Internet Explorer Security IT

IE 0-Day Flaw Used In Chinese Attack 318

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."
  • by tacarat ( 696339 ) on Thursday January 14, 2010 @08:42PM (#30773562) Journal
    Using Firefox would have prevented it and still spared the needless expense of fashionable but mediocre and overpriced hardware for basic office minion tasks.
  • More than just IE (Score:5, Informative)

    by FalleStar ( 847778 ) on Thursday January 14, 2010 @08:44PM (#30773584) Homepage

    If you bother to RTFA (I must be new here, right?) you'll see that it wasn't JUST an IE zero-day that was used in the attack.

    "While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios." - George Kurtz [mcafee.com]

    So IE is partially to blame, but you can't just say that this is MS's fault.

  • by Eyah....TIMMY ( 642050 ) * on Thursday January 14, 2010 @08:46PM (#30773606)
    From an earlier /. article: http://arstechnica.com/security/news/2010/01/researchers-identify-command-servers-behind-google-attack.ars [arstechnica.com]

    From the article in this post: The previously unknown flaw in the IE browser was probably just one of the vectors used in the attacks.
    I love the "probably"
  • by musicalmicah ( 1532521 ) on Thursday January 14, 2010 @09:07PM (#30773800)
    According to TFA, this vulnerability was in IE6. Lock-in or no, you'd think they could have at least upgraded one version level up, if not two.
  • No sign of vanishing (Score:3, Informative)

    by enharmonix ( 988983 ) <enharmonix+slashdot@gmail.com> on Thursday January 14, 2010 @09:21PM (#30773938)

    IE shows no sign of vanishing from the corporate landscape

    I work at a big company that takes an enormous number of precautions to secure and protect the confidential information of millions of people. And we still use IE6 with no sign of changing any time soon.

  • by yuna49 ( 905461 ) on Thursday January 14, 2010 @09:23PM (#30773952)

    According to TFA, this vulnerability was in IE6.

    No, only IE 5.01 SP4 and IE 8 are not vulnerable without enabling "data execution prevention." The attackers apparently targeted IE 6, but nearly all other versions can be compromised.

    From TFA:

    "A security feature known as data execution prevention, which prevents data loaded into memory from being executed, will block the particular exploits McAfee has observed. But Kurtz warned the vulnerability exists in all versions of IE except for IE 5.01, service pack 4, and that it would be possible for attackers to work around the protection.

    In an advisory, Microsoft recommended people use DEP, which by default is enabled in IE 8 but must be turned on in prior versions. The statement also advised users on Vista and later versions of Windows to run IE in protected mode. The advisory didn't say when an update would be released that patches the vulnerability."

  • by gillbates ( 106458 ) on Thursday January 14, 2010 @10:37PM (#30774530) Homepage Journal

    Because according to Microsoft, system vulnerability is determined by the following formula:

    Vulnerability = (time of patch - time of discovery) * number of exploits.

    Clearly, since the vulnerability was never publicly discovered, no patch was needed, right? Clearly, since the exploit was never published, it was not a security risk, right?

    For years, those outside the FOSS community behaved as if an unknown or undiscovered (or rather, unpublished) exploit was not a security vulnerability for the purposes of calculating risk. Rather, we were led to believe, by MS and others, that only unpatched systems were vulnerable. For years, I watched as countless IT folks repeated the mantra that a fully patched MS system was just as secure as any other.

    It always seemed obvious to me, but apparently not to others, that risk should be calculated not on the time of discovery and publication, but rather, upon the ship date of the software. (i.e., a vulnerability discovered 3 years after ship date, but patched a month after discovery means your system was vulnerable for 39 months, instead of only one as the MS method calculated vulnerability.)

    I think Google is big enough that people will now recognize that system security is not just a matter of patch early, patch often, but also a characteristic of the entity behind the code. Despite what Microsoft marketing would have you believe, the company can't produce a secure OS because they understand neither the problem, nor even the question.

