patch someting and send it out with out testing it! Wow. That's AWSOME!
  
  --
  Jibe!
26. Re:kind of makes you wonder by Foredecker · 2010-01-23 22:38 · Score: 2, Insightful
  
  How about this: with a commercial software vendor - heck, lets just use Microsoft - you have a vendor that has the funds and qualified staff to fix problems quickly; Seucrity and regular bugs alike. You likely have a support contract that requires this. Things are found and fixed quickly and reliably. There are people whos job it is to respond to email and answer the telephone. Heck, they will even fly out to your site if they need to. If you are in a moderately big city there is likely support people already there.
  Ok, with Redhat someone can get the same thing, becuase they pay $800 a year for support.
  Here is another way to look at it: you suspect you have a bug in some OSS software... .Lets say its a major one like Firefox. You send the security email alias a mail (there is no phone number). Its a good group of people, but hey, they are busy and you dont have any kind of business relationship with them. No money changed hands, you have no support contract. They are under no obligationto help you at all - the license agreemetn even says so. You downloaded Firefox for free remember? You are dependant upon their largese and good repuation (and with Mozial, it is good).
  So you hope they can get around to it - they have some people you can exchange email with, and a bug you can watch. Thats groovy, but there are no solid expectations? They fix bugs and are generally reliable about getting patches out. They have a schedule and everything, but are not under any obligation to do so for you in particular. They are good honest folks so Im sure they will get to it sooner or later.
  Like I just mentioned to X0563511, I dont by the argument that "its open so anybody can look at it and fix bugs". Thats just bogus. Yes, of course its open. I saw a hilariously appropriate post on Slashdot a while back (paraphrasing):
  
  The ratio of people that comment on security problems to the people actualy qualifed to fix them is about 1000000:1.
  Its a myth that for any given open source project there are legions of devleopers with the skills, knowledge and expertise to correctly fix complex security bugs and issue a patch as you say "fixed tomorrow". Its not even a good myth. The Myth Busters wont be interested.
  All the major OSS projects have teams that own the code - just like Microsoft. They dont let just anybody fix bugs - let alone security bugs. The have bug triage and code review processes - just like Microsoft. They also have test, QA and releases processes too. Note there is at least one guy thinks security bugs in OSS code can be fixed with no QA (read this golden post...) and no, hes not being subtly humorous, just naive.
  All major OSS projects have a vetting and qualification process just like we do. For example, I can fix security bugs in code I own, but not in the Windows kernel. Even for changes in my code I get a seucrity dude to do a code review.
  Ill ask you this - how many security code reviews on other peoples code have you done? How many bugs have been fixed as a result? How many did you fix? Can you link to the bugs and change lists in a repository somwhere?
  Fixing security bugs is hard - harder than regular bugs and those can be hard. You really think that just any old developer can just dive right in and triage and fix security bugs? Really? Do you think the owning teams would let you? If so, then go read some of polices of major OSS projects, like the Mozilla pages here. "Virtually anyone" is most certainly not allowed to just dive in and fix security bugs in Firefox - hey wont let you unless you are qualifed and vetted.
  So look, I really do love open source software. The fact that it is open
  
  --
  Jibe!
27. Re:kind of makes you wonder by mikechant · 2010-01-24 02:56 · Score: 1
  
  and they have backdoors in Red Flag
  Sounds plausible, but any evidence/references? Is Red Flag following the GPL? Is there evidence that the source doesn't correspond to the distributed binaries? Anything dodgy found in the source?
28. Re:kind of makes you wonder by awyeah · 2010-01-24 12:31 · Score: 1
  
  You sure can. But at the same time, lots of other developers/power users/hackers/whatever may be willing to take the patch and provide feedback on it.
  
  --
  Why, no, I haven't meta-moderated lately. Thanks for asking!
29. Re:kind of makes you wonder by rcharbon · 2010-01-24 12:33 · Score: 1
  
  That makes no difference at all to most people. Whether or not the problem software is Open, they still have to wait for someone else to fix it.
30. Re:kind of makes you wonder by Foredecker · 2010-01-24 13:26 · Score: 1
  
  I was being a tad sarcastic. Im not now.
  When is it ever the right thing to release a security patch with no QA or testing? You use an interesting word may, as in
  
  ... lots of other developers/power users/hackers/whatever may be willing to take the patch and provide feedback on it.
  Are you suggesting to leave security QA to chance? Hoping someone will take a look at it? How are you going to make sure your patch really fixes the problem?
  -Foredecker
  
  --
  Jibe!
31. Re:kind of makes you wonder by ppanon · 2010-01-24 19:14 · Score: 1
  
