Slashdot Mirror


Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites

SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"


  1. Somebody in the government... by Kildjean · · Score: 2

    Just lost their job... The same idiot that insisted on "let's make all our content only available through IE"...

    --
    Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
    1. Re:Somebody in the government... by rabbit994 · · Score: 3, Insightful

      I want whatever you are smoking. No one will lose their job over this because A) It's a government worker B) Microsoft is like IBM in government, no one gets fired for picking it.

    2. Re:Somebody in the government... by gstoddart · · Score: 4, Insightful

      I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

      It's often referred to as the Peter Principle, and I assure you, the exact same thing happens in private industry all of the time.

      It's not unique to governments.

      --
      Lost at C:>. Found at C.
  2. Would you Like to Play a Game ? by Anonymous Coward · · Score: 2, Funny

    How about Global ThermoNuclear War..

    1. Re:Would you Like to Play a Game ? by Hsien-Ko · · Score: 4, Funny

      Powered by Internet Exploder!

  3. Hold Microsoft Responsible by Murdoch5 · · Score: 5, Insightful

    If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible. If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?

    1. Re:Hold Microsoft Responsible by Anonymous Coward · · Score: 5, Insightful

      No. This was not gross negligence. This was not a bug that would affect anyone under conditions remotely close to normal. This is something that is being actively exploited by someone (the criminal in this case) in a way never intended by the programmers. It'd be like suing the people who made the bullets used in the Sandy Hook massacre. Not only that, they probably agreed when they installed the software not to hold the software company responsible for anything. The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.

    2. Re:Hold Microsoft Responsible by bill_mcgonigle · · Score: 4, Insightful

      If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible

      And if you discover that software bug and issue fixes and notices and your customers fail to implement the fix, is it still your fault?

      This one ... OK, this makes me a little twitchy ... isn't Microsoft's fault.

      It's 2013. Why are they still running IE8 for anything where security is a concern? Windows 7 has been out for 4 years and IE9 for 2. IE10 is out, and two months should be enough to do a patch deployment, but even if it's borderline, by most accounts IE9/10 are not the horrible bags of garbage that the old versions were.

      Who is not doing patch management? Who is allowing XP machines near critical systems? Who chose IE8 over Firefox when that decision was made? Did somebody specify an IE6-only solution prior to that, ignoring standards and best practices, leading to a chain reaction of a mess? Who is not cleaning that up?

      Answer those questions and you'll find those responsible for today's vulnerable IT landscape.

      And, of course the primary responsibility lies with those coordinating the attacks. But we know those people are out there. If a clerk forgets to close up the store at night and goes home with the front door open, it's not that he is responsible for the burglars' actions, but he's also not doing his job and won't be working there the next day.

      </ick>

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Hold Microsoft Responsible by femtobyte · · Score: 2

      If I start a company who dumps oil into the ocean by accident and it kills people / animals I'm held responsible.

      Only if your company isn't big enough to act with virtual impunity. Who was put in jail when BP murdered twelve people and devastated the gulf coast ecosystem, in order to cut maintenance costs?

    4. Re:Hold Microsoft Responsible by Murdoch5 · · Score: 2

      I think it's BS personally, if I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone same deal, if I'm a programmer and someone gets hurt from my code I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

    5. Re:Hold Microsoft Responsible by Onymous+Coward · · Score: 5, Insightful

      Yeah, that's the problem with a truly free market. Consumers are stupid and inattentive, corporations are clever and evasive.

      If every consumer were Ralph Nader I'd be a free market zealot. As that's not the case we have to find a different way to assure corporations behave themselves.

    6. Re:Hold Microsoft Responsible by Cenan · · Score: 5, Interesting

      Exactly this.
      Some of us are stuck with legacy systems, built with legacy tools and the original developers are long, long gone. While we try to unwind the horrible spaghetti mess that is our core business software, we have to make do with Win-XP VMs and all sorts of neat tricks to keep the rickety shit from collapsing in on itself.

      (Incidentally, if any of you reading this worked at Borland/Inprise in the late nineties: hello how ar... FUCK YOU! and fuck your ridiculous fucking desktop database fucking crap. You fucking morons have no fucking clue how to nail a board onto another board, and you should all be lined up and punched in the dick. /rant)

      --
      ... whatever ...
    7. Re:Hold Microsoft Responsible by bill_mcgonigle · · Score: 2

      If a bug is found 20 years after your software is released then there is still a bug and you should still offer a patch.

