Slashdot Mirror


Internet Explorer 0-day Attacks On US Nuke Workers Hit 9 Other Sites

SternisheFan writes with an excerpt from Ars Technica: "Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said. The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8. ... 'The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium,' CrowdStrike said. 'Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector.'"

14 of 157 comments

  1. Hold Microsoft Responsible by Murdoch5 · · Score: 5, Insightful

    If I make a medical device that has a serious software bug and goes AWOL and kills people, I'm held responsible. If I start a company that dumps oil into the ocean by accident and it kills people / animals, I'm held responsible. So shouldn't companies who release buggy software be held responsible for damages and compensation?

    1. Re:Hold Microsoft Responsible by Anonymous Coward · · Score: 5, Insightful

      No. This was not gross negligence. This was not a bug that would affect anyone under conditions remotely close to normal. This is something that is being actively exploited by someone (the criminal in this case) in a way never intended by the programmers. It'd be like suing the people who made the bullets used in the Sandy Hook massacre. Not only that, they probably agreed when they installed the software not to hold the software company responsible for anything. The way the system works, if Microsoft does this enough and demonstrates that they cannot create secure products, the market (cue angel choir) will punish them.

    2. Re:Hold Microsoft Responsible by bill_mcgonigle · · Score: 4, Insightful

      If I make a medical device that has a serious software bug and goes AWOL and kills people I'm held responsible

      And if you discover that software bug and issue fixes and notices and your customers fail to implement the fix, is it still your fault?

      This one ... OK, this makes me a little twitchy ... isn't Microsoft's fault.

      It's 2013. Why are they still running IE8 for anything where security is a concern? Windows 7 has been out for 4 years and IE9 for 2. IE10 is out, and two months should be enough to do a patch deployment, but even if it's borderline, by most accounts IE9/10 are not the horrible bags of garbage that the old versions were.

      Who is not doing patch management? Who is allowing XP machines near critical systems? Who chose IE8 over Firefox when that decision was made? Did somebody specify an IE6-only solution prior to that, ignoring standards and best practices, leading to a chain reaction of a mess? Who is not cleaning that up?

      Answer those questions and you'll find those responsible for today's vulnerable IT landscape.

      And, of course the primary responsibility lies with those coordinating the attacks. But we know those people are out there. If a clerk forgets to close up the store at night and goes home with the front door open, it's not that he is responsible for the burglars' actions, but he's also not doing his job and won't be working there the next day.

      </ick>

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Hold Microsoft Responsible by Onymous+Coward · · Score: 5, Insightful

      Yeah, that's the problem with a truly free market. Consumers are stupid and inattentive, corporations are clever and evasive.

      If every consumer were Ralph Nader I'd be a free market zealot. As that's not the case we have to find a different way to assure corporations behave themselves.

    4. Re:Hold Microsoft Responsible by Cenan · · Score: 5, Interesting

      Exactly this.
      Some of us are stuck with legacy systems, built with legacy tools, and the original developers are long, long gone. While we try to unwind the horrible spaghetti mess that is our core business software, we have to make do with Win-XP VMs and all sorts of neat tricks to keep the rickety shit from collapsing in on itself.

      (Incidentally, if any of you reading this worked at Borland/Inprise in the late nineties: hello how ar... FUCK YOU! and fuck your ridiculous fucking desktop database fucking crap. You fucking morons have no fucking clue how to nail a board onto another board, and you should all be lined up and punched in the dick. /rant)

      --
      ... whatever ...
    5. Re:Hold Microsoft Responsible by Lumpy · · Score: 4, Informative

      Then your legacy system is severed from any public LAN. Your security goes up by 600% if you remove its ability to do ANYTHING but what it is needed for. No, you can't email. No, you can't surf. No network access. You can only use a SANITIZED USB drive to copy the needed files off of the unit.

      Not hard to keep them hacker proof if the IT and ITS departments know what they are doing.

      --
      Do not look at laser with remaining good eye.
    6. Re:Hold Microsoft Responsible by Murdoch5 · · Score: 5, Insightful

      This is why open source is the best software model on the market! If you find a bug and you know how to fix it, go ahead; if you can't fix it but submit a bug report, you're almost always guaranteed another programmer can fix it. If your company adopts a closed software model then you should offer the same level of support as open source, meaning if someone finds a bug the company offers a fix. The lifetime of the software shouldn't matter: a bug today is a bug in 30 years and should be treated the same way. Yes, most people will upgrade, but the few that have no need should still get support.

    7. Re:Hold Microsoft Responsible by jeffmeden · · Score: 3, Insightful

      If it's a municipality? Document it and deliver a nice anonymous tip to the local news on how the supervisors there are risking the public with their incompetence. News LOVES that kind of story.

      You have a lot of options; public humiliation tends to get the fastest results.

      Hello, channel 5? Yes, I want to report that the administrators in Washington Township decided to take a computer running Internet Explorer 8, and connect it to the PUBLIC INTERNET! Can you believe the incompe-- Yes, I will hold. Hello?

  2. Re:Would you Like to Play a Game ? by Hsien-Ko · · Score: 4, Funny

    Powered by Internet Exploder!

  3. Re:Somebody in the government... by rabbit994 · · Score: 3, Insightful

    I want whatever you are smoking. No one will lose their job over this because A) it's a government worker and B) Microsoft is like IBM in government: no one gets fired for picking it.

  4. Re:Wow by colinrichardday · · Score: 3, Funny

    We don't blindly hate Microsoft; we've seen it all too much.

  5. Stop calling everything a 0-day attack! by MobyDisk · · Score: 4, Insightful

    This was a known patched vulnerability in an old version of IE. It was not a 0-day vulnerability. A 0-day vulnerability is one where there were 0 days to fix it because it was exploited before the software vendor knew about it. Stop using that term for every single headline! (Not blaming Slashdot this time - The title is straight from the arstechnica article)

  6. Re:Somebody in the government... by gstoddart · · Score: 4, Insightful

    I used to work for the government, long enough to know that the most incompetent people are always promoted to management.

    It's often referred to as the Peter Principle, and I assure you, the exact same thing happens in private industry all of the time.

    It's not unique to governments.

    --
    Lost at C:>. Found at C.
  7. Re:Where's The Java-Like Outrage? by JDG1980 · · Score: 3, Informative

    Because the Java exploits applied to the latest, fully patched version – not an old version which has been superseded for more than 2 years.