  Sounds plausible, but any evidence/references? Is Red Flag following the GPL? Is there evidence that the source doesn't correspond to the distributed binaries? Anything dodgy found in the source?
  No evidence, apart from behaviour. Read the section on Nanchang Internet cafes in the wikipedia article on Red Flag Linux. Also see this article which implies it probably wasn't limited to that city and that the order came from high up. All Internet Cafes have been required to run Red Flag Linux, whether they previously had either pirated or genuine versions of Windows. Sure, you could argue that they just couldn't be sure of whether the "genuine" versions were really just very good illegal copies and were taking the easy way out. OK it could be crony communism where someone in RedFlag has good party connections, and the price required from the cafes would seem to support that. But why concentrate on Internet cafes? Precisely because that is how relatively anonymous access to the Internet can be achieved in China.
  I would be extremely surprised if their security people didn't believe in a variation on defense in depth. The Great Firewall is one layer, but if I was trying to limit the communications abilities of "dissidents", at minimum I also would be monitoring all traffic on public Internet terminals. The USA also does this to a lesser extent in libraries, for instance. However if you were responsible for security on a totalitarian state, you wouldn't rely on Internet Cafe operators to provide you with monitoring information. You would use backdoor monitoring of the systems in question, but you wouldn't have it constantly reporting since that would be detectable. You would set it up so that you could get a dump of recent activity if you wanted to follow up on specific activity (or suspected that an Internet Cafe operator was acting as a cover for "illicit" activities by feeding you false info on the monitoring reports they were supposed to give you).
  
  --
  Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
32. Re:kind of makes you wonder by Opportunist · 2010-01-24 23:16 · Score: 1
  
  Nope. It makes them hire some "external consultant", who will get a shitload of money to tell them what you told them a billion times already, they will look at it, assess the probability to happen again and file it accordingly.
  Don't think that managers learn from experience.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
33. Re:kind of makes you wonder by awyeah · 2010-01-25 07:09 · Score: 1
  
  No, not at all! Re-reading my comment, it may sound like I was suggesting that it's okay to release something without testing it - that's not what I meant.
  Don't open source people release patches to other developers for testing? I'd imagine that a lot of open source developers don't have the resources to fully QA everything themselves. That's all I was saying.
  
  --
  Why, no, I haven't meta-moderated lately. Thanks for asking!
34. Re:kind of makes you wonder by awyeah · 2010-01-25 07:13 · Score: 1
  
  My original point was that open-source teams - at least those who develop more popular products - may be able to develop, test, and deploy patches faster, because there may be a wider group of people who are willing test patches and provide feedback, and they may be able to do it without the same kind of red tape that you may encounter at a large company when there are product managers, QA teams, and paperwork involved.
  
  --
  Why, no, I haven't meta-moderated lately. Thanks for asking!
35. Re:kind of makes you wonder by X0563511 · 2010-01-25 10:06 · Score: 1
  
  Thanks for the good post. I've not looked at any of it yet, but I will. I appreciate you responding thusly and not just "freaking out" as any other slashdotter would do.
  Regarding the freeshell page - that's not really intended for anyone's use than mine. At one time or another, a link would have been added by me to serve as a bookmark I could get from anywhere.
  The slashdot comment that fired you up, was intended to be funny. I had no idea someone who actually had a clue would stumble across it. I am no coder, but I was a beta analyst for a year or so - so I do understand what you are saying.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
36. Re:kind of makes you wonder by Foredecker · 2010-01-25 15:47 · Score: 1
  
  No worries mate :)
  
  --
  Jibe!
threat? by clarkn0va · 2010-01-23 03:14 · Score: 4, Insightful

Microsoft has apparently been aware of this flaw since September.
Further evidence that the only "threat" as far as MS is concerned is the threat of a damaged public perception. Although I suppose that's an improvement in itself.

--
I am literally 3000 tokens away from the chaotic crossbow --Stephen
1. Re:threat? by hoboroadie · 2010-01-23 03:19 · Score: 1
  
  I just laugh. I haven't had to reformat the drive even once since I obscured IE.
  
  --
  They feared that it could be used to suppress protest or support unpopular rule.
2. Re:threat? by 1s44c · 2010-01-23 03:41 · Score: 5, Informative
  
  I just laugh. I haven't had to reformat the drive even once since I obscured IE.
  If you use windows without IE you are still very much at risk from the many other windows holes. You will cracked sooner or later and you may not even notice.
3. Re:threat? by Anonymous Coward · 2010-01-23 03:57 · Score: 1, Insightful
  
  OK, that's just a ridiculous statement.
  
  If you use windows without IE you are still very much at risk from the many other windows holes. You will cracked sooner or later and you may not even notice.
  How would you possibly know he will be cracked? If he doesn't click on and run malicious code he won't be "cracked". You do realize that Windows has had a firewall on by default for many years now, right? Today, the biggest source of vulnerabilities are applications. Since he has already taken Internet Explorer out of the equation by not using it, these vulnerabilities are in things like Firefox, Flash, Office, Acrobat Reader, etc. The attacks based on those vulnerabilities are not using "windows holes"; they are using problems with the applications. Simple safe computing practices insulates you against most all of them.
4. Re:threat? by v1 · 2010-01-23 03:57 · Score: 4, Insightful
  
