Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites
SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.
... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"
Just lost their job... The same idiot that insisted on "let's make all our content only available through IE"...
Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
How about Global ThermoNuclear War..
If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?
It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.
We need to make a petition at change.org! Oh, I guess we only do that for Oracle.
Yea, the doctor could have known.
It's still there.
"Nationalism is an infantile sickness. It is the measles of the human race." -Albert Einstein
"Nobody ever got fired for picking Microsoft." The time is ripe for that being overturned.
a big European company operating in the aerospace, defense, and security industries
Or EADS for short. I mean, "a" ??? Is there any other ?
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
While it seems to have died out a bit (and Oracle certainly showed little concern), there were cries from some people to remove Java from everyone's computer because of the (legitimate) exploits in applets. Am I missing something, or shouldn't the same people be calling on everyone to remove I.E. from their computers, given Microsoft's record with browser exploits?
You know, it really helps a debate when every single point you make is followed by telling the readers they're idiots. It just drives home the fact that a smarter person wouldn't be reading your post.
Here's some documentation on why it's bad.
The Black Book of Communism
I used to see Internet Explorer as the devil, so full of holes it would result in your Windows box needing a reinstall every couple months.
I was aggressively advocating switching from IE around the apex of this curve, and overjoyed as it plummeted.
Are my prior impressions about IE being buggy and dangerous still valid? Has IE cleaned up any? I get the impression it has.
And I was pushing folks to use Firefox as the alternative. How does Firefox compare to IE now? I get the impression IE is still a bad choice for a number of reasons, but also that Firefox is itself playing a game of clean-up after bloat issues.
Basically, at this point I'll push folks to use any browser that's not dominant. Get it? Fragmented influence in browser protocols means we get standards and standards compliance instead of the nightmare incompatibilities from intentional protocol "extending" and corrupting that MS and NS were pushing in their bids for complete control.
Makes me want to go back to the 2003 Slashdot posts to identify the IE advocates so I can publicly shame them now.
DC's top news station, WTOP, is now blocking access to IE browsers after a similar compromise: http://wtop.com/41/3313012/WTOP-vicitim-of-malicious-cyber-attack
You do know that IE cannot be removed from Windows, right? You do know MS was in big trouble with governments over its bundling of IE and its LIES in court about it being impossible for them to remove?
Well, then you probably don't know about how Bush appointed MS to oversee its own punishment after losing the court case... and that is why the problem continues unresolved...
Democracy Now! - uncensored, anti-establishment news
Evidently people who work on nuclear weapons... so...
I mean, "Evidently NOT people who work on nuclear weapons." It would have been right, but my browser (IE 6) messed up posting. I'm embarrassed. Fortunately, it sounds like I won't have to live with my shame for very long.
No, how about global thermonuclear war. How about Microsoft pushes updates for Internet Explorer to XP?
Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.
So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?
We don't blindly hate Microsoft; we've seen it all too much.
Time travel has its advantages.
This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)
If you're still using Internet Explorer 8, you deserve this. Microsoft is almost on IE11 at this point (looks like Firefox). If it shipped with Vista, why are you still using it and thinking you're safe? While you're at it, why not use Windows XP and avoid security updates as well... If you don't like 8, install 7. If your programs aren't compatible with anything later than XP... well... those will have security that's so outdated you might as well just consider the entire system a liability and get insurance for the lawsuits.
You're completely incorrect about consumer behavior and market regulation, and your example of Nader is a fabulous example.
The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. It's also responsible for increased pedestrian and cyclist fatalities (known as early as Pelzman's 1975 study) and may even make drivers less safe.
48 years after his book, despite all the tremendous advances in engineering and materials science, instead of the average vehicle on US roads being sub-1000 lbs and getting 200MPG (very feasible to do considerably better than this for 1-2 passenger cars, c.f. the decade-old VW 1L prototype), the average vehicle is >4000 lb and gets worse than 20MPG, little better than in 1965.
The reason is a curb weight arms race caused by our absurd safety standards. The main way to meet crash test standards when faced with heavy vehicles is to increase your vehicle's weight.
Passenger collision safety involves tradeoffs- among other things, tradeoffs with performance, efficiency, cost, and the safety of others on the road. Nader refused to recognize these tradeoffs. Our current safety laws ignore these tradeoffs, and even if they took them into account, overriding consumers' preferences regarding these tradeoffs will lead to inefficient market outcomes.
If someone wants to purchase a more efficient, less expensive vehicle, the government shouldn't stop them just because it does slightly less well in collision tests. Consumers are perfectly capable of rationally choosing how much they're willing to trade guarantees of their own safety for other desiderata and vice versa.
Regulating externalities, on the other hand, is often OK. Vehicle safety requirements should be based ONLY on the damage caused in collisions to other road users (other drivers, pedestrians, cyclists) and their property. Heavier vehicles perform WORSE in such tests; we might consider having a weight-based Pigovian vehicle tax to offset the safety and pollution externalities for those heavier cars we're still willing to allow on the roads.
Providing consumers with more information is a good idea. I'm fine with performing tests and requiring companies to provide prospective buyers with that information. But requiring disclosure without regulating/prohibiting the sale of the product still allows for what I think most would call a "truly free market."
If using MS's software may brick your neighbor's PC, go ahead and hold MS to the fire. If using MS's software may brick your own computer, require testing and a warning label. But the kind of guarantees the OP seems to want to require would override consumer preferences in a way that would cripple the software industry.
Like this ?:
https://blog.mozilla.org/blog/2013/04/03/mozilla-and-samsung-collaborate-on-next-generation-web-browser-engine/
New things are always on the horizon
You know what else keeps fuel efficiency low? Big engines. Consumers have demanded them instead of efficient vehicles in part because we make driving artificially cheap by subsidizing road construction with more funds than we take in from gas taxes. Consumers are typically horrible at acting rationally in their own self interest and are far more likely to act on emotion and misinformation, although I don't think the government should necessarily take the nanny role in those situations.
Here I was hoping you were the real one. I'd rather have him around again instead of all these stupid APK troll posts.
The best is the time when the two of them managed to troll each other.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
I've never coded something in Erlang, but I believe Rust tried to copy the idea of message passing from Erlang.
I think message passing allows you to copy the data, which would mean you might not need to deal with cache coherence issues.