Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites
SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.
... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
Lousy programming from Microsoft, who could have known?
Just lost their job... The same idiot that insisted on "let's make all our content only available through IE"...
God damn it to fucking bloody shitting hell, you filthy asshole motherfucker.
How about Global ThermoNuclear War..
If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?
Let's blame the Chinese.
It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.
We need to make a petition at change.org! Oh, I guess we only do that for Oracle.
It's still there.
"Nationalism is an infantile sickness. It is the measles of the human race." -Albert Einstein
"Nobody ever got fired for picking Microsoft." The time is ripe for that being overturned.
a big European company operating in the aerospace, defense, and security industries
Or EADS for short. I mean, "a" ??? Is there any other ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
While it seems to have died out a bit (and Oracle certainly showed little concern), there were cries from some people to remove Java from everyone's computer because of the (legitimate) exploits in applets. Am I missing something, or shouldn't the same people be calling on everyone to remove I.E. from their computers, given Microsoft's record with browser exploits?
By you and me maybe.
I used to see Internet Explorer as the devil, so full of holes it would result in your Windows box needing a reinstall every couple months.
I was aggressively advocating switching from IE around the apex of this curve, and overjoyed as it plummeted.
Are my prior impressions about IE being buggy and dangerous still valid? Has IE cleaned up any? I get the impression it has.
And I was pushing folks to use Firefox as the alternative. How does Firefox compare to IE now? I get the impression IE is still a bad choice for a number of reasons, but also that Firefox is itself playing a game of clean-up after bloat issues.
Basically, at this point I'll push folks to use any browser that's not dominant. Get it? Fragmented influence in browser protocols means we get standards and standards compliance instead of the nightmare incompatibilities from intentional protocol "extending" and corrupting that MS and NS were pushing in their bids for complete control.
Makes me want to go back to the 2003 Slashdot posts to identify the IE advocates so I can publicly shame them now.
Check your connection? That link works.
DC's top news station, WTOP, is now blocking access to IE browsers after a similar compromise: http://wtop.com/41/3313012/WTOP-vicitim-of-malicious-cyber-attack
You do know that IE can not be removed from Windows, right? You do know MS was in big trouble with governments over its bundling of IE and its LIES in court about it being impossible for them to remove?
Well, then you probably don't know about how Bush appointed MS to oversee its own punishment after losing the court case... and that is why the problem continues unresolved...
Democracy Now! - uncensored, anti-establishment news
No, how about global thermonuclear war. How about Microsoft pushes updates for Internet Explorer to XP?
Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.
So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?
This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)
If you're still using internet explorer 8, you deserve this. Microsoft is almost on IE11 at this point (looks like firefox). If it shipped with Vista, why are you still using it and thinking you're safe? While you're at it, why not use Windows XP and avoid security updates as well... If you don't like 8, install 7. If your programs aren't compatible with anything later than XP... well... those will have security that's so outdated you might as well just consider the entire system a liability and get insurance for the lawsuits.
The system administration there must be really lousy.
Normally you won't be affected by browser bugs like this.
Because your users work as an unprivileged user, not an admin.
Because you have a group policy that forbids execution of software from locations where users can write to.
Because you have a proxy or firewall that forbids users downloading software.
Because your network layout is such that compromised systems cannot connect to C&C servers.
etc.
There should be multiple layers of defense in such a system and network, and apparently there isn't.
Simply don't use "raw" C and C++ to create programs which face input from untrusted sources. The mentioned exploit is one of the typical memory management bugs (use after free()/delete).
Here is a compiler which will emit memory-safe C++:
http://sourceforge.net/projects/sappeurcompiler/
The Sappeur language retains almost all C++ efficiency features, such as
+ Stack Allocation of almost all kinds of objects/basic types
+ Object Aggregation (Instance of type A contains instance of type B without any pointers/references needed)
+ Arrays of complex Objects as opposed to arrays of references
+ Synchronous Destructors called when YOU want them to be called, not when the runtime decides to do that
+ very lean, small programs possible. Start up, process, terminate in a few milliseconds (like the little Unix tools)
+ shared (but safe) access to thread-shared data structures possible
+ Reference-counted pointers which will synchronously call the destructor when refcount reaches zero
And yeah, it's not a silver bullet to all security issues, but it will eliminate at least 50% of exploitable bugs in a typical software project, where you can't inspect code forever and where someone will demand a release in a short timespan.
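As an added illustration of the last bullet above (reference-counted pointers whose final release synchronously runs the destructor), the following plain-C sketch is not code from the page or from the Sappeur project; it hand-rolls the discipline that such a language enforces for you. The "document" and "handler" roles, the node name and the counters are constructed for the example and are not taken from the IE8 bug; they only mirror the shape of a browser use-after-free, where one owner drops an object while a pending callback still points at it.

```c
/* Added example, not from the page or the Sappeur project: a minimal
 * reference-counted object in plain C. The Document/Handler roles and the
 * node name are constructed for illustration only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Node {
    int  refcount;      /* number of live owners of this object */
    char name[32];
} Node;

static int g_destroyed;  /* counts destructor runs, for the check below */

/* Destructor: runs exactly once, when the last owner releases. */
static void node_destroy(Node *n)
{
    g_destroyed++;
    memset(n, 0, sizeof *n);   /* poison before free so a stale use fails loudly */
    free(n);
}

Node *node_new(const char *name)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcount = 1;                               /* creator holds one ref */
    snprintf(n->name, sizeof n->name, "%s", name);
    return n;
}

/* Every owner that stores the pointer must retain it. */
Node *node_retain(Node *n)
{
    n->refcount++;
    return n;
}

/* Releasing below zero is a double free in disguise; abort rather than
 * corrupt the heap. */
void node_release(Node *n)
{
    if (n->refcount <= 0) abort();
    if (--n->refcount == 0)
        node_destroy(n);
}

/* Drop a reference and clear the owner's pointer in one step, so the
 * owner can never dereference an object it has already released. */
#define NODE_RELEASE(p) do { node_release(p); (p) = NULL; } while (0)

typedef struct { Node *current; } Document;  /* owns the "active" node */
typedef struct { Node *target;  } Handler;   /* a callback that remembers it */

/* Shape of a classic browser use-after-free: the document drops the node
 * (script removed it) while a pending handler still points at it. With raw
 * pointers that is free(doc.current) followed by a read through h.target;
 * with the refcount, the handler's own reference keeps the object alive
 * until the handler lets go. Returns the name length the handler observed
 * after the document had already dropped the node. */
int scenario(void)
{
    g_destroyed = 0;
    Document doc = { node_new("button") };
    Handler  h   = { node_retain(doc.current) };  /* handler takes its own ref */

    NODE_RELEASE(doc.current);  /* document lets go: refcount 2 -> 1, no destroy */

    int seen = (int)strlen(h.target->name);  /* still valid: object is alive */

    NODE_RELEASE(h.target);     /* last owner releases: refcount 1 -> 0, destroy now */
    return seen;
}

int destroyed_count(void) { return g_destroyed; }

int main(void)
{
    printf("handler saw %d chars; destructor ran %d time(s)\n",
           scenario(), destroyed_count());
    return 0;
}
```

The point of the sketch is the invariant, not the code: an object is freed only when its refcount hits zero, so a second owner can never be left holding a dangling pointer, and the destructor still runs at a predictable moment rather than whenever a collector feels like it. Done by hand in C this is exactly the discipline that is easy to forget in one code path out of a thousand; building with -fsanitize=address is the cheapest way to catch the raw-pointer version of the scenario in testing.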
Don't fucking put your goddamn motherfucking top secret nuclear research facilities on the goddamn motherfucking Internet.
Jesus fuck?
Here I was hoping you were the real one. I'd rather have him around again instead of all these stupid APK troll posts.
You're completely incorrect about consumer behavior and market regulation, and your example of Nader is a fabulous example.
The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. It's also responsible for increased pedestrian and cyclist fatalities (known as early as Peltzman's 1975 study) and may even make drivers less safe.
48 years after his book, despite all the tremendous advances in engineering and materials science, instead of the average vehicle on US roads being sub-1000 lbs and getting 200MPG (very feasible to do considerably better than this for 1-2 passenger cars, c.f. the decade-old VW 1L prototype), the average vehicle is >4000 lb and gets worse than 20MPG, little better than in 1965.
The reason is a curb weight arms race caused by our absurd safety standards. The main way to meet crash test standards when faced with heavy vehicles is to increase your vehicle's weight.
Passenger collision safety involves tradeoffs- among other things, tradeoffs with performance, efficiency, cost, and the safety of others on the road. Nader refused to recognize these tradeoffs. Our current safety laws ignore these tradeoffs, and even if they took them into account, overriding consumers' preferences regarding these tradeoffs will lead to inefficient market outcomes.
If someone wants to purchase a more efficient, less expensive vehicle, the government shouldn't stop them just because it does slightly less well in collision tests. Consumers are perfectly capable of rationally choosing how much they're willing to trade guarantees of their own safety for other desiderata and vice versa.
Regulating externalities, on the other hand, is often OK. Vehicle safety requirements should be based ONLY on the damage caused in collisions to other road users (other drivers, pedestrians, cyclists) and their property. Heavier vehicles perform WORSE in such tests; we might consider having a weight-based Pigovian vehicle tax to offset the safety and pollution externalities for those heavier cars we're still willing to allow on the roads.
Providing consumers with more information is a good idea. I'm fine with performing tests and requiring companies to provide prospective buyers with that information. But requiring disclosure without regulating/prohibiting the sale of the product still allows for what I think most would call a "truly free market."
If using MS's software may brick your neighbor's PC, go ahead and hold MS to the fire. If using MS's software may brick your own computer, require testing and a warning label. But the kind of guarantees the OP seems to want to require would override consumer preferences in a way that would cripple the software industry.
You know what else keeps fuel efficiency low? Big engines. Consumers have demanded them instead of efficient vehicles in part because we make driving artificially cheap by subsidizing road construction with more funds than we take in from gas taxes. Consumers are typically horrible at acting rationally in their own self interest and are far more likely to act on emotion and misinformation, although I don't think the government should necessarily take the nanny role in those situations.
The best is the time when the two of them managed to troll each other.
Jesus was all right but his disciples were thick and ordinary. -John Lennon