  What's unfortunate here is there's still a lot of people out there that don't understand why some security researchers publish security bugs they find. It's issues like this where "We reported this to you FOUR MONTHS AGO and you haven't fixed it yet. We're going public with it tomorrow." Oh noes! Everyone's computer getting owned, it's all your fault, you should keep security bugs QUIET so we have time to fix them!.
  Ya, right, whatever. They don't want the researchers to keep the bugs quiet so they "have time to fix them". Clearly four months is more than enough time to fix anything important. So, just how many more of these critical security bugs are we continuing to keep under wraps until someone exploits them before getting around to fixing? The logical conclusion is the researchers should give companies like MS a flat 30 days notice, and then go public immediately after that. At least we'd be getting the bugs patched 35 days after discovery, instead of 130 days. Either way, the amount of exposure we experience is the same, they're going to drag their feet until someone lights a fire under them. The only one this "irresponsible disclosure" hurts is the publisher. In the end, it helps the users, because the publishers now have a concrete deadline to avoid losing face, rather than "lets hope no one else discovers this before spring".
  We don't need them gambling with our security, and that's exactly what they're pushing with their cries for "responsible disclosure".
  
  --
  I work for the Department of Redundancy Department.
5. Re:threat? by 1s44c · 2010-01-23 04:33 · Score: 2, Interesting
  
  So you are saying that any windows machine that doesn't run IE is safe-ish? Because it's not, there are countless flaws in other Microsoft code any one of which could cause a major security problem. If you don't start with a good design you have NOTHING.
  You don't really trust a software firewall written by Microsoft do you? If you want a firewall use a proper ( i.e. not software ) one.
6. Re:threat? by Kozz · 2010-01-23 04:45 · Score: 3, Insightful
  
  If you use windows without IE you are still very much at risk from the many other windows holes. You will cracked sooner or later and you may not even notice.
  Even more disturbing, some people may notice and not think much of it. What is the most obvious evidence you can imagine of being 0wned? I talked to a guy once who was telling me of PC troubles (he knew I was a "techie" guy) and said he occasionally would notice the mouse would move, click, etc without his input. I quickly asked him if he did any kind of commerce, banking, online bill-paying stuff, and he said "yes". I told him to go home and unplug his modem/cat5/whatever and to format the computer asap.
  It wasn't clear what exactly he thought the problem was, but I recall thinking he was surprised when I told him that there was a person on the other end of the wire moving the mouse, using his PC for who-knows-what. And even then he didn't seem to have a sense of urgency about fixing it. You can't fix stupid, as they say.
  
  --
  I only post comments when someone on the internet is wrong.
7. Re:threat? by Antique+Geekmeister · 2010-01-23 04:55 · Score: 1
  
  Not to defend Microsoft's consistent failure to address security issues, but 4 months is not an unusual release time for a non-critical bug. It needs to be tested, it needs to be reviewed if it changes or breaks any other tools that rely on a sloppy API or tricky "feature", and it needs to pass regression testing. When you're running core servers, worldwide, and stand to lose millions of dollars if you accidentally break something critical, you'd better test it well. And for we who install patches, we expect official vendor patches to _not break other things_.
  The risk of breaking things with an untested patch has to be measured against the risk of leaving the vulnerability open: this is why so many server-class systems out there have _no_ scheduled updates, and rely on "we trust the people we work with" to protect their internal services, and will never _get_ this recently published patch.
8. Re:threat? by Phroggy · 2010-01-23 05:03 · Score: 1
  
  Microsoft's reasoning is this:
  Most security flaws are found by white-hats, who report the flaw to the vendor and keep their mouth shut until the vendor releases a patch - and even then, the details of exactly how to exploit it are usually not disclosed right away. However, as soon as the patch is released, the black-hats (who had previously been unaware that the flaw existed) now begin analyzing the patch itself, to see what it changes - and they soon figure out how to exploit the flaw in unpatched systems.
  If Microsoft releases patches immediately as soon as the patches are available, the black-hats will begin working on them immediately and will have an exploit soon. But although individual consumers might have automatic updates enabled, corporate IT departments prefer to test things before deployment, and this is much easier to do when patches are released on a schedule - for example, if all patches are always released on the second Tuesday of the month, then an IT department can plan to begin testing new patches on that day, push out updates to workstations Wednesday night, and schedule downtime to update production servers Friday night. If they work this into their schedule, patches will get deployed quickly, and with any luck, the black-hats won't hit them with an exploit within those few days.
  But if patches are released whenever they become available, IT departments can't prepare for them, and are more likely to put them off until it's convenient. Maybe that'll be a couple of weeks - but maybe it'll be a couple of months, because there is no coherent plan for deploying updates at all. This gives the black-hats plenty of time to weaponize the exploit, and script kiddies to start using it.
  So, if you assume that in most cases the black-hats don't find bugs before the patch is released, Microsoft's strategy is actually good. The danger, of course, is that if the black-hats discover the flaws before a patch has been made available, and are quietly exploiting them without drawing attention to themselves, then Microsoft's strategy is bad.
  
  --
  $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
  $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
9. Re:threat? by ozmanjusri · 2010-01-23 05:24 · Score: 2, Insightful
  
  How would you possibly know he will be cracked?
  80% of home Windows computers have been compromised by one or more viruses.
  IE market share is below 40%
  You do the math.
  Interestingly, even though most of those apps you mentioned as sources of vulnerabilities exist on other platforms, the rates of infection of anything other than Windows remains at zero or close to it. I'd say that points to a platform problem, not an application one.
  