      Forever, for free? Or are you planning to pay $10K up front for Windows 3.1? Or $99/yr for software maintenance on it?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    8. Re:Hold Microsoft Responsible by Lumpy · · Score: 4, Informative

      Then your legacy system is severed from any public LAN. Your security goes up by 600% if you remove it from having the ability to do ANYTHING but what it is needed for. No you can't email. No you can't surf. No network access. You can only use a SANITIZED USB drive to copy the files needed off of the unit.

      Not hard to keep them hacker proof if the IT and ITS departments know what they are doing.

      --
      Do not look at laser with remaining good eye.
    9. Re:Hold Microsoft Responsible by Murdoch5 · · Score: 5, Insightful

      This is why open source is the best software model on the market! You find a bug and you know how to fix it, go ahead, if you can't fix it but submit a bug report you're almost always guaranteed another programmer can fix it. If your company adapts a closed software model then you should offer the same level of support as open source, meaning if someone finds a bug the company offers a fix. The lifetime of the software shouldn't matter, a bug today is a bug in 30 years and should be treated the same way. Yes most people will upgrade but for the few that have no need they should still get support.

    10. Re:Hold Microsoft Responsible by RabidReindeer · · Score: 2

      I think it's BS personally, if I build a bridge and it fails I'm held responsible. If I build an electronic system that fails and it hurts someone I'm responsible. If I'm a doctor and hurt someone same deal, if I'm a programmer and someone gets hurt from my code I wipe the chips from my beard, tuck my Hawaiian shirt in and go home.

      Well, are you willing to pay for software development costs that include developers carrying insurance the way that doctors and engineering firms do? Are you willing to spend the amount of money it takes to hire competent developers? Are you willing to wait a significant amount of time so that the software design is thoroughly vetted and tested instead of just rammed out the door?

      Or do you want your Lower Prices Everyday - Git-er-Dun cheap crap?

    11. Re:Hold Microsoft Responsible by jeffmeden · · Score: 3, Insightful

      If it's a municipality? Document it and deliver a nice anonymous tip to the local news how the supervisors there are risking the public with their incompetence.. News LOVES that kind of story.

      You have a lot of options, Public humiliation tends to get the fastest results.

      Hello, channel 5? Yes, I want to report that the administrators in Washington Township decided to take a computer running Internet Explorer 8, and connect it to the PUBLIC INTERNET! Can you believe the incompe-- Yes, I will hold. Hello?

    12. Re:Hold Microsoft Responsible by cavreader · · Score: 2

      This is one of the first statements I have seen that forwards the idea that application software is possibly responsible for creating problems. Everyone seems to dump on MS and ignore the problems that applications can introduce. The MS blue screen was a symptom of problems in the 3rd party hardware drivers and APIs from the start. MS has always tried to allow for a wide range of 3rd party hardware. Apple and MS have pursued opposite business models since they first arrived on the scene. Apple opted for controlling all aspects of the hardware while MS went the commodity hardware route. This allowed Apple to have more control over their hardware but that resulted in Apple's products being more expensive than comparable MS offerings. The higher prices could not really compete in the business world where price always seems to be the deciding factor. Apple almost went bankrupt. MS actually invested considerable funds to help Apple make it through that period. The MS business model allowed MS to take a demanding lead in the desktop and application market. I also tend to see people worrying about which browser provides the best performance. Browser performance means nothing if the web content or web applications are poorly designed. Now you can pick the fastest browser and throw hardware at the performance problem but that band-aid only works to a certain point. This also applies to picking an OS based on performance benchmarks.

  4. Where are the stand alone machines? by Picass0 · · Score: 2

    It would cost far less than incident analysis and cleanup to provide dedicated machines for external web use. Companies and agencies that tolerate occasional surfing should have machines that do not share the internal network.

    1. Re:Where are the stand alone machines? by h4rr4r · · Score: 2

      All that stuff costs money.
      People will complain the government is wasting their tax dollars if they ever tried to spend money on that.

  5. Re:Wow by solkanar · · Score: 2

    Yea, the doctor could have known.

  6. Re:Where's The Java-Like Outrage? by satuon · · Score: 2

    I've already removed it in favor of Chrome.