    The reason Linux is more secure than Windows is due not merely to the fact that it is open source, but also because those who work with UNIX understand the problem of system security. It doesn't mean Linux is perfect, only that it fares much better from a total-risk perspective. Microsoft never really grasped that security was a fundamental system design consideration, rather than a problem to be patched on the back-end of SW development. While they have *tried* to address the security issues (and have been somewhat successful, but only due to their brute-force efforts), they still have a product-design mentality which places ship dates above system quality, and usability above overall security. The fact that they still consider anti-virus software and constant patching a normal part of computing indicates they've failed to grasp the lessons learned of the past 3 decades.

    For Microsoft, security is a checkbox feature, not a way of doing business. Maybe, now that Google was compromised by a type of exploit Microsoft, et al, considered of minimal, if not zero, risk, the world will change its opinion of the acceptability of software requiring constant patches and add-on kludges (i.e. anti-virus sw) just to function normally.

  • by Anonymous Coward on Thursday January 14, 2010 @11:09PM (#30774770)

    Yeah, same here. And anonymous of course..

    The reason we haven't changed is that many of our internal applications for timesheets, problem tracking, and just general reports work only with IE. I don't think the apps themselves are at fault, just the lazy-ass developers that wrote code that only works with ActiveX controls. These include Remedy, Mercury Sitescope, Clarity (time tracking), Notes, PeopleSoft and numerous reporting tools. It's only now becoming a big deal because the executives have started getting Macs and iPhones, Blackberrys and other non-IE devices and find that they can't check their email.

  • by rtb61 ( 674572 ) on Thursday January 14, 2010 @11:39PM (#30774978) Homepage

    http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com]. The microtrolls are bad enough of the mods but leave the out and out lies alone it looks silly.

  • by xlsior ( 524145 ) on Thursday January 14, 2010 @11:41PM (#30774988) Homepage
    Are you saying that Microsoft gave the Chinese government the source code to IE/Windows?

    Apparently they did -- or at least let them inspect/study it:

    http://news.cnet.com/China-looks-into-Windows-code/2100-1016_3-5083458.html [cnet.com]

    Large national governments actually have enough leverage to get access to source code that's not publicly available.
  • by smash ( 1351 ) on Friday January 15, 2010 @12:02AM (#30775122) Homepage Journal
    Because there are never any 0-days for Linux. *rolls eyes*
  • Oh really? (Score:3, Informative)

    by Sycraft-fu ( 314770 ) on Friday January 15, 2010 @12:09AM (#30775170)

    Well let's see here, how about we look at Firefox 3.0's list of vulnerabilities from Mozilla:

    http://www.mozilla.org/security/known-vulnerabilities/firefox30.html [mozilla.org]

    Lotta red on there, and red means "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."

    How about 3.5? Hasn't been out as long:

    http://www.mozilla.org/security/known-vulnerabilities/firefox35.html [mozilla.org]

    Less overall, as you'd expect, but seems an even greater percentage are critical risk.

    Seems to me Firefox has plenty of holes, with new ones getting discovered all the time. I mean please remember 3.5 has been out for about half a year. There's been 7 updates, 5 of which have addressed critical problems, often multiple ones.

    So it seems that indeed people ARE finding holes in Firefox. Mozilla is doing as they should and fixing them, but please let's not pretend like there are plenty there that have needed fixing.

  • Re:citation needed (Score:3, Informative)

    by msclrhd ( 1211086 ) on Friday January 15, 2010 @04:51AM (#30776466)

    According to that link, the XPS viewer is opening the XPS document in the default web browser which is Firefox. However, Firefox does not know how to render the Microsoft-specific XPS format and IE does.

    This is not a Firefox problem, it is a problem with the implementors of the XPS viewer.

  • Re:Tools and Ethics (Score:2, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday January 15, 2010 @07:16AM (#30777166) Homepage Journal

    through the use of capabilities-based security, you CAN detect nefarious behavior. too bad there's still no user-accessible way to configure selinux. it's left up to the packagers etc, which is a fail.