  --
  "I've got more toys than Teruhisa Kitahara."
10. Re:threat? by AmberBlackCat · 2010-01-23 06:21 · Score: 1
  
  If you use Linux, you are very much at risk from the many holes. You will be cracked sooner or later and you may not even notice.
11. Re:threat? by jesset77 · 2010-01-23 06:24 · Score: 1
  
  It needs to be tested, it needs to be reviewed if it changes or breaks any other tools that rely on a sloppy API or tricky "feature", and it needs to pass regression testing. When you're running core servers, worldwide, and stand to lose millions of dollars if you accidentally break something critical, you'd better test it well.
  This entire line of reasoning is merely another call for open source software. Browser makers should not be in a position where they are somehow personally responsible for complex, demonstrably unstable business installations. If the code is open, then the business clients who stack complicated houses of cards on the software (be it browser, OS, or wherever) can take their own responsibility for their non-standard decisions, and the software vendors can focus on meeting generic standards and keeping security up to date for everyone.
  Luckily, we don't have to expend any effort in this fight. The market will clean the mess up for us nicely. :)
  
  --
  People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.
12. Re:threat? by Zero__Kelvin · 2010-01-23 06:28 · Score: 1
  
  "I just laugh. I haven't had to reformat the drive even once since I obscured IE."
  Ironically your malware is clearly now, like your IE, better hidden.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
13. Re:threat? by Anonymous Coward · 2010-01-23 06:34 · Score: 1, Insightful
  
  You will cracked sooner or later and you may not even notice.
  And how is the average user going to notice they got rooted on Linux? Nice try at FUD though. Wouldn't expect anything but the best anti-ms hate around here..
14. Re:threat? by Zero__Kelvin · 2010-01-23 06:35 · Score: 1
  
  "Not to defend Microsoft's consistent failure to address security issues, but 4 months is not an unusual release time for a non-critical bug."
  Great point! What could be less critical than a bug that lets the Chinese own your data!
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
15. Re:threat? by nmb3000 · 2010-01-23 08:09 · Score: 4, Informative
  
  IE market share is below 40%
  Anyone who uses w3schools's browser stats as a reference for general browser usage needs to get knocked on the head a few times. That is a perfect example of biased results due to the nature of the sample.
  A better number is about 62%.
  
  --
  "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
  /)
16. Re:threat? by Antique+Geekmeister · 2010-01-23 09:08 · Score: 1
  
  You've got it backwards. What is _more_ critical? A bug that prevents Microsoft from booting on new OEM systems? A bug that fails to reset IE as your default web browser? A bug that breaks the MS update tools and blocks other updates? A bug that causes 2003 servers to crash on Jan 1., 2010?
  I don't know the full set of bugs recently patched, but a fast look at Windows Update shows a whole stack of "Windows Defender" updates, and other security updates, that were doubtless already in the queue.
17. Re:threat? by Zero__Kelvin · 2010-01-23 10:44 · Score: 1
  
  I don't think you read what I wrote. Either that or you took me seriously. Obviously the first two and the last you listed should not have been fixed at all in the interest of security for the whole internet. The one about breaking updates should have had the same priority as the IE6 bug, to wit: must be fixed. now.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
18. Re:threat? by Antique+Geekmeister · 2010-01-23 12:15 · Score: 1
  
  I read what you wrote. I took you seriously. The IE vulnerability was fairly minor at the time Microsoft was notified, as I understand the timeline: there were far more active and dangerous vulnerabilities already in the pipeline. Compared to the plethora of _other_ IE flaws, it was understandably dealt with at a low priority level.
  This one has merely gotten more attention due to the Chinese/Google situation, but make no mistake, it's not that big a deal compared to the other huge security flaws going on. If such dangerous flaws were taken seriously, for an open source xample, Subversion would have stopped automatically storing your SSH, HTTPS, and HTTP passwords in cleartext years ago.
This clearly needs 10 more stories by abigsmurf · 2010-01-23 03:18 · Score: 1, Flamebait

This has been covered ad nauseum here. Do we really need an update every 10 hours? A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.

No doubt there'll be more stories about this. Was the patch larger than it needed to be? Does the patch break applications (it already breaks ones that exploited! It must break more!). Is Microsoft's failure to patch speedily yet another indication that Obama's administration is failing to meet its promises?

Stay tuned as Slashdot milks this story for another week!
1. Re:This clearly needs 10 more stories by Arancaytar · 2010-01-23 03:32 · Score: 1
  
  Is Microsoft's failure to patch speedily yet another indication that Obama's administration is failing to meet its promises?
  
  Absolutely! :-P
2. Re:This clearly needs 10 more stories by 1s44c · 2010-01-23 03:43 · Score: 3, Insightful
  
  This has been covered ad nauseum here. Do we really need an update every 10 hours? A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.
  Thats not entirely fair. It's not practical for many people to update all systems within a day or two. Most organizations don't move that fast.
3. Re:This clearly needs 10 more stories by 1s44c · 2010-01-23 03:51 · Score: 2, Insightful
  
  This has been covered ad nauseum here. Do we really need an update every 10 hours?
  Yes. Micro$oft bad!
  Well, they are.
  