  7. Re:Where's The Java-Like Outrage? by cavreader · · Score: 2

    I will let you in on a secret. There is only a tiny number of wannabe IT experts who are "outraged" while everybody else saves their indignation for shit that really matters. And as far as software bugs go name one program more complicated than "Hello World" that doesn't have bugs. If you want bug free software you might as well get used to a 10 year release cycle because that is how long it would take to guarantee bug free software. Of course that puts a real crimp in the advancement of any actual hardware, especially processors. Anyone running highly critical applications such as utilities have all the tools, policies, and procedures necessary to secure their networks and applications. If some moron allows Internet access to their secure system then yes they should be held accountable for incompetence and fired. However you can't always rely on someone not doing something stupid. The most frequent vector used today is through phishing and spearing attacks via a person's e-mail and clever social manipulation. In the case of this exploit it compromised an Internet site that is little more than a brochure site with non-critical information. People brayed about the latest batch of script kiddies defacing the FBI and US Congress sites but that does not mean they got access into any secure systems. Outward facing websites should never be designed to allow someone into a secured network and when it is easy to configure and design such a system. But like I said you can't rely on everyone being competent.

  8. Where'd the malicious links come from? by jonathanjespersen · · Score: 2
    From the article:

    Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy.

    So in addition to the 0-day exploit found in IE, what was exploited to put malicious links on the web site?

  9. Re:Wow by colinrichardday · · Score: 3, Funny

    We don't blindly hate Microsoft; we've seen it all too much.

  10. Re:Wow by colinrichardday · · Score: 2

    Time travel has its advantages.

  11. Stop calling everything a 0-day attack! by MobyDisk · · Score: 4, Insightful

    This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)

  12. Re:Remove IE? by yuhong · · Score: 2

    IE can be removed enough from Vista and later that its engine is not easily used for untrusted content.

  13. Re:plain shoddy, and v. others? by yuhong · · Score: 2

    IE9 and later are not affected by this zero day.

  14. Re:Where's The Java-Like Outrage? by JDG1980 · · Score: 3, Informative

    Because the Java exploits applied to the latest, fully patched version – not an old version which has been superseded for more than 2 years.

  15. BOO TO NADER by jensend · · Score: 2

    You're completely incorrect about consumer behavior and market regulation, and your example of Nader is a fabulous example.

    The Nader-inspired passenger safety craze is directly responsible for the horrendously low average MPG in the USA and all the attendant environmental and political problems. It's also responsible for increased pedestrian and cyclist fatalities (known as early as Peltzman's 1975 study) and may even make drivers less safe.

    48 years after his book, despite all the tremendous advances in engineering and materials science, instead of the average vehicle on US roads being sub-1000 lbs and getting 200MPG (very feasible to do considerably better than this for 1-2 passenger cars, c.f. the decade-old VW 1L prototype), the average vehicle is >4000 lb and gets worse than 20MPG, little better than in 1965.

    The reason is a curb weight arms race caused by our absurd safety standards. The main way to meet crash test standards when faced with heavy vehicles is to increase your vehicle's weight.

    Passenger collision safety involves tradeoffs- among other things, tradeoffs with performance, efficiency, cost, and the safety of others on the road. Nader refused to recognize these tradeoffs. Our current safety laws ignore these tradeoffs, and even if they took them into account, overriding consumers' preferences regarding these tradeoffs will lead to inefficient market outcomes.

    If someone wants to purchase a more efficient, less expensive vehicle, the government shouldn't stop them just because it does slightly less well in collision tests. Consumers are perfectly capable of rationally choosing how much they're willing to trade guarantees of their own safety for other desiderata and vice versa.

    Regulating externalities, on the other hand, is often OK. Vehicle safety requirements should be based ONLY on the damage caused in collisions to other road users (other drivers, pedestrians, cyclists) and their property. Heavier vehicles perform WORSE in such tests; we might consider having a weight-based Pigovian vehicle tax to offset the safety and pollution externalities for those heavier cars we're still willing to allow on the roads.

    Providing consumers with more information is a good idea. I'm fine with performing tests and requiring companies to provide prospective buyers with that information. But requiring disclosure without regulating/prohibiting the sale of the product still allows for what I think most would call a "truly free market."

    If using MS's software may brick your neighbor's PC, go ahead and hold MS to the fire. If using MS's software may brick your own computer, require testing and a warning label. But the kind of guarantees the OP seems to want to require would override consumer preferences in a way that would cripple the software industry.