  A bug was exploited, it is now patched. Anyone who falls victim to it now deserves to do.
  Windows users dumb.
  That doesn't follow. Fooled because they don't know better or don't get the choice maybe, but dumb isn't the right word.
  
  Stay tuned as Slashdot milks this story for another week!
  Stories like this are raw meat for the Linux Hammer Legion members.
  Stories like this clearly show Microsoft for what they are - A company that doesn't care about the online safety of their customers data. They are a monopoly with the normal monopoly mentality that customers are there to serve them.
4. Re:This clearly needs 10 more stories by Anonymous Coward · 2010-01-23 04:18 · Score: 1, Insightful
  
  "Anyone who falls victim to it now" is a typical Microsoft client. The IE security flaw in Windows has been arguably patched for years already anyway -- it's called Firefox.
  Right now we're in NASCAR effect - this is the slowmo replay of the latest pileup that has included major governments saying stop using the browser. You think it stopped being notable after the original tire blew? Rub a lamp. There's at least a full week's worth of commentary about the individual cars wrapping into balls on the guardrail now.
  Which is great. MS's crap approach to security needs broader, louder coverage. Clearly it hasn't been loud enough yet.
5. Re:This clearly needs 10 more stories by the+eric+conspiracy · 2010-01-23 04:32 · Score: 2, Insightful
  
  The problem is that M$ gets the timeline wrong so often. It should be:
  1. Find bug
  2. Patch bug
  Not:
  1. Find bug
  2. Ignore bug for n months
  3. News released about exploit
  compromising customers installations
  causing international incident.
  4. Release self serving announcement
  that other systems are not affected
  5. More exploits appear
  affecting larger numbers of customers
  6. Patch bug
  Until this irresponsible behavior stops there should ba a lot more stories. These guys need to have the light shown on their absurd practices as brightly as possible.
6. Re:This clearly needs 10 more stories by abigsmurf · 2010-01-23 04:56 · Score: 1
  
  Yeah, an exploit for firefox couldn't possibly be made public before a bug is patched patched. Adding to that, if a bug is exploited in Firefox it is far easier for it to do more damage than in IE8 due to lack of sandboxing and protected memory.
  
  This current exploit doesn't even work if people had IE8 with default settings.
7. Re:This clearly needs 10 more stories by the+eric+conspiracy · 2010-01-23 06:34 · Score: 1
  
  Stop trying to change the subject. This issue is about a bug in IE 6 which DOES NOT run in a sandbox. See #4 in the grandparent post. In addition it is normally run on systems where the user is forced to run in administrative mode due to other stupid MS practices.
  Finally the icing on the cake is that many people are forced to use IE 6 because they must use applications that are written to MS's prior non-standard ideas of how HTML should be interpreted.
  It is a lose-lose-lose-lose scenario that MS forced upon its users through shoddy engineering practices at every step of a long and winding path.
  Not only that - the bug exists in IE 7, and there is speculation that despite the sandbox it is exploitable because Vista does not turn on DEP by default.
8. Re:This clearly needs 10 more stories by abigsmurf · 2010-01-23 06:49 · Score: 1
  
  IE6 is 10 years old, obsolete and MS have been pushing for people to upgrade for a long time now. Microsoft's support of legacy products a lot better than most companies (including OSS ones). How many flaws are there in Phoenix/firebird?
  
  As of yet there is no exploit that will work with a default install of IE7+ and there probably never will be now as it would be a waste of time.
9. Re:This clearly needs 10 more stories by the+eric+conspiracy · 2010-01-23 09:19 · Score: 1
  
  IE 6 was first sold 8 years ago, not 10. And since when is an obsolete legacy system something that you can go out and buy off the shelf for installation in new systems? According to Wikipedia IE 6 is the most used IE version, likely mostly due to the unpopularity of Vista and the long and tortured development cycle for that product.
  As far as Pheonix and Firebird, sure they have flaws, however use share is less than 1%, completely unlike the 20+% of IE 6.
  Of course MS is encouraging people to upgrade. However plenty of people don't have that option because of functional requirements and corporate IT policies.
10. Re:This clearly needs 10 more stories by gabba_gabba_hey · 2010-01-23 12:18 · Score: 1
  
  In the article you linked to about the firefox exploit they state:
  Do note that Heisse tried to confirm the vulnerability and only managed a crash on Vista and can't seem to make it work on Windows 7 RC1
  So this exploit did not lead to the system being compromised and your comparison is dishonest at best.
Exactly how does it work. by Murdoch5 · 2010-01-23 03:23 · Score: 1, Interesting

What protocol is used to search the system? sure the attacker can get in but once inside just how much access do they have.

Do they get returned an FTP / HTTP view of the computer folder by folder. Do you get kicked into a telnet terminal / ssh terminal maybe even a NFS terminal.

Correct me if I'm wrong (but I do have a CCNA cert) Why not block the access ports that get opened, unless it's port 80 and then filter the traffic.

Yes it's microsofts problem to roll out a patch and fix the bug but it seems like theres a lot that the user could do before the patch is ready.
1. Re:Exactly how does it work. by Arancaytar · 2010-01-23 03:31 · Score: 5, Informative
  
  Once Windows is compromised (by a sophisticated worm, not something that places advertisements in IE), there is very little a user can do that the worm cannot prevent or bypass.
  The Windows settings assistant may nod and smile, and say the port is closed, while the worm is using it in the background. You might see that if you look at the router's logs, but inside Windows the worm can control what you see or do.
2. Re:Exactly how does it work. by jesset77 · 2010-01-23 06:35 · Score: 2, Interesting
  
  Correct me if I'm wrong (but I do have a CCNA cert) Why not block the access ports that get opened, unless it's port 80 and then filter the traffic.
  Ah, CCNA. ;D
  Most users, if they have a router at all, have a SOHO router with minimal firewalling ability, just NAT/PAT.
  The simplest worm I could think of that would drink your milkshake would just dial home via SSL port 443. Client-initiated connection, redialed as needed: what on earth could your fancy firewall do about that? :3
  Moral of story: Don't get rooted. :(
  
  --
  People willing to trade their freedom of expression for temporary entertainment deserve neither and will lose both.
3. Re:Exactly how does it work. by Zero__Kelvin · 2010-01-23 06:37 · Score: 3, Funny
  
  "Correct me if I'm wrong (but I do have a CCNA cert)"
  That's just plain wrong
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
4. Re:Exactly how does it work. by ekhben · 2010-01-24 12:42 · Score: 1
  
  IP-over-DNS, or IP-over-ICMP. Your router shouldn't be blocking port 53 *to your ISP's resolver*. Your router probably won't block ICMP. If you run a VLAN, you'll still want to do DNS, and at that point IP-over-DNS can provide a tunnel for an attacker into your "protected" network.
  Virus kits mean that complex tricks become commonplace. It's common for a virus to go stealth now, because there's library code to root a machine. It's common for viruses to use a suite of anti-anti-virus tools, because there's library code for that. I doubt anyone's doing IP-over-DNS or other advanced external firewall circumvention techniques, but if anti-virus vendors ever get it into their heads that they could sell black boxes to sit between PC and intarwebs, offering SPI firewall scanning, it will happen.
  Come to think of it, a black box virus firewall would be a product worth buying, if done even slightly right. It could alert on high outgoing mail volume, it could fetch a daily list of evil IPs to block and alert on, it could run a self-checking firmware OS to protect itself against tampering, and it could inspect packets for known virus message signatures. And it wouldn't bring your PC to its knees!
  Then again, the half-assed work that anti-virus vendors do would probably drop packets all over the floor if your network speed exceeded 56.6k/sec.
I wonder if responsibility is ever assigned by erroneus · 2010-01-23 03:55 · Score: 1, Interesting

So someone or a project team writes some code. The code is later found to be used as part of an exploit that further harms the reputation of the company. Does anyone ever go back and say "hey, you wrote this crappy code! You're fired!"?
It almost seems there are more vulnerabilities (both patched and unpatched) than there are lines in the Windows source code. I know there will be no end to the finger pointing where developers decry the problem of deadlines while management points to the lack of skilled coders. But seriously, how much of all this can be attributed to poor programming practices? I remember from the earliest days of coding C that there were a few functions that existed that wise programmers should avoid as the use of those functions would immediately make your programs vulnerable. Further, it seems that bounds checking and other data validation needs to go on more often as well. How is it that the top dog in the software game can't keep up with these very simple principles?
And what of public disclosure? Some people try to say that public disclosure is what is responsible for most of the hacking that goes on out there. Meanwhile, this was essentially a -1 day vulnerability that didn't get disclosed until after the damage was done... or was it? Was this yet another of the reported bugs that Microsoft sits on rather than acts on? While following the bugtraq and other mailing lists, I observe that Microsoft tends to ignore or disregard a great many of the bugs reported to it, so I have to wonder.
1. Re:I wonder if responsibility is ever assigned by Anonymous Coward · 2010-01-23 05:19 · Score: 1, Insightful
  
  How is it that the top dog in the software game can't keep up with these very simple principles ?
  Why should they ? They have a monopoly on the desktop, and unless it affects their profit line, there is no reason for them to fix anything.
A US-based, free e-mail service by Stephan202 · 2010-01-23 03:59 · Score: 3, Insightful

[...] the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name.
Hotmail, perhaps? No?
1. Re:A US-based, free e-mail service by Isao · 2010-01-23 04:11 · Score: 1
  
  Juno.
2. Re:A US-based, free e-mail service by kaptink · 2010-01-23 04:16 · Score: 1
  
  Wouldn't the obvious thing to do is shut the email account down and watch for people trying to log into it?
  
  --
  Those who can, do. Those who cannot, sue.
3. Re:A US-based, free e-mail service by Anonymous Coward · 2010-01-23 04:49 · Score: 1, Funny
  
  Juno
  No I don't. Juno who might?
4. Re:A US-based, free e-mail service by Zero__Kelvin · 2010-01-23 07:06 · Score: 2, Insightful
  
  "Wouldn't the obvious thing to do is shut the email account down and watch for people trying to log into it?"
  That would certainly trace them all the way to the anonymous proxy in a country with laws that don't require them to give up the logs.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
5. Re:A US-based, free e-mail service by isorox · 2010-01-24 20:40 · Score: 1
  
  Hotmail, perhaps? No?
  I assumed that, but gmail may be more appropiate, given the nature of the first exploit to hit the news
Update your Acrobat Reader. by Old+Flatulent+1 · 2010-01-23 04:14 · Score: 3, Interesting

There was a similar hole in the way Acrobat Reader prior to 9.2 handled xml multimedia calls. And there were resent releases of updates for Shockwave Flash.
It is rather telling that the same type of buffer trouble is showing up in other peoples software. I am just wondering if the flood "Gates" are about to open and we will wind up seeing multiple trouble with things like WMP, Silverlight ...there was already the same update happening for RealPlayer
Just maybe there is a system xml call that is easily exploited in all versions of Windows....I can just see it now some lazy MS exec using old legacy system xml that is written using the gets and puts function. I would not put it past Microsoft to use old garbage code without even checking the old source then including the pre-compiled executable
1. Re:Update your Acrobat Reader. by Antique+Geekmeister · 2010-01-23 04:56 · Score: 3, Insightful
  
  Maybe, just maybe, they should throw out most XML use. It's expandability and flexibility have caused repeated security and performance issues, and it's being used consistently instead of far simpler and more robust configuration technologies.
2. Re:Update your Acrobat Reader. by Anonymous Coward · 2010-01-23 06:47 · Score: 1, Insightful
  
  Yeah, using XML has been a total plague... Apple uses it everywhere in OS X, and I'm sure we all remember the endless number of exploits endured by the poor bastards who use Macs since OS X shipped in 2001.
  Oh, wait... there haven't been any exploits on OS X.
  There must be something else at work here... like Apple employing more competent people to write code than Microsoft and Adobe.
And do I care? by bradbury · 2010-01-23 05:38 · Score: 1

Cough, no, because I am running a Linux system with a variety of browsers (epiphany, galeon, Firefox, Chromium) and I simply do not run MS software (and to read the ongoing saga, lucky me), why does /. even bother to track these items? We know the MS users are brain-dead (they hover under a belief that the software doesn't have bugs or is secure and that will protect them -- how wrong they are.).
I have no misconceptions that Linux based software is any more secure -- but I rest in confidence that epiphany, galeon, Firefox and Chromium are *all* open source -- and if there is a security problem within them I can update and take advantage of it within hours -- not months as Microsoft seems inclined to do.
Using closed source software is akin to laying oneself out on the Washington Mall and saying, hey "rape me". Its not so bad "I'll recover".
1. Re:And do I care? by Zero__Kelvin · 2010-01-23 07:08 · Score: 1
  
  "why does /. even bother to track these items?"
  You do realize that you read the story and then went on to post in it, right?
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Time to Bury IE by BoRegardless · 2010-01-23 05:40 · Score: 1

For God's sake and all of our digital information, it is time for a revolution.
IE has failed so many times with so many bad consequences it is time to simply outlaw the use of IE.
How many car crashes due to any number of causes before they yank ALL those car models and force the manufacturer to replace the brakes.
Get rid of MS Internet Explorer, once & for ALL. If Microsoft were an honest company they would have stopped IE and started including FireFox a long time ago. At least then, everyone can examine code and offer patches.
(i.e. not software) by tepples · 2010-01-23 05:44 · Score: 1

What useful firewall are you referring to that isn't implemented in software? Or by "(i.e. not software)" were you referring to anything implemented on an appliance?
1. Re:(i.e. not software) by 1s44c · 2010-01-23 05:50 · Score: 1
  
  What useful firewall are you referring to that isn't implemented in software? Or by "(i.e. not software)" were you referring to anything implemented on an appliance?
  Ok, they are all implemented in software on some device or other. I was using the naive definition of a 'software firewall' which I take to mean one running on the user system it's meant to protect.
  A better firewall would be one running on a device between the two user system and the internet like a Cisco device or a OpenBSD or Linux machine.
2. Re:(i.e. not software) by lukas84 · 2010-01-23 08:42 · Score: 1
  
  The question is what you're expecting a firewall to do.
  What the Windows Firewall does by default (in a Public network) is prevent any incoming traffic to open TCP or UDP ports. This works very well and there are few edge cases where a separately hosted Firewall would provide a significant advantage.
  What it does not do is prevent any kind of outgoing traffic - you can configure this through policies in a corporate network, to prevent unapproved applications from accessing the network (which also works well), but this can't work on a home computer where the users have local admin rights, as a malicious app can just add the required firewall rules. A separately hosted Firewall doesn't work any better - it can't tell if the SSL Traffic on Port 443 is coming from IE or a malicious application.
3. Re:(i.e. not software) by dbIII · 2010-01-23 14:23 · Score: 1
  
  The question is what you're expecting a firewall to do.
  I think he's expecting it to be on a device other than the one easily compromised. One bit of malware placed on there by the user and the software firewall is completely pointless. Something in between the problem machine and the net at least stops you from spamming the world. In most large corporate environments you will always get somebody that thinks it's a good idea to put something that contains malware on a machine. It's always better to assume the Microsoft firewall is not there, because in the cases where it is needed it will not be there.
  You can go for massive amounts of lockdown and glue in the USB ports but then generally renders machines useless for some work purposes and pisses off everyone with an iPod. It's better just to put the MS machines under adult supervision of something else and be ready to re-image machines.
  Your other point about things still coming in through safe ports still applies but most malware doesn't work that way yet.
Just wait until Linux becomes popular! by Zero__Kelvin · 2010-01-23 06:32 · Score: 1

No, No! Haven't you heard? Even though Linux owns the server market and is used by many big corporations including Google, Windows has almost all of the malware because it is more popular!

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
1. Re:Just wait until Linux becomes popular! by lukas84 · 2010-01-23 08:47 · Score: 2, Interesting
  
  I've seen many compromised Linux machines sending out spam. Especially prevalent in Germany, where 1&1 and similar mass hosters provide hosted very cheap rental of Linux servers.
  Of course, the issues are the same as those of compromised Windows systems:
  * Not up to date on security patches
  * Admin doesn't know what he's doing
  * Using insecure legacy versions of software
Re:Time to bury Firefox by baka_toroi · 2010-01-23 07:02 · Score: 2, Informative

Thanks for showing me fixed vulnerabilites!
Stuff works optimally with IE6! by Zero__Kelvin · 2010-01-23 07:12 · Score: 1

"Get rid of MS Internet Explorer, once & for ALL."
But the intertubes will cease to function properly. Are you trying to starve children in Massachussets? Don't you know that lots of out of work website designers need to use a website that works optimally with IE version 6??!!!

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
MSFT has no reasonable excuses by Anonymous Coward · 2010-01-23 07:33 · Score: 1, Interesting

3 billion dollars in profit a quarter. Just think about that. That is 120k software developers paid 100k a year. That's how many more people they could have fixing any bug you have. It may be unreasonable to ask a public company to not make a profit, but it is quite reasonable, that, even with the mythical man month, they could hire 5k more developers and testers and fix this BS. This was the size of the Windows 2000 team, when I was there that year.
I knew IE 6 was going to be bad though - people from the QA team came to me and asked if managers in other teams tell you to stop entering bugs because it makes the dev team look bad. Seriously. Trident was even worse.
Bundling by zogger · 2010-01-23 08:00 · Score: 1

Why is bundling multiple changes/patches better? Seems like if you did it one at a time, if something broke, you would be pretty confident the new code was doing it. With multiple simultaneous changes, if something broke, you would have to sort out *which* of the new changes was responsible first, or also contemplate if the random combination of any of the changes was responsible, which greatly ups the number of potential problems to look at.
1. Re:Bundling by bloodhawk · 2010-01-23 11:17 · Score: 1
  
  Because the largest part of time in the majority of patches is not development, but the testing of it. a patch that took a dev 5 minutes to write might take 2 or 3 days to run the full set of tests against depending on where and how critical the patch is, hence buddling more patches can reduce total time. MS is huge with a massive amount of reliant 1 st party and 3rd party software, I would bet it probably takes a good week for a full set of regression and break tests even if the patch is simple.
2. Re:Bundling by mce · 2010-01-23 11:26 · Score: 1
  
  Because some problems interact. For instance because they affect the same code modules and fixing them one by one would actually be require more work overall - possibly involving additional throwaway temporary work. This could even delay getting them both fixed compared to fixing them in one go.
  
  --
  Linux user since early January 1992.
Can someone please post an URL... by ArsenneLupin · 2010-01-23 10:28 · Score: 1

... I am currently in a Sauna, who refuse to put anything but Internet Exploder on their PCs....
Claim EPIC FAIL by Zero__Kelvin · 2010-01-23 10:39 · Score: 1

"Of course, the issues are the same as those of compromised Windows systems:
You forgot to list one: designed from the ground up with insecurity in mind

Oh wait. That's right. Only one of the OSes mentioned meets that criterea.

"I've seen many compromised Linux machines sending out spam.
You have offered no evidence that a Linux machine was compromised. It is impossible to tell based on the fact that SPAM is coming from that direction. A poorly configured mail server allowing SMTP relaying does not constitute a compromised system.

--
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Re:Someone is talking about you, is it truth? by Foredecker · 2010-01-23 12:49 · Score: 1

Well, APK is a bit rambling. But he did ask me an interesting question and yes, I'm going to get him some kind of answer. I'm not sure it will be the answer he is looking for though. I'll know more in a couple of weeks.

--
Jibe!
Re:Foredecker, let me "lay it on the table" for yo by Foredecker · 2010-01-23 13:05 · Score: 1

Don't worry :)

--
Jibe!